Security Advisory Important: rpcbind security update

Advisory: RHSA-2017:1262-2
Type: Security Advisory
Severity: Important
Issued on: 2017-05-22
Last updated on: 2017-06-16
Affected Products: Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux HPC Node (v. 7)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Server TUS (v. 7.3)
Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2017-8779

Details

An update for rpcbind is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

[Updated 16 June 2017]
The packages distributed with this erratum contain a bug that can cause the
rpcbind utility to terminate unexpectedly at startup. RHBA-2017:1436 was
released on 13 June 2017 to address this issue.

The rpcbind utility is a server that converts Remote Procedure Call (RPC)
program numbers into universal addresses. It must be running on the host to be
able to make RPC calls on a server on that machine.

Security Fix(es):

* It was found that, due to the way rpcbind uses libtirpc (libntirpc), a memory
leak occurs when rpcbind fails to parse a specially crafted XDR message (the
buffer allocated for an XDR string or byte array is not released on a decoding
failure). An attacker sending thousands of such messages to rpcbind could cause
its memory usage to grow without bound, eventually causing it to be terminated
by the OOM killer. (CVE-2017-8779)


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
rpcbind-0.2.0-38.el7_3.src.rpm
File outdated by:  RHBA-2017:1436

x86_64:
rpcbind-0.2.0-38.el7_3.x86_64.rpm
File outdated by:  RHBA-2017:1436
rpcbind-debuginfo-0.2.0-38.el7_3.x86_64.rpm
File outdated by:  RHBA-2017:1436

Red Hat Enterprise Linux HPC Node (v. 7)

SRPMS:
rpcbind-0.2.0-38.el7_3.src.rpm
File outdated by:  RHBA-2017:1436

x86_64:
rpcbind-0.2.0-38.el7_3.x86_64.rpm
File outdated by:  RHBA-2017:1436
rpcbind-debuginfo-0.2.0-38.el7_3.x86_64.rpm
File outdated by:  RHBA-2017:1436

Red Hat Enterprise Linux Server (v. 7)

SRPMS:
rpcbind-0.2.0-38.el7_3.src.rpm
File outdated by:  RHBA-2017:1436

PPC:
rpcbind-0.2.0-38.el7_3.ppc64.rpm
File outdated by:  RHBA-2017:1436
rpcbind-debuginfo-0.2.0-38.el7_3.ppc64.rpm
File outdated by:  RHBA-2017:1436

PPC64LE:
rpcbind-0.2.0-38.el7_3.ppc64le.rpm
File outdated by:  RHBA-2017:1436
rpcbind-debuginfo-0.2.0-38.el7_3.ppc64le.rpm
File outdated by:  RHBA-2017:1436

s390x:
rpcbind-0.2.0-38.el7_3.s390x.rpm
File outdated by:  RHBA-2017:1436
rpcbind-debuginfo-0.2.0-38.el7_3.s390x.rpm
File outdated by:  RHBA-2017:1436

x86_64:
rpcbind-0.2.0-38.el7_3.x86_64.rpm
File outdated by:  RHBA-2017:1436
rpcbind-debuginfo-0.2.0-38.el7_3.x86_64.rpm
File outdated by:  RHBA-2017:1436

Red Hat Enterprise Linux Server TUS (v. 7.3)

SRPMS:
rpcbind-0.2.0-38.el7_3.src.rpm
File outdated by:  RHBA-2017:1436

x86_64:
rpcbind-0.2.0-38.el7_3.x86_64.rpm
File outdated by:  RHBA-2017:1436
rpcbind-debuginfo-0.2.0-38.el7_3.x86_64.rpm
File outdated by:  RHBA-2017:1436

Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
rpcbind-0.2.0-38.el7_3.src.rpm
File outdated by:  RHBA-2017:1436

x86_64:
rpcbind-0.2.0-38.el7_3.x86_64.rpm
File outdated by:  RHBA-2017:1436
rpcbind-debuginfo-0.2.0-38.el7_3.x86_64.rpm
File outdated by:  RHBA-2017:1436
 
(The unlinked packages above are only available from the Red Hat Network)
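As an added example (not part of the advisory), a POSIX shell check that compares a host's installed rpcbind version-release against the fixed build listed above, 0.2.0-38.el7_3, for CVE-2017-8779. The rpm query wrapper is an assumption about where the script runs and is only meaningful on a RHEL 7 host; the comparison functions work on plain strings.

```shell
#!/bin/sh
# Fixed version-release from RHSA-2017:1262 (rpcbind-0.2.0-38.el7_3).
# The later build from RHBA-2017:1436 is assumed to carry a higher release
# number and therefore compares as "fixed" as well.
FIXED_VR="0.2.0-38.el7_3"

# vr_cmp A B: print -1, 0 or 1 comparing two version-release strings
# segment by segment (split on '.', '-' and '_'; digit runs compare
# numerically, other runs lexically, a missing segment sorts lowest).
vr_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[^0-9A-Za-z]+/); m = split(b, y, /[^0-9A-Za-z]+/)
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] : ""; q = (i <= m) ? y[i] : ""
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) { p += 0; q += 0 }
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# rpcbind_is_fixed VR: succeed when VR is at or past the fixed build.
rpcbind_is_fixed() {
    [ "$(vr_cmp "$1" "$FIXED_VR")" -ge 0 ]
}

# check_host: query the local rpm database (assumed RHEL 7 host).
check_host() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' rpcbind 2>/dev/null) || {
        echo "rpcbind is not installed"; return 2; }
    if rpcbind_is_fixed "$vr"; then
        echo "rpcbind $vr: fixed for CVE-2017-8779"
    else
        echo "rpcbind $vr: affected by CVE-2017-8779, apply the erratum"
        return 1
    fi
}

# Run the host check only when asked, so the file can also be sourced.
case "${1:-}" in --check) check_host ;; esac
```

Run it as `sh check-rpcbind.sh --check`; a non-zero exit marks an affected host, which makes it easy to wrap in a fleet-wide sweep.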

Bugs fixed (see bugzilla for more information)

1448124 - CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays


References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/