Dear maintainer,
I've prepared an NMU for libtirpc (versioned as 0.2.5-1.2). The diff is attached to this message. Regards, Salvatore
diff -Nru libtirpc-0.2.5/debian/changelog libtirpc-0.2.5/debian/changelog --- libtirpc-0.2.5/debian/changelog 2016-12-21 23:12:21.000000000 +0100 +++ libtirpc-0.2.5/debian/changelog 2017-05-05 17:24:41.000000000 +0200 @@ -1,3 +1,11 @@ +libtirpc (0.2.5-1.2) unstable; urgency=high + + * Non-maintainer upload. + * CVE-2017-8779: Memory leak when failing to parse XDR strings or bytearrays + (Closes: #861834) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 05 May 2017 17:24:41 +0200 + libtirpc (0.2.5-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru libtirpc-0.2.5/debian/patches/11-CVE-2017-8779.diff libtirpc-0.2.5/debian/patches/11-CVE-2017-8779.diff --- libtirpc-0.2.5/debian/patches/11-CVE-2017-8779.diff 1970-01-01 01:00:00.000000000 +0100 +++ libtirpc-0.2.5/debian/patches/11-CVE-2017-8779.diff 2017-05-05 17:24:41.000000000 +0200 @@ -0,0 +1,255 @@ +Description: CVE-2017-8779: Memory leak when failing to parse XDR strings or bytearrays +Origin: vendor +Bug-Debian: https://bugs.debian.org/861834 +Forwarded: not-needed +Author: Guido Vranken <guidovran...@gmail.com> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2017-05-05 + +--- a/src/rpc_generic.c ++++ b/src/rpc_generic.c +@@ -620,6 +620,9 @@ __rpc_taddr2uaddr_af(int af, const struc + + switch (af) { + case AF_INET: ++ if (nbuf->len < sizeof(*sin)) { ++ return NULL; ++ } + sin = nbuf->buf; + if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf) + == NULL) +@@ -631,6 +634,9 @@ __rpc_taddr2uaddr_af(int af, const struc + break; + #ifdef INET6 + case AF_INET6: ++ if (nbuf->len < sizeof(*sin6)) { ++ return NULL; ++ } + sin6 = nbuf->buf; + if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6) + == NULL) +@@ -673,6 +679,8 @@ __rpc_uaddr2taddr_af(int af, const char + + port = 0; + sin = NULL; ++ if (uaddr == NULL) ++ return NULL; + addrstr = strdup(uaddr); + if (addrstr == NULL) + return NULL; +--- a/src/rpcb_prot.c ++++ b/src/rpcb_prot.c +@@ -41,6 +41,7 @@ + #include <rpc/types.h> + #include <rpc/xdr.h> + #include <rpc/rpcb_prot.h> ++#include "rpc_com.h" + + bool_t + xdr_rpcb(xdrs, objp) +@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp) + if (!xdr_u_int32_t(xdrs, &objp->r_vers)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) { + return (FALSE); + } + return (TRUE); +@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp) + XDR *xdrs; + rpcb_entry *objp; + { +- if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) { + return (FALSE); + } + if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) { + return (FALSE); + } + return (TRUE); +@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p) + bool_t dummy; + struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p; + +- if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) { + return (FALSE); + } + if (!xdr_u_int(xdrs, &objp->results.results_len)) { +@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp) + if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) { + return (FALSE); + } ++ ++ if (objp->maxlen > RPC_MAXDATASIZE) { ++ return (FALSE); ++ } ++ + dummy = xdr_bytes(xdrs, (char **)&(objp->buf), + (u_int *)&(objp->len), objp->maxlen); + return (dummy); +--- a/src/rpcb_st_xdr.c ++++ b/src/rpcb_st_xdr.c +@@ -38,6 +38,7 @@ + #include <sys/cdefs.h> + + #include <rpc/rpc.h> ++#include "rpc_com.h" + + /* Link list of all the stats about getport and getaddr */ + +@@ -59,7 +60,7 @@ xdr_rpcbs_addrlist(xdrs, objp) + if (!xdr_int(xdrs, &objp->failure)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { + return (FALSE); + } + +@@ -110,7 +111,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) + IXDR_PUT_INT32(buf, objp->failure); + IXDR_PUT_INT32(buf, objp->indirect); + } +- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { + return (FALSE); + } + if (!xdr_pointer(xdrs, (char **)&objp->next, +@@ -148,7 +149,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) + objp->failure = (int)IXDR_GET_INT32(buf); + objp->indirect = (int)IXDR_GET_INT32(buf); + } +- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { + return (FALSE); + } + if (!xdr_pointer(xdrs, (char **)&objp->next, +@@ -176,7 +177,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) + if (!xdr_int(xdrs, &objp->indirect)) { + return (FALSE); + } +- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { ++ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { + return (FALSE); + } + if (!xdr_pointer(xdrs, (char **)&objp->next, +--- a/src/xdr.c ++++ b/src/xdr.c +@@ -43,8 +43,10 @@ + #include <stdlib.h> + #include <string.h> + ++#include <rpc/rpc.h> + #include <rpc/types.h> + #include <rpc/xdr.h> ++#include <rpc/rpc_com.h> + + typedef quad_t longlong_t; /* ANSI long long type */ + typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */ +@@ -54,7 +56,6 @@ typedef u_quad_t u_longlong_t; + */ + #define XDR_FALSE ((long) 0) + #define XDR_TRUE ((long) 1) +-#define LASTUNSIGNED ((u_int) 0-1) + + /* + * for unit alignment +@@ -630,6 +631,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) + { + char *sp = *cpp; /* sp is the actual string pointer */ + u_int nodesize; ++ bool_t ret, allocated = FALSE; + + /* + * first deal with the length since xdr bytes are counted +@@ -653,6 +655,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) + } + if (sp == NULL) { + *cpp = sp = mem_alloc(nodesize); ++ allocated = TRUE; + } + if (sp == NULL) { + warnx("xdr_bytes: out of memory"); +@@ -661,7 +664,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) + /* FALLTHROUGH */ + + case XDR_ENCODE: +- return (xdr_opaque(xdrs, sp, nodesize)); ++ ret = xdr_opaque(xdrs, sp, nodesize); ++ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) { ++ if (allocated == TRUE) { ++ free(sp); ++ *cpp = NULL; ++ } ++ } ++ return (ret); + + case XDR_FREE: + if (sp != NULL) { +@@ -755,6 +765,7 @@ xdr_string(xdrs, cpp, maxsize) + char *sp = *cpp; /* sp is the actual string pointer */ + u_int size; + u_int nodesize; ++ bool_t ret, allocated = FALSE; + + /* + * first deal with the length since xdr strings are counted-strings +@@ -794,8 +805,10 @@ xdr_string(xdrs, cpp, maxsize) + switch (xdrs->x_op) { + + case XDR_DECODE: +- if (sp == NULL) ++ if (sp == NULL) { + *cpp = sp = mem_alloc(nodesize); ++ allocated = TRUE; ++ } + if (sp == NULL) { + warnx("xdr_string: out of memory"); + return (FALSE); +@@ -804,7 +817,14 @@ xdr_string(xdrs, cpp, maxsize) + /* FALLTHROUGH */ + + case XDR_ENCODE: +- return (xdr_opaque(xdrs, sp, size)); ++ ret = xdr_opaque(xdrs, sp, size); ++ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) { ++ if (allocated == TRUE) { ++ free(sp); ++ *cpp = NULL; ++ } ++ } ++ return (ret); + + case XDR_FREE: + mem_free(sp, nodesize); +@@ -824,7 +844,7 @@ xdr_wrapstring(xdrs, cpp) + XDR *xdrs; + char **cpp; + { +- return xdr_string(xdrs, cpp, LASTUNSIGNED); ++ return xdr_string(xdrs, cpp, RPC_MAXDATASIZE); + } + + /* diff -Nru libtirpc-0.2.5/debian/patches/series libtirpc-0.2.5/debian/patches/series --- libtirpc-0.2.5/debian/patches/series 2016-12-21 23:12:21.000000000 +0100 +++ libtirpc-0.2.5/debian/patches/series 2017-05-05 17:24:41.000000000 +0200 @@ -4,3 +4,4 @@ 06-hurd-client-port.diff 09-autogen.sh.diff 10-CVE-2016-4429.diff +11-CVE-2017-8779.diff
