libtirpc: CVE-2018-14622: Segmentation fault in makefd_xprt return value in svc_vc.c

Related Vulnerabilities: CVE-2018-14622   CVE-2015-9265  

Debian Bug report logs - #907608

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 30 Aug 2018 07:21:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version libtirpc/0.2.5-1

Fixed in versions libtirpc/1.0.2-0.1, libtirpc/0.2.5-1.3, libtirpc/0.2.5-1.2+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#907608; Package src:libtirpc. (Thu, 30 Aug 2018 07:21:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Anibal Monsalve Salazar <anibal@debian.org>. (Thu, 30 Aug 2018 07:21:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libtirpc: CVE-2018-14622: Segmentation fault in makefd_xprt return value in svc_vc.c
Date: Thu, 30 Aug 2018 09:18:13 +0200
Source: libtirpc
Version: 0.2.5-1
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for libtirpc.

CVE-2018-14622[0]:
Segmentation fault in makefd_xprt return value in svc_vc.c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14622
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14622
[1] https://bugzilla.novell.com/show_bug.cgi?id=968175
[2] http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0

Regards,
Salvatore



Marked as fixed in versions libtirpc/1.0.2-0.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 Aug 2018 07:42:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#907608; Package src:libtirpc. (Thu, 30 Aug 2018 13:39:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Thu, 30 Aug 2018 13:39:03 GMT).


Message #12 received at 907608@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 907608@bugs.debian.org
Subject: Re: Bug#907608: libtirpc: CVE-2018-14622: Segmentation fault in makefd_xprt return value in svc_vc.c
Date: Thu, 30 Aug 2018 15:35:54 +0200

Note, there is potentially a CVE duplication here. CVE-2018-14622 and
CVE-2015-9265 both refer to the same commit.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#907608; Package src:libtirpc. (Thu, 30 Aug 2018 14:21:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Thu, 30 Aug 2018 14:21:05 GMT).


Message #17 received at 907608@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 907608@bugs.debian.org
Subject: Re: Bug#907608: libtirpc: CVE-2018-14622: Segmentation fault in makefd_xprt return value in svc_vc.c
Date: Thu, 30 Aug 2018 16:20:33 +0200

On Thu, Aug 30, 2018 at 03:35:54PM +0200, Salvatore Bonaccorso wrote:
> Note, there is potentially a CVE duplication here. CVE-2018-14622 and
> CVE-2015-9265 both refer to the same commit.

CVE-2015-9265 has been rejected in favour of CVE-2018-14622.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#907608; Package src:libtirpc. (Fri, 31 Aug 2018 19:57:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Fri, 31 Aug 2018 19:57:03 GMT).


Message #22 received at 907608@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 907608@bugs.debian.org
Subject: libtirpc: diff for NMU version 0.2.5-1.3
Date: Fri, 31 Aug 2018 21:53:24 +0200

Control: tags 907608 + pending


Dear maintainer,

I've prepared an NMU for libtirpc (versioned as 0.2.5-1.3) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[libtirpc-0.2.5-1.3-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 907608-submit@bugs.debian.org. (Fri, 31 Aug 2018 19:57:03 GMT).


Added indication that bug 907608 blocks 907719 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 01 Sep 2018 20:03:03 GMT).


Removed indication that bug 907608 blocks 907719 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 01 Sep 2018 20:03:06 GMT).


Removed indication that bug 907608 blocks Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 01 Sep 2018 20:03:09 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 10 Sep 2018 20:39:08 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 10 Sep 2018 20:39:08 GMT).


Message #35 received at 907608-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 907608-close@bugs.debian.org
Subject: Bug#907608: fixed in libtirpc 0.2.5-1.3
Date: Mon, 10 Sep 2018 20:35:19 +0000
Source: libtirpc
Source-Version: 0.2.5-1.3

We believe that the bug you reported is fixed in the latest version of
libtirpc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 907608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libtirpc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 31 Aug 2018 21:47:58 +0200
Source: libtirpc
Binary: libtirpc-dev libtirpc1
Architecture: source
Version: 0.2.5-1.3
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 907608
Description: 
 libtirpc-dev - transport-independent RPC library - development files
 libtirpc1  - transport-independent RPC library
Changes:
 libtirpc (0.2.5-1.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * rendezvous_request: check the makefd_xprt return value (CVE-2018-14622)
     (Closes: #907608)
Checksums-Sha1: 
 fd96a1d2eff4d61d47fa3390446af0cf2c2ee51a 2010 libtirpc_0.2.5-1.3.dsc
 a04c34547264677bbc5cf375270c3eaba6e30d4b 16016 libtirpc_0.2.5-1.3.debian.tar.xz
Checksums-Sha256: 
 5fda50599de55187814b81b8353195baf206f0883c3b3a370ec26d4b4aa52f67 2010 libtirpc_0.2.5-1.3.dsc
 7378d6b87ac71aa0f00338a71ea8e6713260ed266cb62dcca82c15a383592cc5 16016 libtirpc_0.2.5-1.3.debian.tar.xz
Files: 
 bc39dd0a7306c5c4c8e80207bf177ae6 2010 libs standard libtirpc_0.2.5-1.3.dsc
 2a199341b3ce0ee8384a1975d1651837 16016 libs standard libtirpc_0.2.5-1.3.debian.tar.xz





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 04 Oct 2018 18:51:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 04 Oct 2018 18:51:03 GMT).


Message #40 received at 907608-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 907608-close@bugs.debian.org
Subject: Bug#907608: fixed in libtirpc 0.2.5-1.2+deb9u1
Date: Thu, 04 Oct 2018 18:47:07 +0000
Source: libtirpc
Source-Version: 0.2.5-1.2+deb9u1

We believe that the bug you reported is fixed in the latest version of
libtirpc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 907608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libtirpc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 31 Aug 2018 21:56:01 +0200
Source: libtirpc
Binary: libtirpc-dev libtirpc1
Architecture: source
Version: 0.2.5-1.2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 907608
Description: 
 libtirpc-dev - transport-independent RPC library - development files
 libtirpc1  - transport-independent RPC library
Changes:
 libtirpc (0.2.5-1.2+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * rendezvous_request: check the makefd_xprt return value (CVE-2018-14622)
     (Closes: #907608)
Checksums-Sha1: 
 a92e75e4ba31886310cbd6aedfe1fe1ebd9827bb 2038 libtirpc_0.2.5-1.2+deb9u1.dsc
 064b0b74ac763c13da127ffcc6ba0e2bd2016e98 16028 libtirpc_0.2.5-1.2+deb9u1.debian.tar.xz
Checksums-Sha256: 
 c00b89b207a48a0a431728d2db50d9892702df14ffde63296ce424c317347165 2038 libtirpc_0.2.5-1.2+deb9u1.dsc
 55f30a9aeb4597ad8dd725016afe3dd687542a54ef7c02cf0fada27c58fe2cf9 16028 libtirpc_0.2.5-1.2+deb9u1.debian.tar.xz
Files: 
 1f23001fe458afe0ced5ca30621abf26 2038 libs standard libtirpc_0.2.5-1.2+deb9u1.dsc
 74e74cace3de5ff26e2da550c6dc74a2 16028 libs standard libtirpc_0.2.5-1.2+deb9u1.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Nov 2018 07:25:04 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:03:48 2019; Machine Name: beach
