Bug 10410

Summary: CVE-2013-1950: libtirpc - invalid pointer free leads to rpcbind daemon crash
Product: Mageia
Reporter: Oden Eriksson <oe>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: luigiwalser
Version: 2
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: libtirpc
CVE:
Status comment:

Description Oden Eriksson 2013-06-03 11:18:03 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=948378

https://rhn.redhat.com/errata/RHSA-2013-0884.html

"A flaw was found in the way libtirpc decoded RPC requests. A
specially-crafted RPC request could cause libtirpc to attempt to free a
buffer provided by an application using the library, even when the buffer
was not dynamically allocated. This could cause an application using
libtirpc, such as rpcbind, to crash. (CVE-2013-1950)"

Fix here:

http://git.infradead.org/users/steved/libtirpc.git/commitdiff/a9f437119d79a438cb12e510f3cadd4060102c9f

Comment 1 Oden Eriksson 2013-06-03 11:22:12 CEST
Whoops. The code is not present in libtirpc-0.2.2. No way to test as I don't own a Nessus license.

Comment 2 David Walser 2013-06-03 13:42:14 CEST
Yes, I already looked into this last week, the code isn't present in 0.2.2.

Status: NEW => RESOLVED
CC: (none) => luigiwalser
Resolution: (none) => INVALID