aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorpsykose <alice@ayaya.dev>2022-08-05 10:15:28 +0000
committerpsykose <alice@ayaya.dev>2022-08-05 12:15:28 +0200
commit63c674ed7bba89b234e914fa432faf41c4817dea (patch)
tree63a83d8f8b5c5ce9687e80e67af654b0b6185d5b
parentfa67f5afbd0c993549e35ca41f7cf9d16863a878 (diff)
downloadaports-63c674ed7bba89b234e914fa432faf41c4817dea.tar.gz
aports-63c674ed7bba89b234e914fa432faf41c4817dea.tar.bz2
aports-63c674ed7bba89b234e914fa432faf41c4817dea.tar.xz
main/libtirpc: fix CVE-2021-46828
-rw-r--r--main/libtirpc/APKBUILD10
-rw-r--r--main/libtirpc/CVE-2021-46828.patch181
2 files changed, 189 insertions, 2 deletions
diff --git a/main/libtirpc/APKBUILD b/main/libtirpc/APKBUILD
index e45361f537..5b7a6f9dd6 100644
--- a/main/libtirpc/APKBUILD
+++ b/main/libtirpc/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libtirpc
pkgver=1.3.2
-pkgrel=0
+pkgrel=1
pkgdesc="Transport Independent RPC library (SunRPC replacement)"
url="https://sourceforge.net/projects/libtirpc"
arch="all"
@@ -11,17 +11,22 @@ depends="$pkgname-conf"
depends_dev="krb5-dev bsd-compat-headers"
makedepends="$depends_dev autoconf automake libtool linux-headers"
subpackages="
+ $pkgname-dbg
$pkgname-static
$pkgname-dev
$pkgname-doc
- $pkgname-dbg
$pkgname-conf::noarch
$pkgname-nokrb
"
source="https://sourceforge.net/projects/libtirpc/files/libtirpc/$pkgver/libtirpc-$pkgver.tar.bz2
soname-suffix.patch
+ CVE-2021-46828.patch
"
+# secfixes:
+# 1.3.2-r1:
+# - CVE-2021-46828
+
prepare() {
default_prepare
autoreconf -fi
@@ -66,4 +71,5 @@ nokrb() {
sha512sums="
8664d5c4f842ee5acf83b9c1cadb7871f17b8157a7c4500e2236dcfb3a25768cab39f7c5123758dcd7381e30eb028ddfa26a28f458283f2dcea3426c9878c255 libtirpc-1.3.2.tar.bz2
8bd50cab1e34a88f4f82ae722bdd60839212173a0ac6ceef21dee4dceea37a9fa2953b8a40068918b3c0d95b476111f0d7f19830efd3e4bff1ec5e72a5f9fade soname-suffix.patch
+6dd683c5c83772de71918c3f5e61500e7455bb55d68e4ea55592fc64bb3f42bfc5275f56e835aa61cd21a1a3a8e76d5c2ec68809c404839e5d04f6f86263566d CVE-2021-46828.patch
"
diff --git a/main/libtirpc/CVE-2021-46828.patch b/main/libtirpc/CVE-2021-46828.patch
new file mode 100644
index 0000000000..0021046381
--- /dev/null
+++ b/main/libtirpc/CVE-2021-46828.patch
@@ -0,0 +1,181 @@
+Patch-Source: https://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed
+garbage trimmed
+---
+From 86529758570cef4c73fb9b9c4104fdc510f701ed Mon Sep 17 00:00:00 2001
+From: Dai Ngo <dai.ngo@oracle.com>
+Date: Sat, 21 Aug 2021 13:16:23 -0400
+Subject: [PATCH 1/1] Fix DoS vulnerability in libtirpc
+
+Currently svc_run does not handle poll timeout and rendezvous_request
+does not handle EMFILE error returned from accept(2 as it used to.
+These two missing functionality were removed by commit b2c9430f46c4.
+
+The effect of not handling poll timeout allows idle TCP conections
+to remain ESTABLISHED indefinitely. When the number of connections
+reaches the limit of the open file descriptors (ulimit -n) then
+accept(2) fails with EMFILE. Since there is no handling of EMFILE
+error this causes svc_run() to get in a tight loop calling accept(2).
+This resulting in the RPC service of svc_run is being down, it's
+no longer able to service any requests.
+
+RPC service rpcbind, statd and mountd are effected by this
+problem.
+
+Fix by enhancing rendezvous_request to keep the number of
+SVCXPRT conections to 4/5 of the size of the file descriptor
+table. When this thresold is reached, it destroys the idle
+TCP connections or destroys the least active connection if
+no idle connnction was found.
+
+Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc
+Signed-off-by: dai.ngo@oracle.com
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ INSTALL | 371 +----------------------------------------------------------
+ src/svc.c | 17 ++-
+ src/svc_vc.c | 62 +++++++++-
+ 3 files changed, 78 insertions(+), 372 deletions(-)
+ mode change 100644 => 120000 INSTALL
+
+diff --git a/src/svc.c b/src/svc.c
+index 6db164b..3a8709f 100644
+--- a/src/svc.c
++++ b/src/svc.c
+@@ -57,7 +57,7 @@
+
+ #define max(a, b) (a > b ? a : b)
+
+-static SVCXPRT **__svc_xports;
++SVCXPRT **__svc_xports;
+ int __svc_maxrec;
+
+ /*
+@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock)
+ rwlock_unlock (&svc_fd_lock);
+ }
+
++int
++svc_open_fds()
++{
++ int ix;
++ int nfds = 0;
++
++ rwlock_rdlock (&svc_fd_lock);
++ for (ix = 0; ix < svc_max_pollfd; ++ix) {
++ if (svc_pollfd[ix].fd != -1)
++ nfds++;
++ }
++ rwlock_unlock (&svc_fd_lock);
++ return (nfds);
++}
++
+ /*
+ * Add a service program to the callout list.
+ * The dispatch routine will be called when a rpc request for this
+diff --git a/src/svc_vc.c b/src/svc_vc.c
+index f1d9f00..3dc8a75 100644
+--- a/src/svc_vc.c
++++ b/src/svc_vc.c
+@@ -64,6 +64,8 @@
+
+
+ extern rwlock_t svc_fd_lock;
++extern SVCXPRT **__svc_xports;
++extern int svc_open_fds();
+
+ static SVCXPRT *makefd_xprt(int, u_int, u_int);
+ static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *);
+@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *);
+ static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in);
+ static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq,
+ void *in);
++static int __svc_destroy_idle(int timeout);
+
+ struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */
+ u_int sendsize;
+@@ -313,13 +316,14 @@ done:
+ return (xprt);
+ }
+
++
+ /*ARGSUSED*/
+ static bool_t
+ rendezvous_request(xprt, msg)
+ SVCXPRT *xprt;
+ struct rpc_msg *msg;
+ {
+- int sock, flags;
++ int sock, flags, nfds, cnt;
+ struct cf_rendezvous *r;
+ struct cf_conn *cd;
+ struct sockaddr_storage addr;
+@@ -379,6 +383,16 @@ again:
+
+ gettimeofday(&cd->last_recv_time, NULL);
+
++ nfds = svc_open_fds();
++ if (nfds >= (_rpc_dtablesize() / 5) * 4) {
++ /* destroy idle connections */
++ cnt = __svc_destroy_idle(15);
++ if (cnt == 0) {
++ /* destroy least active */
++ __svc_destroy_idle(0);
++ }
++ }
++
+ return (FALSE); /* there is never an rpc msg to be processed */
+ }
+
+@@ -820,3 +834,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock)
+ {
+ return FALSE;
+ }
++
++static int
++__svc_destroy_idle(int timeout)
++{
++ int i, ncleaned = 0;
++ SVCXPRT *xprt, *least_active;
++ struct timeval tv, tdiff, tmax;
++ struct cf_conn *cd;
++
++ gettimeofday(&tv, NULL);
++ tmax.tv_sec = tmax.tv_usec = 0;
++ least_active = NULL;
++ rwlock_wrlock(&svc_fd_lock);
++
++ for (i = 0; i <= svc_max_pollfd; i++) {
++ if (svc_pollfd[i].fd == -1)
++ continue;
++ xprt = __svc_xports[i];
++ if (xprt == NULL || xprt->xp_ops == NULL ||
++ xprt->xp_ops->xp_recv != svc_vc_recv)
++ continue;
++ cd = (struct cf_conn *)xprt->xp_p1;
++ if (!cd->nonblock)
++ continue;
++ if (timeout == 0) {
++ timersub(&tv, &cd->last_recv_time, &tdiff);
++ if (timercmp(&tdiff, &tmax, >)) {
++ tmax = tdiff;
++ least_active = xprt;
++ }
++ continue;
++ }
++ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) {
++ __xprt_unregister_unlocked(xprt);
++ __svc_vc_dodestroy(xprt);
++ ncleaned++;
++ }
++ }
++ if (timeout == 0 && least_active != NULL) {
++ __xprt_unregister_unlocked(least_active);
++ __svc_vc_dodestroy(least_active);
++ ncleaned++;
++ }
++ rwlock_unlock(&svc_fd_lock);
++ return (ncleaned);
++}
+--
+1.8.3.1
+