libtirpc security update

ID CESA-2013:0884
Type centos
Reporter CentOS Project
Modified 2013-05-30T20:28:52


CentOS Errata and Security Advisory CESA-2013:0884

These packages provide a transport-independent RPC (remote procedure call) implementation.

A flaw was found in the way libtirpc decoded RPC requests. A specially-crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950)

Red Hat would like to thank Michael Armstrong for reporting this issue.

Users of libtirpc should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libtirpc must be restarted for the update to take effect.

Merged security bulletin from advisories:

Affected packages: libtirpc libtirpc-devel

Upstream details at: