Bug 16769 - rpcbind new security issue CVE-2015-7236
Summary: rpcbind new security issue CVE-2015-7236
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/657992/
Whiteboard: has_procedure advisory MGA5-32-OK MGA...
Keywords: validated_update
Depends on:
Reported: 2015-09-17 20:03 CEST by David Walser
Modified: 2015-09-25 20:44 CEST (History)
2 users (show)

See Also:
Source RPM: rpcbind-0.2.3-1.mga6.src.rpm
Status comment:


Description David Walser 2015-09-17 20:03:12 CEST
A CVE has been assigned for a remote DoS issue reported upstream to rpcbind:

The upstream mailing list post linked in the message above contains a suggested patch, which upstream hasn't taken any action on yet.  Upstream git is here:

Mageia 5 is also affected.


Steps to Reproduce:
David Walser 2015-09-17 20:03:23 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2015-09-18 17:42:12 CEST
Potentially more correct suggested patch here:

We'll see what upstream thinks.
Comment 2 David Walser 2015-09-21 20:19:45 CEST
Debian-LTS has issued an advisory for this on September 20:

Upstream doesn't have a commit to fix this yet.

URL: (none) => http://lwn.net/Vulnerabilities/657992/

Comment 3 David Walser 2015-09-24 19:03:07 CEST
Debian has issued an advisory for this on September 23:

They used this patch from SuSE:

Upstream still hasn't committed anything.

Patched packages uploaded for Mageia 5 and Cauldron.


Updated rpcbind package fixes security vulnerability:

A remotely triggerable use-after-free vulnerability was found in rpcbind, a
server that converts RPC program numbers into universal addresses. A remote
attacker can take advantage of this flaw to mount a denial of service (rpcbind
crash) (CVE-2015-7236).


Updated packages in core/updates_testing:

from rpcbind-0.2.2-1.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2015-09-24 21:18:54 CEST
I don't see an obvious PoC for crashing rpcbind.  If you have the rpcbind.service enabled and running, you should be able to query it for available RPC services with the command "rpcinfo -p" (run locally) or "rpcinfo -p {IPAddress}" from a remote machine, replacing {IPAddress} with the machine running rpcbind's IP address (this assumes port 111 is not blocked by the firewall).

This worked fine for me on Mageia 5 i586.  Output looks like:
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  37811  status
    100024    1   tcp  36062  status

Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 5 Yann Cantin 2015-09-24 21:39:10 CEST
mga5 x86_64

Installed package :

systemctl restart rpcbind.service
systemctl restart rpcbind.socket

rpcinfo -p output Ok.

Update OK.

CC: (none) => yann.cantin
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 6 claire robinson 2015-09-25 17:23:51 CEST
Well done Yann!

Validating. Advisory uploaded.

Please push to 5 updates


Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-09-25 20:44:12 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.