Bug 30682 - libtirpc new security issue CVE-2021-46828
Summary: libtirpc new security issue CVE-2021-46828
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-07-29 17:37 CEST by David Walser
Modified: 2022-08-20 12:05 CEST

See Also:
Source RPM: libtirpc-1.3.1-1.mga8.src.rpm
CVE: CVE-2021-46828
Status comment:


Description David Walser 2022-07-29 17:37:06 CEST
Ubuntu has issued an advisory on July 28:

The issue is fixed upstream in 1.3.3rc1.

Mageia 8 is also affected.
David Walser 2022-07-29 17:37:30 CEST

Status comment: (none) => Fixed upstream in 1.3.3rc1
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-07-30 20:53:03 CEST
Assigning this globally in the absence of a visible maintainer.

(This bug is noted against v1.3.1, although Cauldron already has v1.3.2. Irrelevant seeing that the cure is in v1.3.3rc1).

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-08-08 17:12:00 CEST
Debian has issued an advisory for this on August 7:
Comment 3 Mike Rambo 2022-08-12 02:00:56 CEST
Updated package built for cauldron and Mageia 8


Patched libtirpc package fixes security vulnerability:

It was discovered that libtirpc incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service (CVE-2021-46828).


Updated packages in core/updates_testing:

from libtirpc-1.3.3-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-46828
Version: Cauldron => 8
Status comment: Fixed upstream in 1.3.3rc1 => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => mhrambo3501

Comment 4 Herman Viaene 2022-08-19 11:22:09 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
Ref bug 20788 for testing
# systemctl  start rpcbind
# strace -o /home/tester8/Documents/libtirpc.txt rpcinfo
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp          portmapper superuser
    100000    3    tcp          portmapper superuser
    100000    2    tcp          portmapper superuser
    100000    4    udp          portmapper superuser
    100000    3    udp          portmapper superuser
    100000    2    udp          portmapper superuser
    100000    4    local     /run/rpcbind.sock      portmapper superuser
    100000    3    local     /run/rpcbind.sock      portmapper superuser
Found ref. to libtirpc in trace file, so OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-08-19 14:05:40 CEST
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-08-20 02:49:57 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-08-20 12:05:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
