Bugzilla – Bug 1201680
VUL-0: CVE-2021-46828: libtirpc: DoS vulnerability with lots of connections
Last modified: 2022-11-30 13:01:05 UTC
In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.
libtirpc - before 1.3.3rc1
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed
Lance, there is a testpackage for SLE15 at: https://build.suse.de/package/show/home:tsaupe:branches:SUSE:SLE-15:Update:libtirpc-bsc1201518/libtirpc Could you please pass it to the customer and ask for feedback?
SUSE:SLE-12-SP2:Update/libtirpc SUSE:SLE-11-SP1:Update/libtirpc also should get fixed I would say
Hi, what is the best way for me to try to download the test rpms?
(In reply to Marcus Meissner from comment #4)
> SUSE:SLE-12-SP2:Update/libtirpc
submission prepared
> SUSE:SLE-11-SP1:Update/libtirpc
libtirpc-0.2.1 in SUSE:SLE-11-SP1:Update has a very similar function (__svc_clean_idle) that was removed later by:
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=blobdiff;f=src/svc_vc.c;h=4bafbcf11a958e76d8ff47082ce36ca788e6fe16;hp=3cddcbceebaef9122aca51bb7b27a3f72b5ae16e;hb=b2c9430f46c4ac848957fb8adaac176a3f6ac03f;hpb=1c77f7a869bdea2a34799d774460d1f9983d45f0
So, it seems the patch is not needed there.
> also should get fixed I would say
Can you confirm?
(In reply to Thomas Blume from comment #8)
> (In reply to Marcus Meissner from comment #4)
> > also should get fixed I would say
>
> Can you confirm?
All versions we ship look vulnerable to this issue, so I am afraid we need the patch in all of the old versions.
This is an autogenerated message for OBS integration: This bug (1201680) was mentioned in https://build.opensuse.org/request/show/998199 Factory / libtirpc
(In reply to Robert Frohl from comment #12)
> (In reply to Thomas Blume from comment #8)
> > (In reply to Marcus Meissner from comment #4)
> > > also should get fixed I would say
> >
> > Can you confirm?
>
> All versions we ship look vulnerable to this issue, so I am afraid we need
> the patch in all of the old versions.
Hm, the patch description tells:
-->
> Currently svc_run does not handle poll timeout and rendezvous_request
> does not handle EMFILE error returned from accept(2 as it used to.
> These two missing functionality were removed by commit b2c9430f46c4.
--<
So, it is re-adding a functionality that was present before commit b2c9430f46c4.
The libtirpc version in SLE-11-SP1:Update is before this commit.
So, I think the vulnerability is not present in SLE-11-SP1:Update.
Adding the patch on top of the already present function would introduce a duplicate functionality.
I'm afraid about side effects.
Could you give instruction how to test SLE-11-SP1:Update for this vulnerability?
SUSE-SU-2022:2991-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (important)
Bug References: 1198752,1200800,1201680
CVE References: CVE-2021-46828
JIRA References:
Sources used:
SUSE Manager Server 4.1 (src): libtirpc-1.0.2-150000.3.18.1
SUSE Manager Retail Branch Server 4.1 (src): libtirpc-1.0.2-150000.3.18.1
SUSE Manager Proxy 4.1 (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise Server for SAP 15 (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise Server 15-LTSS (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): libtirpc-1.0.2-150000.3.18.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): libtirpc-1.0.2-150000.3.18.1
SUSE Enterprise Storage 7 (src): libtirpc-1.0.2-150000.3.18.1
SUSE Enterprise Storage 6 (src): libtirpc-1.0.2-150000.3.18.1
SUSE CaaS Platform 4.0 (src): libtirpc-1.0.2-150000.3.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3305-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1201680
CVE References: CVE-2021-46828
JIRA References:
Sources used:
openSUSE Leap Micro 5.2 (src): libtirpc-1.2.6-150300.3.14.1
openSUSE Leap 15.4 (src): libtirpc-1.2.6-150300.3.14.1
openSUSE Leap 15.3 (src): libtirpc-1.2.6-150300.3.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): libtirpc-1.2.6-150300.3.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): libtirpc-1.2.6-150300.3.14.1
SUSE Linux Enterprise Micro 5.2 (src): libtirpc-1.2.6-150300.3.14.1
SUSE Linux Enterprise Micro 5.1 (src): libtirpc-1.2.6-150300.3.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Thomas Blume from comment #16)
> So, it is re-adding a functionality that was present before commit
> b2c9430f46c4.
> The libtirpc version in SLE-11-SP1:Update is before this commit.
> So, I think the vulnerability is not present in SLE-11-SP1:Update.
>
> Adding the patch on top of the already present function would introduce a
> duplicate functionality.
> I'm afraid about side effects.
>
> Could you give instruction how to test SLE-11-SP1:Update for this
> vulnerability?
I agree that this does not affect SLE-11-SP1. Updated tracking.
SUSE-SU-2022:3791-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1200800,1201680
CVE References: CVE-2021-46828
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): libtirpc-1.0.1-17.24.1
SUSE OpenStack Cloud 9 (src): libtirpc-1.0.1-17.24.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libtirpc-1.0.1-17.24.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): libtirpc-1.0.1-17.24.1
SUSE Linux Enterprise Server 12-SP5 (src): libtirpc-1.0.1-17.24.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): libtirpc-1.0.1-17.24.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): libtirpc-1.0.1-17.24.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): libtirpc-1.0.1-17.24.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All updates released, reassigning to security-team to wrap it up.
The SLE11 SP1 code has __svc_clean_idle, there the strategy is to wait for 30 seconds until cleaning up the file descriptors. While it is not exactly the same fix, it triggers unconditionally and will clean up things after a while making progress. (The upper patch is using a 15 second timeout.)
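The strategy discussed in this thread (reap idle connections after a timeout, and again when accept(2) reports EMFILE) is sketched below as an added example; it is not libtirpc code and not part of any comment above. The names `struct conn`, `clean_idle`, `on_accept_error` and `demo_recover_from_emfile` are hypothetical, the scenario is constructed from local socketpairs, and the 15 second figure is the one quoted in the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

#define IDLE_TIMEOUT 15 /* seconds; the figure the thread quotes for the patch */
#define MAX_CONN 32     /* hypothetical table size for this example */
struct conn { int fd; time_t last_active; }; /* fd < 0 marks a free slot */

/* Close connections idle for at least `timeout` seconds; return how many. */
int clean_idle(struct conn *tab, int n, time_t now, time_t timeout) {
    int closed = 0;
    for (int i = 0; i < n; i++)
        if (tab[i].fd >= 0 && now - tab[i].last_active >= timeout) {
            close(tab[i].fd);
            tab[i].fd = -1;
            closed++;
        }
    return closed;
}

/* accept(2) failed: on descriptor exhaustion, reap idle peers so the loop makes progress. */
int on_accept_error(int err, struct conn *tab, int n, time_t now) {
    return (err == EMFILE || err == ENFILE) ? clean_idle(tab, n, now, IDLE_TIMEOUT) : 0;
}

/* Constructed scenario. Returns connections reaped, or -1 if no descriptor was regained. */
int demo_recover_from_emfile(void) {
    struct rlimit old, low;
    struct conn tab[MAX_CONN];
    int sv[2], used = 0, reaped, ok;
    time_t now = time(NULL);
    getrlimit(RLIMIT_NOFILE, &old);
    low = old; low.rlim_cur = 24;   /* small soft limit so EMFILE is reached quickly */
    setrlimit(RLIMIT_NOFILE, &low);
    while (used + 1 < MAX_CONN && socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        tab[used++] = (struct conn){ sv[0], now - 60 }; /* idle for 60 s */
        tab[used++] = (struct conn){ sv[1], now };      /* active just now */
    }
    reaped = on_accept_error(errno, tab, used, now);    /* errno is EMFILE here */
    ok = socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0 && close(sv[0]) == 0 && close(sv[1]) == 0;
    clean_idle(tab, used, now, 0);  /* close the remaining constructed descriptors */
    setrlimit(RLIMIT_NOFILE, &old);
    return ok ? reaped : -1;
}

int main(void) { printf("reaped %d idle connections\n", demo_recover_from_emfile()); return 0; }
```

Only the ends marked idle for 60 seconds are closed; the ends marked active survive the reap, which is why a new descriptor can be obtained again without dropping live peers.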