diff options
author | Eivind Uggedal <eivind@uggedal.com> | 2015-09-30 19:38:13 +0000 |
---|---|---|
committer | Eivind Uggedal <eivind@uggedal.com> | 2015-10-01 08:02:48 +0000 |
commit | dc8c84b12bbcb39866abb39dae0ddd35d837c5e5 (patch) | |
tree | c5ab79d8a2bc7dc1e52b34abf736befb753e2b6d | |
parent | 560c72db5cabba19ca9f2dfcdf4e6943af9f1634 (diff) | |
download | aports-dc8c84b12bbcb39866abb39dae0ddd35d837c5e5.tar.bz2 aports-dc8c84b12bbcb39866abb39dae0ddd35d837c5e5.tar.xz |
main/rpcbind: security fix for CVE-2015-7236
-rw-r--r-- | main/rpcbind/APKBUILD | 14 | ||||
-rw-r--r-- | main/rpcbind/CVE-2015-7236.patch | 78 |
2 files changed, 87 insertions, 5 deletions
diff --git a/main/rpcbind/APKBUILD b/main/rpcbind/APKBUILD index f99eaaac0e..5ea75b61ae 100644 --- a/main/rpcbind/APKBUILD +++ b/main/rpcbind/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=rpcbind pkgver=0.2.1 -pkgrel=1 +pkgrel=2 pkgdesc="portmap replacement which supports RPC over various protocols" url="http://rpcbind.sourceforge.net" arch="all" @@ -14,7 +14,8 @@ source="http://downloads.sourceforge.net/sourceforge/$pkgname/$pkgname-$pkgver.t 0002-uclibc-rpcsvc-defines.patch rpcbind-0.2.1-rpcuser.patch rpcbind.initd - rpcbind.confd" + rpcbind.confd + CVE-2015-7236.patch" _builddir="$srcdir"/$pkgname-$pkgver prepare() { @@ -53,14 +54,17 @@ md5sums="0a5f9c2142af814c55d957aaab3bcc68 rpcbind-0.2.1.tar.bz2 944234c5ef6902d25bd6dfc95f979ed6 0002-uclibc-rpcsvc-defines.patch 05a4f6558dbfe4c69574ff3a8fee250d rpcbind-0.2.1-rpcuser.patch 381a2722c69b4597af532381f1ffeae0 rpcbind.initd -2517c71cdb08f133b0d50055a44c56de rpcbind.confd" +2517c71cdb08f133b0d50055a44c56de rpcbind.confd +940f7bed3ee84d3f827a2bfd6f19c624 CVE-2015-7236.patch" sha256sums="da169ff877a5a07581fad50a9a808ac6e96f0c277a3df49a7ef005778428496e rpcbind-0.2.1.tar.bz2 a1970cbe4bcc4704dba49e4a2c5be5105a631d9067c4d5cb5b073e62b5d90c65 0002-uclibc-rpcsvc-defines.patch ba5d2f25b9c06b057da97418fd479b511e1d16dc7f300173383c33904f1890bd rpcbind-0.2.1-rpcuser.patch 674d5af3957c81ff4bd97811d88e064b75f742c351b63c51c397d3779fb57604 rpcbind.initd -55bcd47a4d0f194f09e6abb13695853459f869b54ce09ef051e55efcd8ad3903 rpcbind.confd" +55bcd47a4d0f194f09e6abb13695853459f869b54ce09ef051e55efcd8ad3903 rpcbind.confd +e7aafff7fe20a5d9fdb0f93a5b6824e136934f4fbb20d210f398e851cb13f419 CVE-2015-7236.patch" sha512sums="5ec1e25c64ad3cd80fc2f14ced64a331afbe896fb3da54c812e3c4a78a69df181f607492762fe852732cc0ac9bd87ee118760b9e7fad2b3f028d581fecc93849 rpcbind-0.2.1.tar.bz2 8750c9b2b44daf42f35ec1c72c52497872724cd40951f7f3d34ca60cab9e291eb00f3b2d0ca9b0985c0877a80f8279a35f14a1ecf64a991e8650af5221a094f6 0002-uclibc-rpcsvc-defines.patch f9836d2a0d4fa11a9033bdf654637645e977d27e01e6fe232f67d92e9c6ffb4124d9191101148cb9cf4df2672b020f5cfebc5f3d54fd5e592c6283ebc29f9833 rpcbind-0.2.1-rpcuser.patch 9fb26b3a496c616a36f85a3af5580fb364bf404ae040ba8719d30dbdea0ea906cf07e1bc1b4c5f6e4b95b121bbd5b5c687ae17cf26617b2b2981ff7e3ef6d83b rpcbind.initd -0641087162ebc8fb10c5cb329105261d77cad073daed3f9a6c92574177298cd8a19a87b62dde14161cc554b5e68680cfd870b5334f3cfd8d6074ec8a43f4dfe3 rpcbind.confd" +0641087162ebc8fb10c5cb329105261d77cad073daed3f9a6c92574177298cd8a19a87b62dde14161cc554b5e68680cfd870b5334f3cfd8d6074ec8a43f4dfe3 rpcbind.confd +c91628b6e5758a02790651d914f35c10d19807955721d910a4d391cde0071efee169cfddd788855677bc1d509fba3a1bc5e40601d327a5f7f8487ad8f06b197a CVE-2015-7236.patch" diff --git a/main/rpcbind/CVE-2015-7236.patch b/main/rpcbind/CVE-2015-7236.patch new file mode 100644 index 0000000000..29c3e1a6d0 --- /dev/null +++ b/main/rpcbind/CVE-2015-7236.patch @@ -0,0 +1,78 @@ +commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd +Author: Olaf Kirch <okir () suse de> +Date: Thu Aug 6 16:27:20 2015 +0200 + + Fix memory corruption in PMAP_CALLIT code + + - A PMAP_CALLIT call comes in on IPv4 UDP + - rpcbind duplicates the caller's address to a netbuf and stores it in + FINFO[0].caller_addr. caller_addr->buf now points to a memory region A + with a size of 16 bytes + - rpcbind forwards the call to the local service, receives a reply + - when processing the reply, it does this in xprt_set_caller: + xprt->xp_rtaddr = *FINFO[0].caller_addr + It sends out the reply, and then frees the netbuf caller_addr and + caller_addr.buf. + However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers + to memory region A, which is free. + - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will + be called, which will set xp_rtaddr to the client's address. + It will reuse the buffer inside xp_rtaddr, ie it will write a + sockaddr_in to region A + + Some time down the road, an incoming TCP connection is accepted, + allocating a fresh SVCXPRT. The memory region A is inside the + new SVCXPRT + + - While processing the TCP call, another UDP call comes in, again + overwriting region A with the client's address + - TCP client closes connection. In svc_destroy, we now trip over + the garbage left in region A + + We ran into the case where a commercial scanner was triggering + occasional rpcbind segfaults. The core file that was captured showed + a corrupted xprt->xp_netid pointer that was really a sockaddr_in. + + Signed-off-by: Olaf Kirch <okir () suse de> + +--- + src/rpcb_svc_com.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +--- a/src/rpcb_svc_com.c ++++ b/src/rpcb_svc_com.c +@@ -1204,12 +1204,33 @@ check_rmtcalls(struct pollfd *pfds, int + return (ncallbacks_found); + } + ++/* ++ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't ++ * been exported yet. ++ */ ++static struct netbuf * ++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len) ++{ ++ if (nb->len != len) { ++ if (nb->len) ++ mem_free(nb->buf, nb->len); ++ nb->buf = mem_alloc(len); ++ if (nb->buf == NULL) ++ return NULL; ++ ++ nb->maxlen = nb->len = len; ++ } ++ memcpy(nb->buf, ptr, len); ++ return nb; ++} ++ + static void + xprt_set_caller(SVCXPRT *xprt, struct finfo *fi) + { ++ const struct netbuf *caller = fi->caller_addr; + u_int32_t *xidp; + +- *(svc_getrpccaller(xprt)) = *(fi->caller_addr); ++ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len); + xidp = __rpcb_get_dg_xidp(xprt); + *xidp = fi->caller_xid; + } |