First published: Thu Apr 04 2013
The Nessus plugin for Sun RPC XDR xdrmem_getbytes Function Remote Overflow [1] causes rpcbind to crash due to freeing an invalid pointer.

```
*** glibc detected *** /sbin/rpcbind: free(): invalid pointer: 0xbf7f494c ***
poll returned read fds < 6 >
======= Backtrace: =========
/lib/libc.so.6(-0xff84c1cf)[0x240e31]
/lib/libtirpc.so.1(xdr_bytes+0x9f)[0xb3ca9f]
/sbin/rpcbind(+0x5714)[0x631714]
/lib/libtirpc.so.1(+0x14ea4)[0xb36ea4]
/lib/libtirpc.so.1(+0x14e6e)[0xb36e6e]
/sbin/rpcbind(+0x591e)[0x63191e]
/sbin/rpcbind(pmap_service+0x174)[0x6344e4]
/lib/libtirpc.so.1(svc_getreq_common+0x2ae)[0xb3600e]
/lib/libtirpc.so.1(svc_getreq_poll+0x8f)[0xb360bf]
/sbin/rpcbind(+0x509b)[0x63109b]
/sbin/rpcbind(main+0x4dc)[0x62fd3c]
/lib/libc.so.6(__libc_start_main+0xe6)[0x1e6ce6]
/sbin/rpcbind(+0x21c1)[0x62e1c1]
======= Memory map: ========
001d0000-00360000 r-xp 00000000 08:03 131950 /lib/libc-2.12.so
00360000-00361000 ---p 00190000 08:03 131950 /lib/libc-2.12.so
00361000-00363000 r--p 00190000 08:03 131950 /lib/libc-2.12.so
00363000-00364000 rw-p 00192000 08:03 131950 /lib/libc-2.12.so
00364000-00367000 rw-p 00000000 00:00 0
0056e000-00585000 r-xp 00000000 08:03 137050 /lib/libnsl-2.12.so
00585000-00586000 r--p 00016000 08:03 137050 /lib/libnsl-2.12.so
00586000-00587000 rw-p 00017000 08:03 137050 /lib/libnsl-2.12.so
00587000-00589000 rw-p 00000000 00:00 0
0062c000-00639000 r-xp 00000000 08:03 394181 /sbin/rpcbind
00639000-0063a000 rw-p 0000d000 08:03 394181 /sbin/rpcbind
00688000-00690000 r-xp 00000000 08:03 137055 /lib/libwrap.so.0.7.6
00690000-00691000 r--p 00007000 08:03 137055 /lib/libwrap.so.0.7.6
00691000-00692000 rw-p 00008000 08:03 137055 /lib/libwrap.so.0.7.6
0076f000-00786000 r-xp 00000000 08:03 131977 /lib/libpthread-2.12.so
00786000-00787000 r--p 00016000 08:03 131977 /lib/libpthread-2.12.so
00787000-00788000 rw-p 00017000 08:03 131977 /lib/libpthread-2.12.so
00788000-0078a000 rw-p 00000000 00:00 0
008bb000-008bc000 r-xp 00000000 00:00 0 [vdso]
008ef000-008fb000 r-xp 00000000 08:03 137169 /lib/libnss_files-2.12.so
008fb000-008fc000 r--p 0000b000 08:03 137169 /lib/libnss_files-2.12.so
008fc000-008fd000 rw-p 0000c000 08:03 137169 /lib/libnss_files-2.12.so
0099f000-009bd000 r-xp 00000000 08:03 131584 /lib/ld-2.12.so
009bd000-009be000 r--p 0001d000 08:03 131584 /lib/ld-2.12.so
009be000-009bf000 rw-p 0001e000 08:03 131584 /lib/ld-2.12.so
009d6000-009de000 r-xp 00000000 08:03 136753 /lib/libgssglue.so.1.0.0
009de000-009df000 rw-p 00007000 08:03 136753 /lib/libgssglue.so.1.0.0
00ad9000-00af6000 r-xp 00000000 08:03 136736 /lib/libgcc_s-4.4.7-20120601.so.1
00af6000-00af7000 rw-p 0001d000 08:03 136736 /lib/libgcc_s-4.4.7-20120601.so.1
00b22000-00b48000 r-xp 00000000 08:03 131852 /lib/libtirpc.so.1.0.10
00b48000-00b49000 rw-p 00026000 08:03 131852 /lib/libtirpc.so.1.0.10
00e35000-00e38000 r-xp 00000000 08:03 132420 /lib/libdl-2.12.so
00e38000-00e39000 r--p 00002000 08:03 132420 /lib/libdl-2.12.so
00e39000-00e3a000 rw-p 00003000 08:03 132420 /lib/libdl-2.12.so
014aa000-014cb000 rw-p 00000000 00:00 0 [heap]
b770f000-b7712000 rw-p 00000000 00:00 0
b772d000-b7730000 rw-p 00000000 00:00 0
bf7e3000-bf808000 rw-p 00000000 00:00 0 [stack]
```

rpcbind debugging enabled.

This is not the same flaw as <a href="https://access.redhat.com/security/cve/CVE-2003-0028">CVE-2003-0028</a> (what the plugin was written for). The above was observed on a Red Hat Enterprise Linux 6 host.

[1] <a href="http://www.tenable.com/plugins/index.php?view=single&id=11420">http://www.tenable.com/plugins/index.php?view=single&id=11420</a>
Credit: secalert@redhat.com
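A triage helper for glibc abort reports like the one in this advisory, added here as an example (it is not code from the original report, libtirpc or rpcbind). It pulls out the freed pointer and the first frame outside libc, then checks which mapping the pointer falls in; the `triage` function and its field names are hypothetical, and the embedded report is an excerpt of the output quoted on this page.

```python
import re

# Excerpt of the abort report quoted on this page: a few backtrace frames and
# three memory-map entries (one library mapping plus [heap] and [stack]).
REPORT = """\
*** glibc detected *** /sbin/rpcbind: free(): invalid pointer: 0xbf7f494c ***
======= Backtrace: =========
/lib/libc.so.6(-0xff84c1cf)[0x240e31]
/lib/libtirpc.so.1(xdr_bytes+0x9f)[0xb3ca9f]
/sbin/rpcbind(+0x5714)[0x631714]
/sbin/rpcbind(pmap_service+0x174)[0x6344e4]
======= Memory map: ========
00b22000-00b48000 r-xp 00000000 08:03 131852 /lib/libtirpc.so.1.0.10
014aa000-014cb000 rw-p 00000000 00:00 0 [heap]
bf7e3000-bf808000 rw-p 00000000 00:00 0 [stack]
"""

HEADER = re.compile(r"\*\*\* glibc detected \*\*\* (\S+): (.+?): (0x[0-9a-f]+) \*\*\*")
FRAME = re.compile(r"^(\S+)\(([^)]*)\)\[(0x[0-9a-f]+)\]$")
MAPPING = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) \S+ \S+ \S+ \d+\s*(.*)$")

def triage(report):
    """Summarise a glibc abort report: who crashed, where, and what was freed."""
    head = HEADER.search(report)
    if head is None:
        raise ValueError("not a glibc abort report")
    program, error, ptr = head.group(1), head.group(2), int(head.group(3), 16)
    frames, region = [], "unmapped"
    for line in report.splitlines():
        line = line.strip()
        if (m := FRAME.match(line)):
            frames.append((m.group(1), m.group(2)))      # (object, symbol+offset)
        elif (m := MAPPING.match(line)):
            lo, hi = int(m.group(1), 16), int(m.group(2), 16)
            if lo <= ptr < hi:                           # mapping containing ptr
                region = m.group(3) or "anonymous"
    # The first frame outside libc is the code that handed the pointer to free().
    caller = next((f for f in frames if "/libc.so" not in f[0]), None)
    return {"program": program, "error": error, "pointer": hex(ptr),
            "pointer_region": region, "caller": caller,
            # An address inside [stack] can never be a malloc() chunk.
            "freed_stack_memory": region == "[stack]"}

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Run against this report, it shows that the pointer passed to free() from `xdr_bytes` lies inside the `[stack]` mapping rather than the heap.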
Affected Software | Affected Version | How to fix |
---|---|---|
Libtirpc Project Libtirpc | <=0.2.3 | |
Libtirpc Project Libtirpc | =0.1.8 | |
Libtirpc Project Libtirpc | =0.1.9 | |
Libtirpc Project Libtirpc | =0.1.10 | |
Libtirpc Project Libtirpc | =0.1.11 | |
Libtirpc Project Libtirpc | =0.2.0 | |
Libtirpc Project Libtirpc | =0.2.1 | |
Libtirpc Project Libtirpc | =0.2.2 | |