main/rpcbind: upgrade to 0.2.4

4 files changed, 356 insertions, 13 deletions

diff --git a/main/rpcbind/APKBUILD b/main/rpcbind/APKBUILD
index 6a415e242f..cb8998c18f 100644
--- a/main/rpcbind/APKBUILD
+++ b/main/rpcbind/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=rpcbind
-pkgver=0.2.3
-pkgrel=3
+pkgver=0.2.4
+pkgrel=0
 pkgdesc="portmap replacement which supports RPC over various protocols"
 url="http://rpcbind.sourceforge.net"
 arch="all"
@@ -11,11 +11,17 @@ install="$pkgname.pre-install $pkgname.pre-upgrade"
 makedepends="libtirpc-dev autoconf automake bsd-compat-headers"
 subpackages="$pkgname-dbg $pkgname-doc"
 source="http://downloads.sourceforge.net/project/rpcbind/rpcbind/$pkgver/rpcbind-$pkgver.tar.bz2
-	git.patch
+	CVE-2017-8779.patch
+	pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch
+	rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
 	rpcbind.initd
 	rpcbind.confd
 	"
 
+# secfixes:
+#   0.2.4-r0:
+#   - CVE-2017-8779
+
 builddir="$srcdir"/rpcbind-$pkgver
 prepare() {
 	cd "$builddir"
@@ -52,15 +58,9 @@ package() {
 	install -Dm644 "$srcdir"/rpcbind.confd "$pkgdir"/etc/conf.d/rpcbind
 	install -D -m644 COPYING "$pkgdir"/usr/share/licenses/rpcbind/COPYING
 }
-md5sums="c8875246b2688a1adfbd6ad43480278d  rpcbind-0.2.3.tar.bz2
-04c7ba5d58d6a45671987416da4cbaa4  git.patch
-4fbc48760c73976457349150779b3b8b  rpcbind.initd
-2517c71cdb08f133b0d50055a44c56de  rpcbind.confd"
-sha256sums="9897823a9d820ea011d9ea02054d5ab99469b9ca5346265fee380713c8fed27b  rpcbind-0.2.3.tar.bz2
-4bb0809463d4e18c81c1a1802edda1cc314e1a6890ad3a229cb0ef4723d0bf26  git.patch
-ed0906acfda9f038776530ef56fcbea8627837f707682ce7311e10c7259cfb15  rpcbind.initd
-55bcd47a4d0f194f09e6abb13695853459f869b54ce09ef051e55efcd8ad3903  rpcbind.confd"
-sha512sums="b91cb4e0849213d344063ccf32d16c49819906b65e4d07c4aa7d3c8842bd83acb408d07aa285da902c389f3c9716f01678012b93a11863eb174a2577cd6ba1d6  rpcbind-0.2.3.tar.bz2
-f797f5bd309a64955c0acdcab970ecef192f7849862e676ec361977abbb8f05ec36b839b94cf3abc71956e467ace2c2ebf5d190db2874f4249d5a7d0037a9751  git.patch
+sha512sums="f3966a7284e94bdf120a9b3f0dd66efa1fe8761df2313545a031f77b7c06e27d7955d2780469943deb537d34f95c4cf3f30de523ec9fab9f571322d7224b210c  rpcbind-0.2.4.tar.bz2
+cc3b7d72299279f6c7e7ce0329d29a8bc0c44a9e99c241cbbe8f34eba71ca16da7e87683a66e36565422dde9a3b03be8d6e345264495c6e2070f97116da32244  CVE-2017-8779.patch
+1ecce48807b276381ff3199916e0b85880b948086e7891aa35df8a10f9188641253572c330e5fee35afa69c5ce3965ebead14fbe8ef20c49a4e9047345e63c5e  pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch
+a0125bd24a533366d7fcaed68e6671df65e3e39a4b18be2265f987602944d358666edef954f8707d24453331f7e96341739e5346bc1b233380c618b34a4014e2  rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
 1cd655d86226a45fa3e927f8ac2bb580537644d2fb3684e0f4a956bf3721c95d95b8b8c1d9a2a742fb714eeba9277e0400a7493bf1bf676466d70adb2b35a88e  rpcbind.initd
 0641087162ebc8fb10c5cb329105261d77cad073daed3f9a6c92574177298cd8a19a87b62dde14161cc554b5e68680cfd870b5334f3cfd8d6074ec8a43f4dfe3  rpcbind.confd"
diff --git a/main/rpcbind/CVE-2017-8779.patch b/main/rpcbind/CVE-2017-8779.patch
new file mode 100644
index 0000000000..d8fcfa113f
--- /dev/null
+++ b/main/rpcbind/CVE-2017-8779.patch
@@ -0,0 +1,218 @@
+From 7ea36eeece56b59f98e469934e4c20b4da043346 Mon Sep 17 00:00:00 2001
+From: Doran Moppert <dmoppert@redhat.com>
+Date: Thu, 11 May 2017 11:42:54 -0400
+Subject: [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to
+ avoid memory leak
+
+This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed
+at [1], [2], [3].  The last link suggests this issue is actually a bug
+in rpcbind, which led me here.
+
+The leak caused by the reproducer at [4] appears to come from
+rpcb_service_4(), in the case where svc_getargs() returns false and the
+function had an early return, rather than passing through the cleanup
+path at done:, as would otherwise occur.
+
+It also addresses a couple of other locations where the same fault seems
+to exist, though I haven't been able to exercise those.  I hope someone
+more intimate with rpc(3) can confirm my understanding is correct, and
+that I haven't introduced any new bugs.
+
+Without this patch, using the reproducer (and variants) repeatedly
+against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof
+rpcbind)/status reports VmSize increase of 976564 kB each call, and
+VmRSS increase of around 260 kB every 33 calls - the specific numbers
+are probably an artifact of my rhel/glibc version.  With the patch,
+there is a small (~50 kB) VmSize increase with the first message, but
+thereafter both VmSize and VmRSS remain steady.
+
+[1]: http://seclists.org/oss-sec/2017/q2/209
+[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124
+[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html
+[4]: https://github.com/guidovranken/rpcbomb/
+
+Signed-off-by: Doran Moppert <dmoppert@redhat.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/pmap_svc.c     | 56 +++++++++++++++++++++++++++++++++++++++++++++---------
+ src/rpcb_svc.c     |  2 +-
+ src/rpcb_svc_4.c   |  2 +-
+ src/rpcb_svc_com.c |  8 ++++++++
+ 4 files changed, 57 insertions(+), 11 deletions(-)
+
+diff --git a/src/pmap_svc.c b/src/pmap_svc.c
+index 4c744fe..e926cdc 100644
+--- a/src/pmap_svc.c
++++ b/src/pmap_svc.c
+@@ -175,6 +175,7 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
+ 	long ans;
+ 	uid_t uid;
+ 	char uidbuf[32];
++	int rc = TRUE;
+ 
+ 	/*
+ 	 * Can't use getpwnam here. We might end up calling ourselves
+@@ -194,7 +195,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
+ 
+ 	if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
+ 		svcerr_decode(xprt);
+-		return (FALSE);
++		rc = FALSE;
++		goto done;
+ 	}
+ #ifdef RPCBIND_DEBUG
+ 	if (debugging)
+@@ -205,7 +207,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
+ 
+ 	if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) {
+ 		svcerr_weakauth(xprt);
+-		return (FALSE);
++		rc = (FALSE);
++		goto done;
+ 	}
+ 
+ 	rpcbreg.r_prog = reg.pm_prog;
+@@ -258,7 +261,16 @@ done_change:
+ 		rpcbs_set(RPCBVERS_2_STAT, ans);
+ 	else
+ 		rpcbs_unset(RPCBVERS_2_STAT, ans);
+-	return (TRUE);
++done:
++	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
++		if (debugging) {
++			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
++			if (doabort) {
++				rpcbind_abort();
++			}
++		}
++	}
++	return (rc);
+ }
+ 
+ /* ARGSUSED */
+@@ -272,15 +284,18 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
+ #ifdef RPCBIND_DEBUG
+ 	char *uaddr;
+ #endif
++	int rc = TRUE;
+ 
+ 	if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
+ 		svcerr_decode(xprt);
+-		return (FALSE);
++		rc = FALSE;
++		goto done;
+ 	}
+ 
+ 	if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) {
+ 		svcerr_weakauth(xprt);
+-		return FALSE;
++		rc = FALSE;
++		goto done;
+ 	}
+ 
+ #ifdef RPCBIND_DEBUG
+@@ -330,21 +345,34 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
+ 		pmap_ipprot2netid(reg.pm_prot) ?: "<unknown>",
+ 		port ? udptrans : "");
+ 
+-	return (TRUE);
++done:
++	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
++		if (debugging) {
++			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
++			if (doabort) {
++				rpcbind_abort();
++			}
++		}
++	}
++	return (rc);
+ }
+ 
+ /* ARGSUSED */
+ static bool_t
+ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
+ {
++	int rc = TRUE;
++
+ 	if (!svc_getargs(xprt, (xdrproc_t)xdr_void, NULL)) {
+ 		svcerr_decode(xprt);
+-		return (FALSE);
++		rc = FALSE;
++		goto done;
+ 	}
+ 
+ 	if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) {
+ 		svcerr_weakauth(xprt);
+-		return FALSE;
++		rc = FALSE;
++		goto done;
+ 	}
+ 	
+ 	if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist_ptr,
+@@ -354,7 +382,17 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
+ 			rpcbind_abort();
+ 		}
+ 	}
+-	return (TRUE);
++
++done:
++	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
++		if (debugging) {
++			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
++			if (doabort) {
++				rpcbind_abort();
++			}
++		}
++	}
++	return (rc);
+ }
+ 
+ int pmap_netid2ipprot(const char *netid)
+diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c
+index 709e3fb..091f530 100644
+--- a/src/rpcb_svc.c
++++ b/src/rpcb_svc.c
+@@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp)
+ 		svcerr_decode(transp);
+ 		if (debugging)
+ 			(void) xlog(LOG_DEBUG, "rpcbind: could not decode");
+-		return;
++		goto done;
+ 	}
+ 
+ 	if (rqstp->rq_proc == RPCBPROC_SET
+diff --git a/src/rpcb_svc_4.c b/src/rpcb_svc_4.c
+index 5094879..eebbbbe 100644
+--- a/src/rpcb_svc_4.c
++++ b/src/rpcb_svc_4.c
+@@ -218,7 +218,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp)
+ 		svcerr_decode(transp);
+ 		if (debugging)
+ 			(void) xlog(LOG_DEBUG, "rpcbind: could not decode\n");
+-		return;
++		goto done;
+ 	}
+ 
+ 	if (rqstp->rq_proc == RPCBPROC_SET
+diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
+index 5862c26..cb63afd 100644
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -927,6 +927,14 @@ error:
+ 	if (call_msg.rm_xid != 0)
+ 		(void) free_slot_by_xid(call_msg.rm_xid);
+ out:
++	if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
++		if (debugging) {
++			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
++			if (doabort) {
++				rpcbind_abort();
++			}
++		}
++	}
+ 	if (local_uaddr)
+ 		free(local_uaddr);
+ 	if (buf_alloc)
+-- 
+1.8.3.1
+
diff --git a/main/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch b/main/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch
new file mode 100644
index 0000000000..fbe70d231e
--- /dev/null
+++ b/main/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch
@@ -0,0 +1,29 @@
+From c49a7ea639eb700823e174fd605bbbe183e229aa Mon Sep 17 00:00:00 2001
+From: Steve Dickson <steved@redhat.com>
+Date: Wed, 17 May 2017 10:52:25 -0400
+Subject: [PATCH] pmapproc_dump: Fixed typo in memory leak patch
+
+commit 7ea36eee introduce a typo that caused
+NIS (aka ypbind) to fail.
+
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/pmap_svc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pmap_svc.c b/src/pmap_svc.c
+index e926cdc..26c31d0 100644
+--- a/src/pmap_svc.c
++++ b/src/pmap_svc.c
+@@ -384,7 +384,7 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
+ 	}
+ 
+ done:
+-	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
++	if (!svc_freeargs(xprt, (xdrproc_t) xdr_void, (char *)NULL)) {
+ 		if (debugging) {
+ 			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
+ 			if (doabort) {
+-- 
+1.8.3.1
+
diff --git a/main/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch b/main/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
new file mode 100644
index 0000000000..e907f0a9a2
--- /dev/null
+++ b/main/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
@@ -0,0 +1,96 @@
+From 7c7590ad536c0e24bef790cb1e65702fc54db566 Mon Sep 17 00:00:00 2001
+From: Steve Dickson <steved@redhat.com>
+Date: Tue, 30 May 2017 11:27:22 -0400
+Subject: [PATCH] rpcbproc_callit_com: Stop freeing a static pointer
+
+commit 7ea36ee introduced a svc_freeargs() call
+that ended up freeing static pointer.
+
+It turns out the allocations for the rmt_args
+is not necessary . The xdr routines (xdr_bytes) will
+handle the memory management and the largest
+possible message size is UDPMSGSIZE (due to UDP only)
+which is smaller than RPC_BUF_MAX
+
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/rpcb_svc_com.c | 39 ++++++---------------------------------
+ 1 file changed, 6 insertions(+), 33 deletions(-)
+
+diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
+index cb63afd..1fc2229 100644
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -612,9 +612,9 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
+ 	struct netconfig *nconf;
+ 	struct netbuf *caller;
+ 	struct r_rmtcall_args a;
+-	char *buf_alloc = NULL, *outbufp;
++	char *outbufp;
+ 	char *outbuf_alloc = NULL;
+-	char buf[RPC_BUF_MAX], outbuf[RPC_BUF_MAX];
++	char  outbuf[RPC_BUF_MAX];
+ 	struct netbuf *na = (struct netbuf *) NULL;
+ 	struct rpc_msg call_msg;
+ 	int outlen;
+@@ -635,36 +635,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
+ 	}
+ 	if (si.si_socktype != SOCK_DGRAM)
+ 		return;	/* Only datagram type accepted */
+-	sendsz = __rpc_get_t_size(si.si_af, si.si_proto, UDPMSGSIZE);
+-	if (sendsz == 0) {	/* data transfer not supported */
+-		if (reply_type == RPCBPROC_INDIRECT)
+-			svcerr_systemerr(transp);
+-		return;
+-	}
+-	/*
+-	 * Should be multiple of 4 for XDR.
+-	 */
+-	sendsz = ((sendsz + 3) / 4) * 4;
+-	if (sendsz > RPC_BUF_MAX) {
+-#ifdef	notyet
+-		buf_alloc = alloca(sendsz);		/* not in IDR2? */
+-#else
+-		buf_alloc = malloc(sendsz);
+-#endif	/* notyet */
+-		if (buf_alloc == NULL) {
+-			if (debugging)
+-				xlog(LOG_DEBUG,
+-					"rpcbproc_callit_com:  No Memory!\n");
+-			if (reply_type == RPCBPROC_INDIRECT)
+-				svcerr_systemerr(transp);
+-			return;
+-		}
+-		a.rmt_args.args = buf_alloc;
+-	} else {
+-		a.rmt_args.args = buf;
+-	}
++	sendsz = UDPMSGSIZE;
+ 
+ 	call_msg.rm_xid = 0;	/* For error checking purposes */
++	memset(&a, 0, sizeof(a)); /* Zero out the input buffer */
+ 	if (!svc_getargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
+ 		if (reply_type == RPCBPROC_INDIRECT)
+ 			svcerr_decode(transp);
+@@ -704,7 +678,8 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
+ 	if (rbl == (rpcblist_ptr)NULL) {
+ #ifdef RPCBIND_DEBUG
+ 		if (debugging)
+-			xlog(LOG_DEBUG, "not found\n");
++			xlog(LOG_DEBUG, "prog %lu vers %lu: not found\n", 
++				a.rmt_prog, a.rmt_vers);
+ #endif
+ 		if (reply_type == RPCBPROC_INDIRECT)
+ 			svcerr_noprog(transp);
+@@ -937,8 +912,6 @@ out:
+ 	}
+ 	if (local_uaddr)
+ 		free(local_uaddr);
+-	if (buf_alloc)
+-		free(buf_alloc);
+ 	if (outbuf_alloc)
+ 		free(outbuf_alloc);
+ 	if (na) {
+-- 
+1.8.3.1
+