Control: clone -1 -2
Control: reassign -2 src:ntirpc 1.4.3-3
Control: retitle -2 ntirpc: CVE-2017-8779

On Thu, May 04, 2017 at 05:01:11PM +0200, Salvatore Bonaccorso wrote:
> Source: libtirpc
> Version: 0.2.5-1
> Severity: grave
> Tags: security upstream patch
> Justification: user security hole
> Control: clone -1 -2
> Control: reassign -2 src:rpcbind
> Control: found -2 0.2.1-6
>
> Hi,
>
> the following vulnerability was published for libtirpc.
>
> CVE-2017-8779[0]:
> | rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through
> | 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC
> | data size during memory allocation for XDR strings, which allows remote
> | attackers to cause a denial of service (memory consumption with no
> | subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

The same issue affects ntirpc as well. Thus cloning the bug.

Regards,
Salvatore
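
The check that the CVE description above says is missing, as an added example (not code from libtirpc, rpcbind or ntirpc, and not part of the original message): a stand-alone XDR string decoder that validates the declared length against a cap and against the bytes received before it allocates, and frees on every path. `MAX_STRING_SIZE`, the function names and the sample buffers are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRING_SIZE 1024u /* assumed cap; a real server derives it from its RPC limits */
enum { XDR_OK = 0, XDR_TRUNCATED = -1, XDR_TOO_LARGE = -2, XDR_NOMEM = -3 };
/* Decode one XDR string: 4-byte big-endian length, data, zero padding to a multiple
 * of 4. The declared length is checked against the cap and the bytes received first. */
int xdr_decode_string(const uint8_t *buf, size_t buflen, size_t maxsize,
                      char **out, size_t *consumed)
{
    *out = NULL;
    if (buflen < 4)
        return XDR_TRUNCATED;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len > maxsize)
        return XDR_TOO_LARGE;              /* rejected before malloc */
    uint64_t padded = ((uint64_t)len + 3u) & ~(uint64_t)3u;
    if (padded > buflen - 4)
        return XDR_TRUNCATED;              /* claims more data than was sent */
    char *s = malloc((size_t)len + 1);
    if (s == NULL)
        return XDR_NOMEM;
    memcpy(s, buf + 4, len);
    s[len] = '\0';
    *out = s;                              /* ownership passes to the caller */
    *consumed = 4 + (size_t)padded;
    return XDR_OK;
}

/* Constructed inputs: well-formed "abc", a cut-off message, an oversized length. */
static const uint8_t sample_ok[]    = {0, 0, 0, 3, 'a', 'b', 'c', 0};
static const uint8_t sample_short[] = {0, 0, 0, 8, 'a', 'b'};
static const uint8_t sample_big[]   = {0xff, 0xff, 0xff, 0xf0, 'a', 'b', 'c', 'd'};
/* Returns the decoded length on success, or a negative XDR_* code. */
int decode_sample(const uint8_t *buf, size_t n)
{
    char *s; size_t used = 0;
    int rc = xdr_decode_string(buf, n, MAX_STRING_SIZE, &s, &used);
    int result = (rc == XDR_OK) ? (int)strlen(s) : rc;
    free(s);                               /* free on every path, including errors */
    return result;
}

int main(void)
{
    printf("%d %d\n", decode_sample(sample_ok, sizeof sample_ok),
           decode_sample(sample_big, sizeof sample_big));
}
```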

