aboutsummaryrefslogtreecommitdiffstats
path: root/main/rpcbind
diff options
context:
space:
mode:
authorEivind Uggedal <eivind@uggedal.com>2015-09-30 19:30:19 +0000
committerEivind Uggedal <eivind@uggedal.com>2015-09-30 19:30:19 +0000
commit9d6f28e9313b1f9f0f7762a082d89d7791144e8e (patch)
tree15c7eb66741ce847f3405b6cea642749317f9b3a /main/rpcbind
parent30dbccda05684a58b30f4756d3c45fad8894c896 (diff)
downloadaports-9d6f28e9313b1f9f0f7762a082d89d7791144e8e.tar.bz2
aports-9d6f28e9313b1f9f0f7762a082d89d7791144e8e.tar.xz
main/rpcbind: security fix for CVE-2015-7236
Diffstat (limited to 'main/rpcbind')
-rw-r--r--main/rpcbind/APKBUILD14
-rw-r--r--main/rpcbind/CVE-2015-7236.patch78
2 files changed, 87 insertions, 5 deletions
diff --git a/main/rpcbind/APKBUILD b/main/rpcbind/APKBUILD
index 05bb3f0485..4d12baf5c0 100644
--- a/main/rpcbind/APKBUILD
+++ b/main/rpcbind/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=rpcbind
pkgver=0.2.3
-pkgrel=0
+pkgrel=1
pkgdesc="portmap replacement which supports RPC over various protocols"
url="http://rpcbind.sourceforge.net"
arch="all"
@@ -16,7 +16,8 @@ source="$pkgname-$pkgver.tar.gz::http://git.infradead.org/users/steved/rpcbind.g
musl-sunrpc.patch
rpcbind.initd
rpcbind.confd
- 0001-Avoid-use-of-glibc-sys-cdefs.h-header.patch"
+ 0001-Avoid-use-of-glibc-sys-cdefs.h-header.patch
+ CVE-2015-7236.patch"
_builddir="$srcdir"/rpcbind-95cb04e
prepare() {
@@ -58,18 +59,21 @@ bea09b7ec434264756ec7c09da59b8bf 0002-uclibc-rpcsvc-defines.patch
7825226deb532d8b91380e5425304965 musl-sunrpc.patch
4fbc48760c73976457349150779b3b8b rpcbind.initd
2517c71cdb08f133b0d50055a44c56de rpcbind.confd
-cab57f0dcff8425e5a00241f6e75e64a 0001-Avoid-use-of-glibc-sys-cdefs.h-header.patch"
+cab57f0dcff8425e5a00241f6e75e64a 0001-Avoid-use-of-glibc-sys-cdefs.h-header.patch
+940f7bed3ee84d3f827a2bfd6f19c624 CVE-2015-7236.patch"
sha256sums="7d0bbc262138c5f9f2b42f53c1953bf5440379cfe3a926fc400926b44bba6d81 rpcbind-0.2.3.tar.gz
86f56219652ce4e8009b6bb28c8a970fff55fff22c244d10efbe6e097a2e66f9 0002-uclibc-rpcsvc-defines.patch
91b795f046e956ded5d16b77867a6c8199f4b221e4cab467865b16f26b8bfd32 musl-poll.patch
8852c055fa257113d3df3525a5600e6f02f4eacba29cf98a8c0c714e4551cfc9 musl-sunrpc.patch
ed0906acfda9f038776530ef56fcbea8627837f707682ce7311e10c7259cfb15 rpcbind.initd
55bcd47a4d0f194f09e6abb13695853459f869b54ce09ef051e55efcd8ad3903 rpcbind.confd
-a1af9dd7631205d35d8bae464b5eb9965ec16952fb9479d1e58dd2fbd40f3ec3 0001-Avoid-use-of-glibc-sys-cdefs.h-header.patch"
+a1af9dd7631205d35d8bae464b5eb9965ec16952fb9479d1e58dd2fbd40f3ec3 0001-Avoid-use-of-glibc-sys-cdefs.h-header.patch
+e7aafff7fe20a5d9fdb0f93a5b6824e136934f4fbb20d210f398e851cb13f419 CVE-2015-7236.patch"
sha512sums="632c1025a562adfd2487aa22f5d8f3a49b93a16beb202c7736eae7e466ca481f0b6ea4c71842bd577555ab823ba10ec8e13d78a6f1d15f57b3b23bcc5893bd61 rpcbind-0.2.3.tar.gz
205dcf072055f3ff0477b26f63be7e228244bcaeaf3670ad9f5a9a39faa9d58f89b9eb2a98d79059a749b6ff834d37c260e71a8b06507027e315b29152b2a94d 0002-uclibc-rpcsvc-defines.patch
9ff75b07622f12dd8363ad21709bd60addcb7d428aa9e181467e8da0c4ac087653934fdfb7bcec31c52b43a96a1829793cee18e68878d5cc69fa920865bdbad8 musl-poll.patch
f8782018825e176adcb323c93cdf44612914a7a71e12f2dd4afb1593c62b91709fcf62246cc4e57ae2527d117cb05eabfc8436958da524186490615bf50c0bd4 musl-sunrpc.patch
1cd655d86226a45fa3e927f8ac2bb580537644d2fb3684e0f4a956bf3721c95d95b8b8c1d9a2a742fb714eeba9277e0400a7493bf1bf676466d70adb2b35a88e rpcbind.initd
0641087162ebc8fb10c5cb329105261d77cad073daed3f9a6c92574177298cd8a19a87b62dde14161cc554b5e68680cfd870b5334f3cfd8d6074ec8a43f4dfe3 rpcbind.confd
-a2e2d2539b5943c93a9d44f11679ff5b7ca958b49040015a50e6a6bb865663031993e2888453b3c4ee0bef74f1eecc39a1b785ffcb1b596b156d24741154c2b5 0001-Avoid-use-of-glibc-sys-cdefs.h-header.patch"
+a2e2d2539b5943c93a9d44f11679ff5b7ca958b49040015a50e6a6bb865663031993e2888453b3c4ee0bef74f1eecc39a1b785ffcb1b596b156d24741154c2b5 0001-Avoid-use-of-glibc-sys-cdefs.h-header.patch
+c91628b6e5758a02790651d914f35c10d19807955721d910a4d391cde0071efee169cfddd788855677bc1d509fba3a1bc5e40601d327a5f7f8487ad8f06b197a CVE-2015-7236.patch"
diff --git a/main/rpcbind/CVE-2015-7236.patch b/main/rpcbind/CVE-2015-7236.patch
new file mode 100644
index 0000000000..29c3e1a6d0
--- /dev/null
+++ b/main/rpcbind/CVE-2015-7236.patch
@@ -0,0 +1,78 @@
+commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd
+Author: Olaf Kirch <okir () suse de>
+Date: Thu Aug 6 16:27:20 2015 +0200
+
+ Fix memory corruption in PMAP_CALLIT code
+
+ - A PMAP_CALLIT call comes in on IPv4 UDP
+ - rpcbind duplicates the caller's address to a netbuf and stores it in
+ FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
+ with a size of 16 bytes
+ - rpcbind forwards the call to the local service, receives a reply
+ - when processing the reply, it does this in xprt_set_caller:
+ xprt->xp_rtaddr = *FINFO[0].caller_addr
+ It sends out the reply, and then frees the netbuf caller_addr and
+ caller_addr.buf.
+ However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
+ to memory region A, which is free.
+ - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
+ be called, which will set xp_rtaddr to the client's address.
+ It will reuse the buffer inside xp_rtaddr, ie it will write a
+ sockaddr_in to region A
+
+ Some time down the road, an incoming TCP connection is accepted,
+ allocating a fresh SVCXPRT. The memory region A is inside the
+ new SVCXPRT
+
+ - While processing the TCP call, another UDP call comes in, again
+ overwriting region A with the client's address
+ - TCP client closes connection. In svc_destroy, we now trip over
+ the garbage left in region A
+
+ We ran into the case where a commercial scanner was triggering
+ occasional rpcbind segfaults. The core file that was captured showed
+ a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
+
+ Signed-off-by: Olaf Kirch <okir () suse de>
+
+---
+ src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -1204,12 +1204,33 @@ check_rmtcalls(struct pollfd *pfds, int
+ return (ncallbacks_found);
+ }
+
++/*
++ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't
++ * been exported yet.
++ */
++static struct netbuf *
++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
++{
++ if (nb->len != len) {
++ if (nb->len)
++ mem_free(nb->buf, nb->len);
++ nb->buf = mem_alloc(len);
++ if (nb->buf == NULL)
++ return NULL;
++
++ nb->maxlen = nb->len = len;
++ }
++ memcpy(nb->buf, ptr, len);
++ return nb;
++}
++
+ static void
+ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
+ {
++ const struct netbuf *caller = fi->caller_addr;
+ u_int32_t *xidp;
+
+- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
++ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
+ xidp = __rpcb_get_dg_xidp(xprt);
+ *xidp = fi->caller_xid;
+ }