From c39a54f431cc6ae61a09f8b06f3593939dd14c9b Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 4 May 2017 21:26:03 -0400 Subject: gnu: rpcbind, libtirpc: Fix CVE-2017-8779. * gnu/packages/patches/libtirpc-CVE-2017-8779.patch, gnu/packages/patches/rpcbind-CVE-2017-8779.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/onc-rpc.scm (rpcbind, libtirpc)[source]: Use them. --- gnu/local.mk | 2 + gnu/packages/onc-rpc.scm | 3 + gnu/packages/patches/libtirpc-CVE-2017-8779.patch | 263 ++++++++++++++++++++++ gnu/packages/patches/rpcbind-CVE-2017-8779.patch | 29 +++ 4 files changed, 297 insertions(+) create mode 100644 gnu/packages/patches/libtirpc-CVE-2017-8779.patch create mode 100644 gnu/packages/patches/rpcbind-CVE-2017-8779.patch diff --git a/gnu/local.mk b/gnu/local.mk index 97c291d27a..03412c65fb 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -749,6 +749,7 @@ dist_patch_DATA = \ %D%/packages/patches/libtiff-invalid-read.patch \ %D%/packages/patches/libtiff-null-dereference.patch \ %D%/packages/patches/libtiff-tiffcp-underflow.patch \ + %D%/packages/patches/libtirpc-CVE-2017-8779.patch \ %D%/packages/patches/libtorrent-rasterbar-boost-compat.patch \ %D%/packages/patches/libtool-skip-tests2.patch \ %D%/packages/patches/libunwind-CVE-2015-3239.patch \ @@ -929,6 +930,7 @@ dist_patch_DATA = \ %D%/packages/patches/readline-6.2-CVE-2014-2524.patch \ %D%/packages/patches/readline-7.0-mingw.patch \ %D%/packages/patches/ripperx-missing-file.patch \ + %D%/packages/patches/rpcbind-CVE-2017-8779.patch \ %D%/packages/patches/rpm-CVE-2014-8118.patch \ %D%/packages/patches/rsem-makefile.patch \ %D%/packages/patches/ruby-concurrent-ignore-broken-test.patch \ diff --git a/gnu/packages/onc-rpc.scm b/gnu/packages/onc-rpc.scm index c852f9a4a8..a76ac36eab 100644 --- a/gnu/packages/onc-rpc.scm +++ b/gnu/packages/onc-rpc.scm 
@@ -22,6 +22,7 @@ #:use-module (guix licenses) #:use-module (guix packages) #:use-module (guix download) + #:use-module (gnu packages) #:use-module (gnu packages kerberos) #:use-module (gnu packages pkg-config) #:use-module (guix build-system gnu)) @@ -35,6 +36,7 @@ (uri (string-append "mirror://sourceforge/libtirpc/libtirpc/" version "/libtirpc-" version ".tar.bz2")) + (patches (search-patches "libtirpc-CVE-2017-8779.patch")) (sha256 (base32 "17mqrdgsgp9m92pmq7bvr119svdg753prqqxmg4cnz5y657rfmji")))) @@ -74,6 +76,7 @@ IPv4 and IPv6. ONC RPC is notably used by the network file system (NFS).") (uri (string-append "mirror://sourceforge/" name "/" name "/" version "/" name "-" version ".tar.bz2")) + (patches (search-patches "rpcbind-CVE-2017-8779.patch")) (sha256 (base32 "0rjc867mdacag4yqvs827wqhkh27135rp9asj06ixhf71m9rljh7")))) diff --git a/gnu/packages/patches/libtirpc-CVE-2017-8779.patch b/gnu/packages/patches/libtirpc-CVE-2017-8779.patch new file mode 100644 index 0000000000..742e64df25 --- /dev/null +++ b/gnu/packages/patches/libtirpc-CVE-2017-8779.patch 
@@ -0,0 +1,263 @@
+Fix CVE-2017-8779:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
+
+Patch copied from the bug reporter's 3rd-party repository:
+
+https://github.com/guidovranken/rpcbomb/blob/master/libtirpc_patch.txt
+
+diff --git a/src/rpc_generic.c b/src/rpc_generic.c
+index 2f09a8f..589cbd5 100644
+--- a/src/rpc_generic.c
++++ b/src/rpc_generic.c
+@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+
+ switch (af) {
+ case AF_INET:
++ if (nbuf->len < sizeof(*sin)) {
++ return NULL;
++ }
+ sin = nbuf->buf;
+ if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
+ == NULL)
+@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
+ break;
+ #ifdef INET6
+ case AF_INET6:
++ if (nbuf->len < sizeof(*sin6)) {
++ return NULL;
++ }
+ sin6 = nbuf->buf;
+ if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
+ == NULL)
+@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
+
+ port = 0;
+ sin = NULL;
++ if (uaddr == NULL)
++ return NULL;
+ addrstr = strdup(uaddr);
+ if (addrstr == NULL)
+ return NULL;
+diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c
+index 43fd385..a923c8e 100644
+--- a/src/rpcb_prot.c
++++ b/src/rpcb_prot.c
+@@ -41,6 +41,7 @@
+ #include
+ #include
+ #include
++#include "rpc_com.h"
+
+ bool_t
+ xdr_rpcb(xdrs, objp)
+@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)
+ if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ return (TRUE);
+@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)
+ XDR *xdrs;
+ rpcb_entry *objp;
+ {
+- if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ return (TRUE);
+@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)
+ bool_t dummy;
+ struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
+
+- if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ if (!xdr_u_int(xdrs, &objp->results.results_len)) {
+@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)
+ if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
+ return (FALSE);
+ }
++
++ if (objp->maxlen > RPC_MAXDATASIZE) {
++ return (FALSE);
++ }
++
+ dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
+ (u_int *)&(objp->len), objp->maxlen);
+ return (dummy);
+diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c
+index 08db745..28e6a48 100644
+--- a/src/rpcb_st_xdr.c
++++ b/src/rpcb_st_xdr.c
+@@ -37,6 +37,7 @@
+
+
+ #include
++#include "rpc_com.h"
+
+ /* Link list of all the stats about getport and getaddr */
+
+@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)
+ if (!xdr_int(xdrs, &objp->failure)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+
+@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ IXDR_PUT_INT32(buf, objp->failure);
+ IXDR_PUT_INT32(buf, objp->indirect);
+ }
+- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ objp->failure = (int)IXDR_GET_INT32(buf);
+ objp->indirect = (int)IXDR_GET_INT32(buf);
+ }
+- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ if (!xdr_pointer(xdrs, (char **)&objp->next,
+@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
+ if (!xdr_int(xdrs, &objp->indirect)) {
+ return (FALSE);
+ }
+- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
+ return (FALSE);
+ }
+ if (!xdr_pointer(xdrs, (char **)&objp->next,
+diff --git a/src/xdr.c b/src/xdr.c
+index f3fb9ad..b9a1558 100644
+--- a/src/xdr.c
++++ b/src/xdr.c
+@@ -42,8 +42,10 @@
+ #include
+ #include
+
++#include
+ #include
+ #include
++#include
+
+ typedef quad_t longlong_t; /* ANSI long long type */
+ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
+@@ -53,7 +55,6 @@ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
+ */
+ #define XDR_FALSE ((long) 0)
+ #define XDR_TRUE ((long) 1)
+-#define LASTUNSIGNED ((u_int) 0-1)
+
+ /*
+ * for unit alignment
+@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ {
+ char *sp = *cpp; /* sp is the actual string pointer */
+ u_int nodesize;
++ bool_t ret, allocated = FALSE;
+
+ /*
+ * first deal with the length since xdr bytes are counted
+@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ }
+ if (sp == NULL) {
+ *cpp = sp = mem_alloc(nodesize);
++ allocated = TRUE;
+ }
+ if (sp == NULL) {
+ warnx("xdr_bytes: out of memory");
+@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
+ /* FALLTHROUGH */
+
+ case XDR_ENCODE:
+- return (xdr_opaque(xdrs, sp, nodesize));
++ ret = xdr_opaque(xdrs, sp, nodesize);
++ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
++ if (allocated == TRUE) {
++ free(sp);
++ *cpp = NULL;
++ }
++ }
++ return (ret);
+
+ case XDR_FREE:
+ if (sp != NULL) {
+@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)
+ char *sp = *cpp; /* sp is the actual string pointer */
+ u_int size;
+ u_int nodesize;
++ bool_t ret, allocated = FALSE;
+
+ /*
+ * first deal with the length since xdr strings are counted-strings
+@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)
+ switch (xdrs->x_op) {
+
+ case XDR_DECODE:
+- if (sp == NULL)
++ if (sp == NULL) {
+ *cpp = sp = mem_alloc(nodesize);
++ allocated = TRUE;
++ }
+ if (sp == NULL) {
+ warnx("xdr_string: out of memory");
+ return (FALSE);
+@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)
+ /* FALLTHROUGH */
+
+ case XDR_ENCODE:
+- return (xdr_opaque(xdrs, sp, size));
++ ret = xdr_opaque(xdrs, sp, size);
++ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
++ if (allocated == TRUE) {
++ free(sp);
++ *cpp = NULL;
++ }
++ }
++ return (ret);
+
+ case XDR_FREE:
+ mem_free(sp, nodesize);
+@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)
+ XDR *xdrs;
+ char **cpp;
+ {
+- return xdr_string(xdrs, cpp, LASTUNSIGNED);
++ return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
+ }
+
+ /*
diff --git a/gnu/packages/patches/rpcbind-CVE-2017-8779.patch b/gnu/packages/patches/rpcbind-CVE-2017-8779.patch
new file mode 100644
index 0000000000..6ca93ff12b
--- /dev/null
+++ b/gnu/packages/patches/rpcbind-CVE-2017-8779.patch
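Review bot: In the nested src/xdr.c hunks, the new decode-failure path in `xdr_bytes` and `xdr_string` releases the buffer with `free(sp)`, although it was obtained with `mem_alloc(nodesize)` and the `XDR_FREE` case of `xdr_string` releases it with `mem_free(sp, nodesize)`. I would keep the allocator pair consistent and write `mem_free(sp, nodesize);` in both places, so the cleanup stays correct if `mem_alloc` is ever mapped to something other than plain malloc. Both functions start and end outside the hunks shown, so the rest of their bodies is not covered by this note. Separately, the header of this patch file (and of rpcbind-CVE-2017-8779.patch) cites a `blob/master` URL in the reporter's repository, which can change after the copy was made; I would pin it, e.g. `https://github.com/guidovranken/rpcbomb/blob/<commit-id>/libtirpc_patch.txt`, or cite the upstream libtirpc commit once there is one.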
@@ -0,0 +1,29 @@
+Fix CVE-2017-8779:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
+
+Patch copied from the bug reporter's 3rd-party repository:
+
+https://github.com/guidovranken/rpcbomb/blob/master/rpcbind_patch.txt
+
+diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
+index 5862c26..e11f61b 100644
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -48,6 +48,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -432,7 +433,7 @@ rpcbproc_taddr2uaddr_com(void *arg, struct svc_req *rqstp /*__unused*/,
+ static bool_t
+ xdr_encap_parms(XDR *xdrs, struct encap_parms *epp)
+ {
+- return (xdr_bytes(xdrs, &(epp->args), (u_int *) &(epp->arglen), ~0));
++ return (xdr_bytes(xdrs, &(epp->args), (u_int *) &(epp->arglen), RPC_MAXDATASIZE));
+ }
+
+ /*
-- cgit v1.2.3
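Review bot: The patch header does not say that the one-line change in `xdr_encap_parms` only bounds the length that `xdr_bytes` will accept. The release of the buffer after a failed decode is added to libtirpc's `xdr_bytes` by the companion patch, so rpcbind appears to be fully covered only when it is built against the patched libtirpc. I would add a sentence to the header such as `Requires libtirpc built with libtirpc-CVE-2017-8779.patch (bounded xdr_bytes plus free on failed decode).` The cast `(u_int *) &(epp->arglen)` on the same line is carried over unchanged and assumes `arglen` has the size of `u_int`; the definition of `struct encap_parms` is outside the hunk, so that should be confirmed.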