Launchpad.net

CVE 2017-8779

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

Related bugs and status

CVE-2017-8779 (Candidate) is related to these bugs:

Bug #1687930: remote denial-of-service

Summary				In	Importance	Status
	1687930	remote denial-of-service		rpcbind (Ubuntu)	Undecided	Confirmed

Bug #1843403: [MIR] nfs-ganesha, ntirpc

Summary				In	Importance	Status
	1843403	[MIR] nfs-ganesha, ntirpc		nfs-ganesha (Ubuntu)	High	Fix Released
	1843403	[MIR] nfs-ganesha, ntirpc		ntirpc (Ubuntu)	High	Fix Released

Bug #1925280: rpcbind still vulnerable with CVE-2017-8779

Summary				In	Importance	Status
	1925280	rpcbind still vulnerable with CVE-2017-8779		rpcbind (Ubuntu)	Undecided	Fix Released
	1925280	rpcbind still vulnerable with CVE-2017-8779		rpcbind (Ubuntu Bionic)	Undecided	Fix Released

Bug #1931507: rpcbind failing on 0.2.3-0.6ubuntu0.18.04.2

Summary				In	Importance	Status
	1931507	rpcbind failing on 0.2.3-0.6ubuntu0.18.04.2		rpcbind (Ubuntu)	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2017-8779

Related bugs and status

Related bugs

References