main/rpcbind: upgrade to 1.2.5

2026-01-16 22:22:12 +01:00 · 2019-03-21 23:13:18 +01:00 · 2019-03-21 23:13:18 +01:00 · bdaa9eb015
commit bdaa9eb015
parent 1996bb4083
5 changed files with 76 additions and 353 deletions
--- a/main/rpcbind/0001-rpcinfo-Fix-stack-buffer-overflow.patch
+++ b/main/rpcbind/0001-rpcinfo-Fix-stack-buffer-overflow.patch
@ -0,0 +1,69 @@
+From 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0 Mon Sep 17 00:00:00 2001
+From: Steve Dickson <steved@redhat.com>
+Date: Tue, 9 Oct 2018 09:19:50 -0400
+Subject: [PATCH] rpcinfo: Fix stack buffer overflow
+
+*** buffer overflow detected ***: rpcinfo terminated
+======= Backtrace: =========
+/lib64/libc.so.6(+0x721af)[0x7ff24c4451af]
+/lib64/libc.so.6(__fortify_fail+0x37)[0x7ff24c4ccdc7]
+/lib64/libc.so.6(+0xf8050)[0x7ff24c4cb050]
+rpcinfo(+0x435f)[0xef3be2635f]
+rpcinfo(+0x1c62)[0xef3be23c62]
+/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ff24c3f36e5]
+rpcinfo(+0x2739)[0xef3be24739]
+======= Memory map: ========
+...
+The patch below fixes it.
+
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Thomas Blume <thomas.blume@suse.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/rpcinfo.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/src/rpcinfo.c b/src/rpcinfo.c
+index 9b46864..cfdba88 100644
+--- a/src/rpcinfo.c
+++ b/src/rpcinfo.c
+@@ -973,6 +973,7 @@ rpcbdump (dumptype, netid, argc, argv)
+ 	("   program version(s) netid(s)                         service     owner\n");
+       for (rs = rs_head; rs; rs = rs->next)
+ 	{
+	  size_t netidmax = sizeof(buf) - 1;
+ 	  char *p = buf;
+ 
+ 	  printf ("%10ld  ", rs->prog);
+@@ -985,12 +986,22 @@ rpcbdump (dumptype, netid, argc, argv)
+ 	    }
+ 	  printf ("%-10s", buf);
+ 	  buf[0] = '\0';
+-	  for (nl = rs->nlist; nl; nl = nl->next)
+-	    {
+-	      strcat (buf, nl->netid);
+-	      if (nl->next)
+-		strcat (buf, ",");
+-	    }
+
+          for (nl = rs->nlist; nl; nl = nl->next)
+            {
+              strncat (buf, nl->netid, netidmax);
+              if (strlen (nl->netid) < netidmax)
+                netidmax -= strlen(nl->netid);
+              else
+                break;
+
+              if (nl->next && netidmax > 1)
+                {
+                  strncat (buf, ",", netidmax);
+                  netidmax --;
+                }
+            }
+
+ 	  printf ("%-32s", buf);
+ 	  rpc = getrpcbynumber (rs->prog);
+ 	  if (rpc)
+-- 
+2.21.0
+
--- a/main/rpcbind/APKBUILD
+++ b/main/rpcbind/APKBUILD
@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=rpcbind
-pkgver=0.2.4
-pkgrel=1
+pkgver=1.2.5
+pkgrel=0
 pkgdesc="portmap replacement which supports RPC over various protocols"
 url="http://rpcbind.sourceforge.net"
 arch="all"
@ -10,11 +10,9 @@ license="BSD-3-Clause"
 depends=
 install="$pkgname.pre-install $pkgname.pre-upgrade"
 makedepends="libtirpc-dev autoconf automake bsd-compat-headers"
-subpackages="$pkgname-dbg $pkgname-doc"
+subpackages="$pkgname-dbg $pkgname-doc $pkgname-openrc"
 source="https://downloads.sourceforge.net/project/rpcbind/rpcbind/$pkgver/rpcbind-$pkgver.tar.bz2
-	CVE-2017-8779.patch
-	pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch
-	rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
+	0001-rpcinfo-Fix-stack-buffer-overflow.patch
 	rpcbind.initd
 	rpcbind.confd
 	"
@ -39,6 +37,7 @@ build() {
 		--host=$CHOST \
 		--prefix=/usr \
 		--bindir=/sbin \
+		--sbindir=/sbin \
 		--enable-warmstarts \
 		--with-statedir=/var/lib/rpcbind \
 		--with-rpcuser=rpc \
@ -54,9 +53,7 @@ package() {
 	install -Dm644 "$srcdir"/rpcbind.confd "$pkgdir"/etc/conf.d/rpcbind
 	install -D -m644 COPYING "$pkgdir"/usr/share/licenses/rpcbind/COPYING
 }
-sha512sums="f3966a7284e94bdf120a9b3f0dd66efa1fe8761df2313545a031f77b7c06e27d7955d2780469943deb537d34f95c4cf3f30de523ec9fab9f571322d7224b210c  rpcbind-0.2.4.tar.bz2
-cc3b7d72299279f6c7e7ce0329d29a8bc0c44a9e99c241cbbe8f34eba71ca16da7e87683a66e36565422dde9a3b03be8d6e345264495c6e2070f97116da32244  CVE-2017-8779.patch
-1ecce48807b276381ff3199916e0b85880b948086e7891aa35df8a10f9188641253572c330e5fee35afa69c5ce3965ebead14fbe8ef20c49a4e9047345e63c5e  pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch
-a0125bd24a533366d7fcaed68e6671df65e3e39a4b18be2265f987602944d358666edef954f8707d24453331f7e96341739e5346bc1b233380c618b34a4014e2  rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
+sha512sums="e884c4757950ccead0f9a07f50625a63e6f18f9bfae9fcfffa3e5fa4b7a66c3a99d9fa303061848fe8211509d5456f24ff26e4579af6e161a35522268f3ef3e4  rpcbind-1.2.5.tar.bz2
+84289e99b918fd138e6327a39481e74c80581746087d2e7e55d0c0bdbe068875b6136a6296c0d24a1be01d54b38a9d446794a3d08b53e7d884804a2b375519a2  0001-rpcinfo-Fix-stack-buffer-overflow.patch
 1cd655d86226a45fa3e927f8ac2bb580537644d2fb3684e0f4a956bf3721c95d95b8b8c1d9a2a742fb714eeba9277e0400a7493bf1bf676466d70adb2b35a88e  rpcbind.initd
 0641087162ebc8fb10c5cb329105261d77cad073daed3f9a6c92574177298cd8a19a87b62dde14161cc554b5e68680cfd870b5334f3cfd8d6074ec8a43f4dfe3  rpcbind.confd"
--- a/main/rpcbind/CVE-2017-8779.patch
+++ b/main/rpcbind/CVE-2017-8779.patch
@ -1,218 +0,0 @@
-From 7ea36eeece56b59f98e469934e4c20b4da043346 Mon Sep 17 00:00:00 2001
-From: Doran Moppert <dmoppert@redhat.com>
-Date: Thu, 11 May 2017 11:42:54 -0400
-Subject: [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to
- avoid memory leak
-
-This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed
-at [1], [2], [3].  The last link suggests this issue is actually a bug
-in rpcbind, which led me here.
-
-The leak caused by the reproducer at [4] appears to come from
-rpcb_service_4(), in the case where svc_getargs() returns false and the
-function had an early return, rather than passing through the cleanup
-path at done:, as would otherwise occur.
-
-It also addresses a couple of other locations where the same fault seems
-to exist, though I haven't been able to exercise those.  I hope someone
-more intimate with rpc(3) can confirm my understanding is correct, and
-that I haven't introduced any new bugs.
-
-Without this patch, using the reproducer (and variants) repeatedly
-against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof
-rpcbind)/status reports VmSize increase of 976564 kB each call, and
-VmRSS increase of around 260 kB every 33 calls - the specific numbers
-are probably an artifact of my rhel/glibc version.  With the patch,
-there is a small (~50 kB) VmSize increase with the first message, but
-thereafter both VmSize and VmRSS remain steady.
-
-[1]: http://seclists.org/oss-sec/2017/q2/209
-[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124
-[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html
-[4]: https://github.com/guidovranken/rpcbomb/
-
-Signed-off-by: Doran Moppert <dmoppert@redhat.com>
-Signed-off-by: Steve Dickson <steved@redhat.com>
---
- src/pmap_svc.c     | 56 +++++++++++++++++++++++++++++++++++++++++++++---------
- src/rpcb_svc.c     |  2 +-
- src/rpcb_svc_4.c   |  2 +-
- src/rpcb_svc_com.c |  8 ++++++++
- 4 files changed, 57 insertions(+), 11 deletions(-)
-
-diff --git a/src/pmap_svc.c b/src/pmap_svc.c
-index 4c744fe..e926cdc 100644
--- a/src/pmap_svc.c
-+++ b/src/pmap_svc.c
-@@ -175,6 +175,7 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
- 	long ans;
- 	uid_t uid;
- 	char uidbuf[32];
-+	int rc = TRUE;
- 
- 	/*
- 	 * Can't use getpwnam here. We might end up calling ourselves
-@@ -194,7 +195,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
- 
- 	if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
- 		svcerr_decode(xprt);
-		return (FALSE);
-+		rc = FALSE;
-+		goto done;
- 	}
- #ifdef RPCBIND_DEBUG
- 	if (debugging)
-@@ -205,7 +207,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
- 
- 	if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) {
- 		svcerr_weakauth(xprt);
-		return (FALSE);
-+		rc = (FALSE);
-+		goto done;
- 	}
- 
- 	rpcbreg.r_prog = reg.pm_prog;
-@@ -258,7 +261,16 @@ done_change:
- 		rpcbs_set(RPCBVERS_2_STAT, ans);
- 	else
- 		rpcbs_unset(RPCBVERS_2_STAT, ans);
-	return (TRUE);
-+done:
-+	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
-+		if (debugging) {
-+			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
-+			if (doabort) {
-+				rpcbind_abort();
-+			}
-+		}
-+	}
-+	return (rc);
- }
- 
- /* ARGSUSED */
-@@ -272,15 +284,18 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
- #ifdef RPCBIND_DEBUG
- 	char *uaddr;
- #endif
-+	int rc = TRUE;
- 
- 	if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
- 		svcerr_decode(xprt);
-		return (FALSE);
-+		rc = FALSE;
-+		goto done;
- 	}
- 
- 	if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) {
- 		svcerr_weakauth(xprt);
-		return FALSE;
-+		rc = FALSE;
-+		goto done;
- 	}
- 
- #ifdef RPCBIND_DEBUG
-@@ -330,21 +345,34 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
- 		pmap_ipprot2netid(reg.pm_prot) ?: "<unknown>",
- 		port ? udptrans : "");
- 
-	return (TRUE);
-+done:
-+	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
-+		if (debugging) {
-+			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
-+			if (doabort) {
-+				rpcbind_abort();
-+			}
-+		}
-+	}
-+	return (rc);
- }
- 
- /* ARGSUSED */
- static bool_t
- pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
- {
-+	int rc = TRUE;
-+
- 	if (!svc_getargs(xprt, (xdrproc_t)xdr_void, NULL)) {
- 		svcerr_decode(xprt);
-		return (FALSE);
-+		rc = FALSE;
-+		goto done;
- 	}
- 
- 	if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) {
- 		svcerr_weakauth(xprt);
-		return FALSE;
-+		rc = FALSE;
-+		goto done;
- 	}
- 	
- 	if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist_ptr,
-@@ -354,7 +382,17 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
- 			rpcbind_abort();
- 		}
- 	}
-	return (TRUE);
-+
-+done:
-+	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
-+		if (debugging) {
-+			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
-+			if (doabort) {
-+				rpcbind_abort();
-+			}
-+		}
-+	}
-+	return (rc);
- }
- 
- int pmap_netid2ipprot(const char *netid)
-diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c
-index 709e3fb..091f530 100644
--- a/src/rpcb_svc.c
-+++ b/src/rpcb_svc.c
-@@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp)
- 		svcerr_decode(transp);
- 		if (debugging)
- 			(void) xlog(LOG_DEBUG, "rpcbind: could not decode");
-		return;
-+		goto done;
- 	}
- 
- 	if (rqstp->rq_proc == RPCBPROC_SET
-diff --git a/src/rpcb_svc_4.c b/src/rpcb_svc_4.c
-index 5094879..eebbbbe 100644
--- a/src/rpcb_svc_4.c
-+++ b/src/rpcb_svc_4.c
-@@ -218,7 +218,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp)
- 		svcerr_decode(transp);
- 		if (debugging)
- 			(void) xlog(LOG_DEBUG, "rpcbind: could not decode\n");
-		return;
-+		goto done;
- 	}
- 
- 	if (rqstp->rq_proc == RPCBPROC_SET
-diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
-index 5862c26..cb63afd 100644
--- a/src/rpcb_svc_com.c
-+++ b/src/rpcb_svc_com.c
-@@ -927,6 +927,14 @@ error:
- 	if (call_msg.rm_xid != 0)
- 		(void) free_slot_by_xid(call_msg.rm_xid);
- out:
-+	if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
-+		if (debugging) {
-+			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
-+			if (doabort) {
-+				rpcbind_abort();
-+			}
-+		}
-+	}
- 	if (local_uaddr)
- 		free(local_uaddr);
- 	if (buf_alloc)
-- 
-1.8.3.1
-
--- a/main/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch
+++ b/main/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch
@ -1,29 +0,0 @@
-From c49a7ea639eb700823e174fd605bbbe183e229aa Mon Sep 17 00:00:00 2001
-From: Steve Dickson <steved@redhat.com>
-Date: Wed, 17 May 2017 10:52:25 -0400
-Subject: [PATCH] pmapproc_dump: Fixed typo in memory leak patch
-
-commit 7ea36eee introduce a typo that caused
-NIS (aka ypbind) to fail.
-
-Signed-off-by: Steve Dickson <steved@redhat.com>
---
- src/pmap_svc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/pmap_svc.c b/src/pmap_svc.c
-index e926cdc..26c31d0 100644
--- a/src/pmap_svc.c
-+++ b/src/pmap_svc.c
-@@ -384,7 +384,7 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
- 	}
- 
- done:
-	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
-+	if (!svc_freeargs(xprt, (xdrproc_t) xdr_void, (char *)NULL)) {
- 		if (debugging) {
- 			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
- 			if (doabort) {
-- 
-1.8.3.1
-
--- a/main/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
+++ b/main/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
@ -1,96 +0,0 @@
-From 7c7590ad536c0e24bef790cb1e65702fc54db566 Mon Sep 17 00:00:00 2001
-From: Steve Dickson <steved@redhat.com>
-Date: Tue, 30 May 2017 11:27:22 -0400
-Subject: [PATCH] rpcbproc_callit_com: Stop freeing a static pointer
-
-commit 7ea36ee introduced a svc_freeargs() call
-that ended up freeing static pointer.
-
-It turns out the allocations for the rmt_args
-is not necessary . The xdr routines (xdr_bytes) will
-handle the memory management and the largest
-possible message size is UDPMSGSIZE (due to UDP only)
-which is smaller than RPC_BUF_MAX
-
-Signed-off-by: Steve Dickson <steved@redhat.com>
---
- src/rpcb_svc_com.c | 39 ++++++---------------------------------
- 1 file changed, 6 insertions(+), 33 deletions(-)
-
-diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
-index cb63afd..1fc2229 100644
--- a/src/rpcb_svc_com.c
-+++ b/src/rpcb_svc_com.c
-@@ -612,9 +612,9 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
- 	struct netconfig *nconf;
- 	struct netbuf *caller;
- 	struct r_rmtcall_args a;
-	char *buf_alloc = NULL, *outbufp;
-+	char *outbufp;
- 	char *outbuf_alloc = NULL;
-	char buf[RPC_BUF_MAX], outbuf[RPC_BUF_MAX];
-+	char  outbuf[RPC_BUF_MAX];
- 	struct netbuf *na = (struct netbuf *) NULL;
- 	struct rpc_msg call_msg;
- 	int outlen;
-@@ -635,36 +635,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
- 	}
- 	if (si.si_socktype != SOCK_DGRAM)
- 		return;	/* Only datagram type accepted */
-	sendsz = __rpc_get_t_size(si.si_af, si.si_proto, UDPMSGSIZE);
-	if (sendsz == 0) {	/* data transfer not supported */
-		if (reply_type == RPCBPROC_INDIRECT)
-			svcerr_systemerr(transp);
-		return;
-	}
-	/*
-	 * Should be multiple of 4 for XDR.
-	 */
-	sendsz = ((sendsz + 3) / 4) * 4;
-	if (sendsz > RPC_BUF_MAX) {
-#ifdef	notyet
-		buf_alloc = alloca(sendsz);		/* not in IDR2? */
-#else
-		buf_alloc = malloc(sendsz);
-#endif	/* notyet */
-		if (buf_alloc == NULL) {
-			if (debugging)
-				xlog(LOG_DEBUG,
-					"rpcbproc_callit_com:  No Memory!\n");
-			if (reply_type == RPCBPROC_INDIRECT)
-				svcerr_systemerr(transp);
-			return;
-		}
-		a.rmt_args.args = buf_alloc;
-	} else {
-		a.rmt_args.args = buf;
-	}
-+	sendsz = UDPMSGSIZE;
- 
- 	call_msg.rm_xid = 0;	/* For error checking purposes */
-+	memset(&a, 0, sizeof(a)); /* Zero out the input buffer */
- 	if (!svc_getargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
- 		if (reply_type == RPCBPROC_INDIRECT)
- 			svcerr_decode(transp);
-@@ -704,7 +678,8 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
- 	if (rbl == (rpcblist_ptr)NULL) {
- #ifdef RPCBIND_DEBUG
- 		if (debugging)
-			xlog(LOG_DEBUG, "not found\n");
-+			xlog(LOG_DEBUG, "prog %lu vers %lu: not found\n", 
-+				a.rmt_prog, a.rmt_vers);
- #endif
- 		if (reply_type == RPCBPROC_INDIRECT)
- 			svcerr_noprog(transp);
-@@ -937,8 +912,6 @@ out:
- 	}
- 	if (local_uaddr)
- 		free(local_uaddr);
-	if (buf_alloc)
-		free(buf_alloc);
- 	if (outbuf_alloc)
- 		free(outbuf_alloc);
- 	if (na) {
-- 
-1.8.3.1
-