Bug 16769

Summary: rpcbind new security issue CVE-2015-7236
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs, yann.cantin
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/657992/
Whiteboard: has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM: rpcbind-0.2.3-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2015-09-17 20:03:12 CEST 
A CVE has been assigned for a remote DoS issue reported upstream to rpcbind:
http://openwall.com/lists/oss-security/2015/09/17/6

The upstream mailing list post linked in the message above contains a suggested patch, which upstream hasn't taken any action on yet.  Upstream git is here:
http://git.linux-nfs.org/?p=steved/rpcbind.git;a=summary

Mageia 5 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-09-17 20:03:23 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2015-09-18 17:42:12 CEST 
Potentially more correct suggested patch here:
http://openwall.com/lists/oss-security/2015/09/18/7

We'll see what upstream thinks.
Comment 2 David Walser 2015-09-21 20:19:45 CEST 
Debian-LTS has issued an advisory for this on September 20:
http://lwn.net/Alerts/657976/

Upstream doesn't have a commit to fix this yet.

URL: (none) => http://lwn.net/Vulnerabilities/657992/

Comment 3 David Walser 2015-09-24 19:03:07 CEST 
Debian has issued an advisory for this on September 23:
https://www.debian.org/security/2015/dsa-3366

They used this patch from SuSE:
http://openwall.com/lists/oss-security/2015/09/18/7

Upstream still hasn't committed anything.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated rpcbind package fixes security vulnerability:

A remotely triggerable use-after-free vulnerability was found in rpcbind, a
server that converts RPC program numbers into universal addresses. A remote
attacker can take advantage of this flaw to mount a denial of service (rpcbind
crash) (CVE-2015-7236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7236
https://www.debian.org/security/2015/dsa-3366
========================

Updated packages in core/updates_testing:
========================
rpcbind-0.2.2-1.1.mga5

from rpcbind-0.2.2-1.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2015-09-24 21:18:54 CEST 
I don't see an obvious PoC for crashing rpcbind.  If you have the rpcbind.service enabled and running, you should be able to query it for available RPC services with the command "rpcinfo -p" (run locally) or "rpcinfo -p {IPAddress}" from a remote machine, replacing {IPAddress} with the machine running rpcbind's IP address (this assumes port 111 is not blocked by the firewall).

This worked fine for me on Mageia 5 i586.  Output looks like:
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  37811  status
    100024    1   tcp  36062  status

Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 5 Yann Cantin 2015-09-24 21:39:10 CEST 
mga5 x86_64

Installed package :
rpcbind-0.2.2-1.1.mga5.x86_64.rpm


systemctl restart rpcbind.service
systemctl restart rpcbind.socket

rpcinfo -p output Ok.

Update OK.

CC: (none) => yann.cantin
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 6 claire robinson 2015-09-25 17:23:51 CEST 
Well done Yann!

Validating. Advisory uploaded.

Please push to 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-09-25 20:44:12 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0383.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED