main/libtirpc: fix CVE-2013-1950

fixes #2034
author: Natanael Copa <ncopa@alpinelinux.org> 2013-06-03 13:41:48 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-06-03 13:41:48 +0000
commit: 473d40bbb88f98d74f074adb5a1a05e5c168aac2 (patch)
tree: 7c9ab4b707cd15c07e72796b361efc5ad817142a
parent: b2d7566437b898c68bec55b901e110c89f34e6dd (diff)
download: alpine_aports-473d40bbb88f98d74f074adb5a1a05e5c168aac2.tar.bz2
alpine_aports-473d40bbb88f98d74f074adb5a1a05e5c168aac2.tar.xz
alpine_aports-473d40bbb88f98d74f074adb5a1a05e5c168aac2.zip
2 files changed, 47 insertions, 5 deletions
diff --git a/main/libtirpc/APKBUILD b/main/libtirpc/APKBUILD
index 029d7d33de..5feacaa564 100644
--- a/main/libtirpc/APKBUILD
+++ b/main/libtirpc/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libtirpc
 pkgver=0.2.3
-pkgrel=0
+pkgrel=1
 pkgdesc="Transport Independent RPC library (SunRPC replacement)"
 url="http://libtirpc.sourceforge.net/"
 arch="all"
@@ -14,7 +14,9 @@ source="http://downloads.sourceforge.net/sourceforge/$pkgname/$pkgname-$pkgver.t
        nis.h
        gssglue.patch
        libtirpc-no-des.patch
-        automake.patch"
+        automake.patch
+        CVE-2013-1950.patch
+        "
 prepare() {
        cd "$srcdir"/$pkgname-$pkgver
@@ -52,14 +54,17 @@ md5sums="b70e6c12a369a91e69fcc3b9feb23d61  libtirpc-0.2.3.tar.bz2
 082dff1bc78bdcbac6d305c1534fe3c0  nis.h
 7c50e2381f103cc9b84a86fad9b8eac5  gssglue.patch
 80e8f54aab0f5bed37e58ad79fe4ff2b  libtirpc-no-des.patch
-5cac96c765922f33de61a215aa264a7f  automake.patch"
+5cac96c765922f33de61a215aa264a7f  automake.patch
+ee3685a9c3168c0585580023ed01b43b  CVE-2013-1950.patch"
 sha256sums="4f29ea0491b4ca4c29f95f3c34191b857757873bbbf4b069f9dd4da01a6a923c  libtirpc-0.2.3.tar.bz2
 7149d53da167168cbad9e75cbab302768f659e59e208763b1bf5df2a6ff3bfdb  nis.h
 02658756777563dccb3904a00e87fa562eddeab0fe15ef0c6c21893b2d8619aa  gssglue.patch
 5b7c8f6d19f17541902dfd1b1132f2b07e4cc0987152d4e8007243e776d4d47f  libtirpc-no-des.patch
-6188b7236b1f9088ad09749eed6407bd7b75fe37d1569a19977f44d15ec6a10c  automake.patch"
+6188b7236b1f9088ad09749eed6407bd7b75fe37d1569a19977f44d15ec6a10c  automake.patch
+76024a88dc30c7486cad46834eee8f4682fd29a4b18f7b8763cad8c1b415dfe6  CVE-2013-1950.patch"
 sha512sums="dd480fcb6feda4a2bba7e5a5dc9b1f523697a39ddaa44a5742405f66d202996d99a562a31dbf6daf06e9b7ce5d82dfd1cce7b76a34466b92f84176e77498163d  libtirpc-0.2.3.tar.bz2
 15edac1e30cc1aa65ca495bae14c6c7455d65ca539b7e5c865c3fbd5a51c76966b37dd34e9a6483aadcaea3602aefb0b48cdb46f877dae1c65dfa6840dfd8c54  nis.h
 3dd3d4a082b1b9bb82c358a5b74e6c5f23fdd522ea2875fc27a7b1035e04b14aeec30db08aa3ce5c0168df325e540799bf6f55c3a67226e05cf52de11968ad86  gssglue.patch
 9a984a7741deb943f92cd8a9f23d1a0e09a01e91aa88268456ccbb7998b24f50ad431e26400def3a8ba9d6cd345e5abccf5acf9c59708ce8f0653275c2ea5d61  libtirpc-no-des.patch
-dcbc55ed5551703799e6a690e65dbdbd9cc0293c0392a1a3c2d52bc9e91e8b0e18b89fa146f78fea8476c04409b766b6cdbde38a5f226d32043987ca1471634c  automake.patch"
+dcbc55ed5551703799e6a690e65dbdbd9cc0293c0392a1a3c2d52bc9e91e8b0e18b89fa146f78fea8476c04409b766b6cdbde38a5f226d32043987ca1471634c  automake.patch
+43813e1d2b8cf3107c3144f742c8de6833dd2462b43c94f6d8444b90eb6671f2fe1329f533eee1e7ce1cd507d3c5962a47793e1354107da18340faf34d2b1644  CVE-2013-1950.patch"
diff --git a/main/libtirpc/CVE-2013-1950.patch b/main/libtirpc/CVE-2013-1950.patch
new file mode 100644
index 0000000000..e61be9e265
--- /dev/null
+++ b/main/libtirpc/CVE-2013-1950.patch
@@ -0,0 +1,37 @@
+From a9f437119d79a438cb12e510f3cadd4060102c9f Mon Sep 17 00:00:00 2001
+From: Steve Dickson <steved@redhat.com>
+Date: Thu, 18 Apr 2013 14:29:58 -0400
+Subject: [PATCH] svc_getargs(): Should not be freeing arg pointers on failures
+commit 82cc2e61 (SVCAUTH_WRAP/SVCAUTH_UNWRAP) introduce a regression
+that causes callers of svc_getargs() to crash when svc_freeargs() frees
+args points that are allocated on the stack.
+svc_getargs() should let the callers do the freeing and not make any
+assumptions on the type of memory passed in.
+Also see:
+    https://bugzilla.redhat.com/show_bug.cgi?id=948378
+and
+    CVE-2013-1950 EMBARGOED rpcbind: invalid pointer free leads to crash
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/svc_dg.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/src/svc_dg.c b/src/svc_dg.c
+index b1ac462..6e00191 100644
+--- a/src/svc_dg.c
+++ b/src/svc_dg.c
+@@ -284,7 +284,6 @@ svc_dg_getargs(xprt, xdr_args, args_ptr)
+ {
+        if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs),
+                             xdr_args, args_ptr)) {
+-               (void)svc_freeargs(xprt, xdr_args, args_ptr);
+                return FALSE;
+        }
+        return TRUE;
+-- 
+1.8.1.4
author	Natanael Copa <ncopa@alpinelinux.org>	2013-06-03 13:41:48 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-06-03 13:41:48 +0000
commit	473d40bbb88f98d74f074adb5a1a05e5c168aac2 (patch)
tree	7c9ab4b707cd15c07e72796b361efc5ad817142a
parent	b2d7566437b898c68bec55b901e110c89f34e6dd (diff)
download	alpine_aports-473d40bbb88f98d74f074adb5a1a05e5c168aac2.tar.bz2 alpine_aports-473d40bbb88f98d74f074adb5a1a05e5c168aac2.tar.xz alpine_aports-473d40bbb88f98d74f074adb5a1a05e5c168aac2.zip

diff --git a/main/libtirpc/APKBUILD b/main/libtirpc/APKBUILD index 029d7d33de..5feacaa564 100644 --- a/main/libtirpc/APKBUILD +++ b/main/libtirpc/APKBUILD
@@ -1,7 +1,7 @@
1	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>	1	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
2	pkgname=libtirpc	2	pkgname=libtirpc
3	pkgver=0.2.3	3	pkgver=0.2.3
4	pkgrel=0	4	pkgrel=1
5	pkgdesc="Transport Independent RPC library (SunRPC replacement)"	5	pkgdesc="Transport Independent RPC library (SunRPC replacement)"
6	url="http://libtirpc.sourceforge.net/"	6	url="http://libtirpc.sourceforge.net/"
7	arch="all"	7	arch="all"
@@ -14,7 +14,9 @@ source="http://downloads.sourceforge.net/sourceforge/$pkgname/$pkgname-$pkgver.t
14	nis.h	14	nis.h
15	gssglue.patch	15	gssglue.patch
16	libtirpc-no-des.patch	16	libtirpc-no-des.patch
17	automake.patch"	17	automake.patch
		18	CVE-2013-1950.patch
		19	"
18		20
19	prepare() {	21	prepare() {
20	cd "$srcdir"/$pkgname-$pkgver	22	cd "$srcdir"/$pkgname-$pkgver
@@ -52,14 +54,17 @@ md5sums="b70e6c12a369a91e69fcc3b9feb23d61 libtirpc-0.2.3.tar.bz2
52	082dff1bc78bdcbac6d305c1534fe3c0 nis.h	54	082dff1bc78bdcbac6d305c1534fe3c0 nis.h
53	7c50e2381f103cc9b84a86fad9b8eac5 gssglue.patch	55	7c50e2381f103cc9b84a86fad9b8eac5 gssglue.patch
54	80e8f54aab0f5bed37e58ad79fe4ff2b libtirpc-no-des.patch	56	80e8f54aab0f5bed37e58ad79fe4ff2b libtirpc-no-des.patch
55	5cac96c765922f33de61a215aa264a7f automake.patch"	57	5cac96c765922f33de61a215aa264a7f automake.patch
		58	ee3685a9c3168c0585580023ed01b43b CVE-2013-1950.patch"
56	sha256sums="4f29ea0491b4ca4c29f95f3c34191b857757873bbbf4b069f9dd4da01a6a923c libtirpc-0.2.3.tar.bz2	59	sha256sums="4f29ea0491b4ca4c29f95f3c34191b857757873bbbf4b069f9dd4da01a6a923c libtirpc-0.2.3.tar.bz2
57	7149d53da167168cbad9e75cbab302768f659e59e208763b1bf5df2a6ff3bfdb nis.h	60	7149d53da167168cbad9e75cbab302768f659e59e208763b1bf5df2a6ff3bfdb nis.h
58	02658756777563dccb3904a00e87fa562eddeab0fe15ef0c6c21893b2d8619aa gssglue.patch	61	02658756777563dccb3904a00e87fa562eddeab0fe15ef0c6c21893b2d8619aa gssglue.patch
59	5b7c8f6d19f17541902dfd1b1132f2b07e4cc0987152d4e8007243e776d4d47f libtirpc-no-des.patch	62	5b7c8f6d19f17541902dfd1b1132f2b07e4cc0987152d4e8007243e776d4d47f libtirpc-no-des.patch
60	6188b7236b1f9088ad09749eed6407bd7b75fe37d1569a19977f44d15ec6a10c automake.patch"	63	6188b7236b1f9088ad09749eed6407bd7b75fe37d1569a19977f44d15ec6a10c automake.patch
		64	76024a88dc30c7486cad46834eee8f4682fd29a4b18f7b8763cad8c1b415dfe6 CVE-2013-1950.patch"
61	sha512sums="dd480fcb6feda4a2bba7e5a5dc9b1f523697a39ddaa44a5742405f66d202996d99a562a31dbf6daf06e9b7ce5d82dfd1cce7b76a34466b92f84176e77498163d libtirpc-0.2.3.tar.bz2	65	sha512sums="dd480fcb6feda4a2bba7e5a5dc9b1f523697a39ddaa44a5742405f66d202996d99a562a31dbf6daf06e9b7ce5d82dfd1cce7b76a34466b92f84176e77498163d libtirpc-0.2.3.tar.bz2
62	15edac1e30cc1aa65ca495bae14c6c7455d65ca539b7e5c865c3fbd5a51c76966b37dd34e9a6483aadcaea3602aefb0b48cdb46f877dae1c65dfa6840dfd8c54 nis.h	66	15edac1e30cc1aa65ca495bae14c6c7455d65ca539b7e5c865c3fbd5a51c76966b37dd34e9a6483aadcaea3602aefb0b48cdb46f877dae1c65dfa6840dfd8c54 nis.h
63	3dd3d4a082b1b9bb82c358a5b74e6c5f23fdd522ea2875fc27a7b1035e04b14aeec30db08aa3ce5c0168df325e540799bf6f55c3a67226e05cf52de11968ad86 gssglue.patch	67	3dd3d4a082b1b9bb82c358a5b74e6c5f23fdd522ea2875fc27a7b1035e04b14aeec30db08aa3ce5c0168df325e540799bf6f55c3a67226e05cf52de11968ad86 gssglue.patch
64	9a984a7741deb943f92cd8a9f23d1a0e09a01e91aa88268456ccbb7998b24f50ad431e26400def3a8ba9d6cd345e5abccf5acf9c59708ce8f0653275c2ea5d61 libtirpc-no-des.patch	68	9a984a7741deb943f92cd8a9f23d1a0e09a01e91aa88268456ccbb7998b24f50ad431e26400def3a8ba9d6cd345e5abccf5acf9c59708ce8f0653275c2ea5d61 libtirpc-no-des.patch
65	dcbc55ed5551703799e6a690e65dbdbd9cc0293c0392a1a3c2d52bc9e91e8b0e18b89fa146f78fea8476c04409b766b6cdbde38a5f226d32043987ca1471634c automake.patch"	69	dcbc55ed5551703799e6a690e65dbdbd9cc0293c0392a1a3c2d52bc9e91e8b0e18b89fa146f78fea8476c04409b766b6cdbde38a5f226d32043987ca1471634c automake.patch
		70	43813e1d2b8cf3107c3144f742c8de6833dd2462b43c94f6d8444b90eb6671f2fe1329f533eee1e7ce1cd507d3c5962a47793e1354107da18340faf34d2b1644 CVE-2013-1950.patch"


diff --git a/main/libtirpc/CVE-2013-1950.patch b/main/libtirpc/CVE-2013-1950.patch new file mode 100644 index 0000000000..e61be9e265 --- /dev/null +++ b/main/libtirpc/CVE-2013-1950.patch
@@ -0,0 +1,37 @@
		1	From a9f437119d79a438cb12e510f3cadd4060102c9f Mon Sep 17 00:00:00 2001
		2	From: Steve Dickson <steved@redhat.com>
		3	Date: Thu, 18 Apr 2013 14:29:58 -0400
		4	Subject: [PATCH] svc_getargs(): Should not be freeing arg pointers on failures
		5
		6	commit 82cc2e61 (SVCAUTH_WRAP/SVCAUTH_UNWRAP) introduce a regression
		7	that causes callers of svc_getargs() to crash when svc_freeargs() frees
		8	args points that are allocated on the stack.
		9
		10	svc_getargs() should let the callers do the freeing and not make any
		11	assumptions on the type of memory passed in.
		12
		13	Also see:
		14	https://bugzilla.redhat.com/show_bug.cgi?id=948378
		15	and
		16	CVE-2013-1950 EMBARGOED rpcbind: invalid pointer free leads to crash
		17
		18	Signed-off-by: Steve Dickson <steved@redhat.com>
		19	---
		20	src/svc_dg.c \| 1 -
		21	1 file changed, 1 deletion(-)
		22
		23	diff --git a/src/svc_dg.c b/src/svc_dg.c
		24	index b1ac462..6e00191 100644
		25	--- a/src/svc_dg.c
		26	+++ b/src/svc_dg.c
		27	@@ -284,7 +284,6 @@ svc_dg_getargs(xprt, xdr_args, args_ptr)
		28	{
		29	if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs),
		30	xdr_args, args_ptr)) {
		31	- (void)svc_freeargs(xprt, xdr_args, args_ptr);
		32	return FALSE;
		33	}
		34	return TRUE;
		35	--
		36	1.8.1.4
		37