Debian CVE-2021-46828: libtirpc: lead to an svc_run infinite loop

Bug #1994109 reported by Yue Tao
Affects: StarlingX | Status: Fix Released | Importance: Medium | Assigned to: Zhixiong Chi | Milestone: -

Bug Description

CVE-2021-46828: [https://nvd.nist.gov/vuln/detail/CVE-2021-46828]
In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.

Score:
cve_id         | status | cvss3Score | av | ac | pr | ui | ai
CVE-2021-46828 | fixed  | 7.5        | N  | L  | N  | N  | H

References:
https://security-tracker.debian.org/tracker/DSA-5200-1

Package upgrades (Debian 11):
libtirpc-common_1.3.1-1_all.deb ===> libtirpc-common_1.3.1-1+deb11u1_all.deb
libtirpc-dev_1.3.1-1_amd64.deb ===> libtirpc-dev_1.3.1-1+deb11u1_amd64.deb
libtirpc3_1.3.1-1_amd64.deb ===> libtirpc3_1.3.1-1+deb11u1_amd64.deb

Found during August 2022 CVE scan using vulscan

Ghada Khalil (gkhalil) wrote :

screening: stx.8.0 / medium - CVE meets the stx fix criteria

information type: Public → Public Security
Changed in starlingx:
status: New → Triaged
importance: Undecided → Medium
tags: added: stx.8.0 stx.security
Changed in starlingx:
assignee: nobody → Yue Tao (wrytao)
Changed in starlingx:
assignee: Yue Tao (wrytao) → Zhixiong Chi (zhixiongchi)
status: Triaged → In Progress
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/864099

OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/864099
Committed: https://opendev.org/starlingx/tools/commit/c3a19ce35fecd52d94944cdd0201f5167bf4eb85
Submitter: "Zuul (22348)"
Branch: master

commit c3a19ce35fecd52d94944cdd0201f5167bf4eb85
Author: Zhixiong Chi <email address hidden>
Date: Wed Nov 9 11:08:40 2022 +0800

    Debian: libtirpc: fix CVE-2022-46828

    Upgrade libtirpc-common to 1.3.1-1+deb11u1
    Upgrade libtirpc3 to 1.3.1-1+deb11u1
    Upgrade libtirpc-dev to 1.3.1-1+deb11u1

    Refer to:
    https://security-tracker.debian.org/tracker/DSA-5200-1

    Test Plan:
    Pass: build-pkgs -c -a
    Pass: build-image

    Closes-Bug: 1994109

    Signed-off-by: Zhixiong Chi <email address hidden>
    Change-Id: I91bd29c4bc3a1a43cc93bc4559e70b72a87bd090

Changed in starlingx:
status: In Progress → Fix Released