A security issue affecting rpcbind and libtirpc has been reported: http://openwall.com/lists/oss-security/2017/05/04/3 The suggested patches do apply cleanly in Cauldron. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Fixed in cauldron
Whiteboard: MGA5TOO => (none)
CVE: (none) => CVE-2017-8779
Version: Cauldron => 5
CC: (none) => mageia
(In reply to Nicolas Lécureuil from comment #1)
> Fixed in cauldron

Thanks :-)

Assigning to all packagers collectively, since there are no registered maintainers for rpcbind and libtirpc.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Debian has issued an advisory for this on May 8: https://www.debian.org/security/2017/dsa-3845
URL: (none) => http://www.linuxsecurity.com/content/view/171587/
CC: (none) => zombie_ryushu
Patched packages uploaded for Mageia 5.

Advisory:
========================

Updated rpcbind and libtirpc packages fix a security vulnerability:

It was discovered that rpcbind and libtirpc contain a vulnerability that allows an attacker to allocate any amount of bytes (up to 4 gigabytes per attack) on a remote rpcbind host, and the memory is never freed unless the process crashes or the administrator halts or restarts the rpcbind service. This can slow down the system’s operations significantly or prevent other services from spawning processes entirely (CVE-2017-8779).

References:
http://openwall.com/lists/oss-security/2017/05/04/3
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
========================

Updated packages in core/updates_testing:
========================
rpcbind-0.2.2-1.2.mga5
rpcbind-debuginfo-0.2.2-1.2.mga5

from rpcbind-0.2.2-1.2.mga5.src.rpm

lib64tirpc1-0.2.5-3.2.mga5
lib64tirpc-devel-0.2.5-3.2.mga5
libtirpc-0.2.5-3.2.mga5
libtirpc-debuginfo-0.2.5-3.2.mga5

from libtirpc-0.2.5-3.2.mga5.src.rpm

Exploit code: https://github.com/guidovranken/rpcbomb.
Testing procedure (rpcbind): https://bugs.mageia.org/show_bug.cgi?id=16769#c5
CC: (none) => mrambo
Assignee: pkg-bugs => qa-bugs
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
MGA5-32 on Asus A6000 VM Xfce
No installation issues.
At CLI:

# systemctl status rpcbind
rpcbind.service - RPC bind service
   Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled)
   Active: active (running) since ma 2017-06-19 13:51:59 CEST; 17min ago
 Main PID: 17203 (rpcbind)
   CGroup: /system.slice/rpcbind.service
           17203 /sbin/rpcbind -w

# systemctl stop rpcbind
Warning: Stopping rpcbind.service, but it can still be activated by:
  rpcbind.socket

# systemctl start rpcbind
# systemctl status rpcbind
rpcbind.service - RPC bind service
   Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled)
   Active: active (running) since ma 2017-06-19 14:09:36 CEST; 4s ago
  Process: 29533 ExecStart=/sbin/rpcbind -w ${RPCBIND_ARGS} (code=exited, status=0/SUCCESS)
 Main PID: 29535 (rpcbind)
   CGroup: /system.slice/rpcbind.service
           29535 /sbin/rpcbind -w
Whiteboard: advisory => advisory MGA5-32-OK
CC: (none) => herman.viaene
Testing M5 x64 real hardware

The exploit: https://github.com/guidovranken/rpcbomb/blob/master/rpcbomb.rb
However, given the description of the fault in Comment 4 - a cumulative thing with undefined consequences - I declined to try it.

Simple test given in https://bugs.mageia.org/show_bug.cgi?id=16769#c4 & the following comment.

BEFORE the update:
rpcbind-0.2.2-1.1.mga5
lib64tirpc1-0.2.5-3.1.mga5
libtirpc-0.2.5-3.1.mga5

# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  42210  status
    100024    1   tcp  34420  status

# strace rpcinfo -p 2>&1 | grep tirpc
open("/lib64/libtirpc.so.1", O_RDONLY|O_CLOEXEC) = 3

shows one library at least is called.

AFTER the update:
rpcbind-0.2.2-1.2.mga5
lib64tirpc1-0.2.5-3.2.mga5
libtirpc-0.2.5-3.2.mga5

# systemctl restart rpcbind.service
# systemctl restart rpcbind.socket
# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  46464  status
    100024    1   tcp  35371  status

plus a lot more ports & services. Do not know why those were not displayed pre-update, but the difference should not be due to it, and look OK.

Validating; advisory already done.
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0183.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED