Bug 10410 - CVE-2013-1950: libtirpc - invalid pointer free leads to rpcbind daemon crash
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-03 11:18 CEST by Oden Eriksson
Modified: 2013-06-03 13:42 CEST

See Also:
Source RPM: libtirpc
CVE:
Status comment:


Attachments

Description Oden Eriksson 2013-06-03 11:18:03 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=948378

https://rhn.redhat.com/errata/RHSA-2013-0884.html

"A flaw was found in the way libtirpc decoded RPC requests. A
specially-crafted RPC request could cause libtirpc to attempt to free a
buffer provided by an application using the library, even when the buffer
was not dynamically allocated. This could cause an application using
libtirpc, such as rpcbind, to crash. (CVE-2013-1950)"

Fix here:

http://git.infradead.org/users/steved/libtirpc.git/commitdiff/a9f437119d79a438cb12e510f3cadd4060102c9f

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-06-03 11:22:12 CEST
Whoops. The code is not present in libtirpc-0.2.2. No way to test as I don't own a Nessus license.
Comment 2 David Walser 2013-06-03 13:42:14 CEST
Yes, I already looked into this last week; the code isn't present in 0.2.2.

Status: NEW => RESOLVED
CC: (none) => luigiwalser
Resolution: (none) => INVALID

