Metric | Value |
---|---|
CVSS2 score | 4.3 Medium |
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:M/Au:N/C:N/I:N/A:P |
EPSS | 0.171 Low |
EPSS percentile | 96.1% |

CentOS Errata and Security Advisory CESA-2013:0884

These packages provide a transport-independent RPC (remote procedure call)
implementation.

A flaw was found in the way libtirpc decoded RPC requests. A
specially-crafted RPC request could cause libtirpc to attempt to free a
buffer provided by an application using the library, even when the buffer
was not dynamically allocated. This could cause an application using
libtirpc, such as rpcbind, to crash. (CVE-2013-1950)

Red Hat would like to thank Michael Armstrong for reporting this issue.

Users of libtirpc should upgrade to these updated packages, which contain a
backported patch to correct this issue. All running applications using
libtirpc must be restarted for the update to take effect.
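
The restart requirement above can be checked after the update. The following is an added example, not part of the advisory: it assumes a Linux `/proc` layout, where a process that still maps the replaced library file shows it tagged `(deleted)` in `/proc/<pid>/maps`. The function names, the sample PIDs and the library path `/lib64/libtirpc.so.1.0.10` are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the advisory): list processes that still map the
# pre-update copy of libtirpc and therefore still need a restart.

# stale_libtirpc_pids [PROC_ROOT]
# Prints one PID per line (sorted) for each process whose maps file holds a
# libtirpc mapping tagged "(deleted)". PROC_ROOT defaults to /proc.
stale_libtirpc_pids() {
    local root="${1:-/proc}" dir
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        # Library path (any version suffix) followed by the "(deleted)" tag.
        if grep -Eq '/libtirpc\.so[^ ]* \(deleted\)$' "$dir/maps" 2>/dev/null; then
            echo "${dir##*/}"
        fi
    done | sort -n
}

# demo_tree: builds a constructed /proc-like tree and prints its path.
#   PID 101 was started before the update (old file unlinked, still mapped).
#   PID 202 was started after the update (maps the current file).
demo_tree() {
    local t
    t="$(mktemp -d)"
    mkdir -p "$t/101" "$t/202"
    printf '%s\n' \
        '7f10a0000000-7f10a0025000 r-xp 00000000 fd:00 1311 /lib64/libtirpc.so.1.0.10 (deleted)' \
        '7f10a0400000-7f10a0421000 r-xp 00000000 fd:00 1200 /lib64/ld-2.12.so' \
        > "$t/101/maps"
    printf '%s\n' \
        '7f20b0000000-7f20b0025000 r-xp 00000000 fd:00 1399 /lib64/libtirpc.so.1.0.10' \
        > "$t/202/maps"
    echo "$t"
}

# Run against the constructed sample; on a real host pass /proc (as root, so
# that other users' maps files are readable).
tree="$(demo_tree)"
echo "needs restart (sample tree): $(stale_libtirpc_pids "$tree" | tr '\n' ' ')"
rm -rf "$tree"
```

An empty result on a patched host means no running process still holds the old library.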

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2013-May/081930.html

Affected packages:
libtirpc
libtirpc-devel

Upstream details at:
https://access.redhat.com/errata/RHSA-2013:0884

OS | OS Version | Architecture | Package | Affected Package Version | Filename |
---|---|---|---|---|---|
CentOS | 6 | i686 | libtirpc | < 0.2.1-6.el6_4 | libtirpc-0.2.1-6.el6_4.i686.rpm |
CentOS | 6 | i686 | libtirpc-devel | < 0.2.1-6.el6_4 | libtirpc-devel-0.2.1-6.el6_4.i686.rpm |
CentOS | 6 | x86_64 | libtirpc | < 0.2.1-6.el6_4 | libtirpc-0.2.1-6.el6_4.x86_64.rpm |
CentOS | 6 | x86_64 | libtirpc-devel | < 0.2.1-6.el6_4 | libtirpc-devel-0.2.1-6.el6_4.x86_64.rpm |