Bug 30682 - libtirpc new security issue CVE-2021-46828
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Reported: 2022-07-29 17:37 CEST by David Walser
Modified: 2022-08-20 12:05 CEST
Source RPM: libtirpc-1.3.1-1.mga8.src.rpm
CVE: CVE-2021-46828

Description David Walser 2022-07-29 17:37:06 CEST
Ubuntu has issued an advisory on July 28:
https://ubuntu.com/security/notices/USN-5538-1

The issue is fixed upstream in 1.3.3rc1.

Mageia 8 is also affected.

David Walser 2022-07-29 17:37:30 CEST

Status comment: (none) => Fixed upstream in 1.3.3rc1
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-07-30 20:53:03 CEST
Assigning this globally in the absence of a visible maintainer.

(This bug is noted against v1.3.1, although Cauldron already has v1.3.2. Irrelevant seeing that the cure is in v1.3.3rc1).

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-08-08 17:12:00 CEST
Debian has issued an advisory for this on August 7:
https://www.debian.org/security/2022/dsa-5200

Comment 3 Mike Rambo 2022-08-12 02:00:56 CEST
Updated package built for Cauldron and Mageia 8.


Advisory:
========================

Patched libtirpc package fixes security vulnerability:

It was discovered that libtirpc incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service (CVE-2021-46828).


References:
https://ubuntu.com/security/notices/USN-5538-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46828
========================

Updated packages in core/updates_testing:
========================
lib64tirpc3-1.3.3-1.mga8
lib64tirpc-devel-1.3.3-1.mga8
libtirpc-1.3.3-1.mga8

from libtirpc-1.3.3-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-46828
Version: Cauldron => 8
Status comment: Fixed upstream in 1.3.3rc1 => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => mhrambo3501

Comment 4 Herman Viaene 2022-08-19 11:22:09 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
Ref bug 20788 for testing
# systemctl  start rpcbind
# strace -o /home/tester8/Documents/libtirpc.txt rpcinfo
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /run/rpcbind.sock      portmapper superuser
    100000    3    local     /run/rpcbind.sock      portmapper superuser
Found ref. to libtirpc in trace file, so OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-08-19 14:05:40 CEST
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-08-20 02:49:57 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-08-20 12:05:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0288.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

