| Summary: | libtirpc, rpcbind new security issue CVE-2017-8779 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, mageia, marja11, mhrambo3501, sysadmin-bugs, zombie_ryushu |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.linuxsecurity.com/content/view/171587/ | | |
| Whiteboard: | advisory MGA5-32-OK MGA5-64-OK | | |
| Source RPM: | rpcbind, libtirpc | CVE: | CVE-2017-8779 |
| Status comment: | | | |
|
Description
David Walser
2017-05-05 23:46:41 CEST
David Walser
2017-05-05 23:46:52 CEST
Whiteboard: (none) => MGA5TOO

Fixed in cauldron

Whiteboard: MGA5TOO => (none)

(In reply to Nicolas Lécureuil from comment #1)
> Fixed in cauldron

Thanks :-)

Assigning to all packagers collectively, since there are no registered maintainers for rpcbind and libtirpc.

Assignee: bugsquad => pkg-bugs

Debian has issued an advisory for this on May 8:
https://www.debian.org/security/2017/dsa-3845
Zombie Ryushu
2017-05-27 06:31:03 CEST
URL: (none) => http://www.linuxsecurity.com/content/view/171587/

Patched packages uploaded for Mageia 5.

Advisory:
========================

Updated rpcbind and libtirpc packages fix a security vulnerability:

It was discovered that rpcbind and libtirpc contain a vulnerability that allows an attacker to allocate any amount of bytes (up to 4 gigabytes per attack) on a remote rpcbind host, and the memory is never freed unless the process crashes or the administrator halts or restarts the rpcbind service. This can slow down the system’s operations significantly or prevent other services from spawning processes entirely (CVE-2017-8779).

References:
http://openwall.com/lists/oss-security/2017/05/04/3
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
========================

Updated packages in core/updates_testing:
========================
rpcbind-0.2.2-1.2.mga5
rpcbind-debuginfo-0.2.2-1.2.mga5

from rpcbind-0.2.2-1.2.mga5.src.rpm

lib64tirpc1-0.2.5-3.2.mga5
lib64tirpc-devel-0.2.5-3.2.mga5
libtirpc-0.2.5-3.2.mga5
libtirpc-debuginfo-0.2.5-3.2.mga5

from libtirpc-0.2.5-3.2.mga5.src.rpm

Exploit code: https://github.com/guidovranken/rpcbomb.

Testing procedure (rpcbind): https://bugs.mageia.org/show_bug.cgi?id=16769#c5

CC: (none) => mrambo
Dave Hodgins
2017-06-18 08:01:55 CEST
CC: (none) => davidwhodgins

MGA5-32 on Asus A6000 VM Xfce
No installation issues.
At CLI:
# systemctl status rpcbind
rpcbind.service - RPC bind service
Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled)
Active: active (running) since ma 2017-06-19 13:51:59 CEST; 17min ago
Main PID: 17203 (rpcbind)
CGroup: /system.slice/rpcbind.service
17203 /sbin/rpcbind -w
# systemctl stop rpcbind
Warning: Stopping rpcbind.service, but it can still be activated by:
rpcbind.socket
# systemctl start rpcbind
# systemctl status rpcbind
rpcbind.service - RPC bind service
Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled)
Active: active (running) since ma 2017-06-19 14:09:36 CEST; 4s ago
Process: 29533 ExecStart=/sbin/rpcbind -w ${RPCBIND_ARGS} (code=exited, status=0/SUCCESS)
Main PID: 29535 (rpcbind)
CGroup: /system.slice/rpcbind.service
29535 /sbin/rpcbind -w

Whiteboard: advisory => advisory MGA5-32-OK

Testing M5 x64 real hardware

The exploit: https://github.com/guidovranken/rpcbomb/blob/master/rpcbomb.rb
However, given the description of the fault in Comment 4 - a cumulative thing with undefined consequences - I declined to try it.

Simple test given in https://bugs.mageia.org/show_bug.cgi?id=16769#c4 & the following comment.

BEFORE the update:
rpcbind-0.2.2-1.1.mga5
lib64tirpc1-0.2.5-3.1.mga5
libtirpc-0.2.5-3.1.mga5

# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 42210 status
100024 1 tcp 34420 status
# strace rpcinfo -p 2>&1 | grep tirpc
open("/lib64/libtirpc.so.1", O_RDONLY|O_CLOEXEC) = 3
shows one library at least is called.

AFTER the update:
rpcbind-0.2.2-1.2.mga5
lib64tirpc1-0.2.5-3.2.mga5
libtirpc-0.2.5-3.2.mga5

# systemctl restart rpcbind.service
# systemctl restart rpcbind.socket
# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 46464 status
100024 1 tcp 35371 status
plus a lot more ports & services. Do not know why those were not displayed pre-update, but the difference should not be due to it, and look OK.

Validating; advisory already done.

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0183.html

Resolution:
(none) =>
FIXED |
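
The before/after check from the test reports above, as an added shell example that is not part of the original bug thread: it reports which of the six expected portmapper registrations (program 100000, versions 2 to 4, tcp and udp on port 111) are absent from `rpcinfo -p` output, and tests whether an installed package string is at or above the fixed build named in the advisory. The function names and the sample output are constructed for illustration, and `sort -V` is assumed to be available as an approximation of rpm version ordering.

```shell
#!/bin/sh
# Added example: post-update sanity checks for the CVE-2017-8779 fix.
# Function names are hypothetical; the sample data is constructed from
# the rpcinfo output format shown in the test report.

# Fixed builds named in the advisory (name-version-release).
FIXED_RPCBIND="rpcbind-0.2.2-1.2.mga5"
FIXED_LIBTIRPC="libtirpc-0.2.5-3.2.mga5"

# at_least INSTALLED FIXED: succeeds if INSTALLED sorts at or above FIXED.
# Assumption: GNU sort -V is close enough to rpm ordering for these strings.
at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# portmapper_missing: reads `rpcinfo -p` output on stdin and prints each
# expected portmapper registration (vers/proto on port 111) that is absent.
portmapper_missing() {
    awk '
        $1 == "100000" && $4 == "111" { seen[$2 "/" $3] = 1 }
        END {
            n = split("2 3 4", v, " "); m = split("tcp udp", p, " ")
            for (i = 1; i <= n; i++)
                for (j = 1; j <= m; j++) {
                    key = v[i] "/" p[j]
                    if (!(key in seen)) print key
                }
        }'
}

# Constructed sample: rpcinfo -p output with the udp version 2 entry removed.
SAMPLE_BROKEN='program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100024 1 udp 46464 status'

# Prints "2/udp" for the constructed sample.
printf '%s\n' "$SAMPLE_BROKEN" | portmapper_missing

# On a live host:
#   rpcinfo -p | portmapper_missing
#   at_least "$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' rpcbind)" "$FIXED_RPCBIND"
```

Empty output from `portmapper_missing` means all six registrations are present, which matches the listings in both the BEFORE and AFTER reports.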