oss-sec mailing list archives

Re: CVE Request: remote triggerable use-after-free in rpcbind

From: Steve Dickson <SteveD () redhat com>
Date: Thu, 17 Sep 2015 16:12:29 -0400



On 09/17/2015 08:23 AM, Marcus Meissner wrote:

Hi,

One of our customers saw rpcbind crashing on a remote security scan.
Olaf Kirch identified and fixed the problem:

http://www.spinics.net/lists/linux-nfs/msg53045.html
https://bugzilla.suse.com/show_bug.cgi?id=946204

It so far has not been integrated into rpcbind upstream.

This is a use-after-free, so at least remote denial of service.
We have not researched further exploitability.


In Olaf's patch there is a call to __rpc_set_netbuf() which is
not visible in the upstream libtirpc lib... Did  Olaf roll his own or
changed libtirpc to make it visible? 

steved.

Current thread:

CVE Request: remote triggerable use-after-free in rpcbind Marcus Meissner (Sep 17)
- Re: CVE Request: remote triggerable use-after-free in rpcbind cve-assign (Sep 17)
  - Re: CVE Request: remote triggerable use-after-free in rpcbind Steve Dickson (Sep 17)
    - Re: CVE Request: remote triggerable use-after-free in rpcbind Marcus Meissner (Sep 17)
    - Re: CVE Request: remote triggerable use-after-free in rpcbind Steve Dickson (Sep 17)
    - Re: CVE Request: remote triggerable use-after-free in rpcbind Marcus Meissner (Sep 17)
    - Re: Re: CVE Request: remote triggerable use-after-free in rpcbind Kurt Seifried (Sep 17)
- Re: CVE Request: remote triggerable use-after-free in rpcbind Steve Dickson (Sep 17)
  - Re: Re: CVE Request: remote triggerable use-after-free in rpcbind Olaf Kirch (Sep 18)