Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

Gentoo: GLSA-202309-12 Moderate: Libpng Security Vulnerability

gentoo
Calendar Grey June 6, 2017
Scroller Gentoo
The libtirpc and RPCBind security flaw can lead to Denial of Service through remote exploitation; users are advised to perform updates promptly.
A vulnerability has been found in Libtirpc and RPCBind which may allow a remote attacker to cause a Denial of Service condition.

Summary

It was found that due to the way RPCBind uses libtirpc (libntirpc), a memory leak can occur when parsing specially crafted XDR messages.

Resolution

All RPCBind users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-nds/rpcbind-0.2.4-r"
All Libtirpc users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/libtirpc-1.0.1-r1"

References

[ 1 ] CVE-2017-8779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8779

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201706-07
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity
important
Lowest
Low
Medium
High
Critical

Severity: Normal
Title: Libtirpc and RPCBind: Denial of Service
Date: June 06, 2017
Bugs: #617472
ID: 201706-07

Synopsis

A vulnerability has been found in Libtirpc and RPCBind which may allow a remote attacker to cause a Denial of Service condition.

Background

The RPCBind utility is a server that converts RPC program numbers into universal addresses. Libtirpc is a port of Suns Transport-Independent RPC library to Linux.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-nds/rpcbind < 0.2.4-r >= 0.2.4-r 2 net-libs/libtirpc < 1.0.1-r1 >= 1.0.1-r1 ------------------------------------------------------------------- 2 affected packages

Impact

===== A remote attacker could send thousands of messages to RPCBind, possibly resulting in a Denial of Service condition.

Workaround

There is no known workaround at this time.