oss-sec mailing list archives
[CVE assignment notification] CVE-2013-1950 libtirpc: Invalid pointer free leads to rpcbind daemon crash (A different vulnerability than CVE-2003-0028)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 22 Apr 2013 11:14:59 -0400 (EDT)
Hello SteveCh, SteveD, vendors,

originally Common Vulnerabilities and Exposures assigned the CVE-2003-0028 identifier to the following flaw:

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0028

Testing original CVE-2003-0028 reproducer against recent rpcbind code, resulted into an invalid pointer free flaw to be found:

[2] https://bugzilla.redhat.com/show_bug.cgi?id=948378#c0

Further issue context [3]:
--------------------------
An invalid pointer free flaw was found in the way server side code implementation for connectionless RPC requests of libtirpc, a library implementing Transport-Independent RPC (TI-RPC), (previously) performed arguments retrieval (due to a regression in commit 82cc2e61 svc_dg_getargs() routine callers would crash with invalid pointer free). A remote attacker could issue a specially-crafted Sun RPC request that, when processed, would lead to rpcbind daemon crash. A different vulnerability than CVE-2003-0028.

[3] https://bugzilla.redhat.com/show_bug.cgi?id=948378#c13

Particular upstream patch:

[4] http://git.infradead.org/users/steved/libtirpc.git/commitdiff/a9f437119d79a438cb12e510f3cadd4060102c9f

Note: While the original CVE-2003-0028 issue has been reported to possibly allow / lead to arbitrary code execution under certain circumstances, the current (CVE-2013-1950) is believed to be able to cause (remote) rpcbind daemon crash "only".

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team