libtirpc security update

2013-05-30T20:28:52
ID CESA-2013:0884
Type centos
Reporter CentOS Project
Modified 2013-05-30T20:28:52

Description

CentOS Errata and Security Advisory CESA-2013:0884

These packages provide a transport-independent RPC (remote procedure call) implementation.

A flaw was found in the way libtirpc decoded RPC requests. A specially-crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950)

Red Hat would like to thank Michael Armstrong for reporting this issue.

Users of libtirpc should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libtirpc must be restarted for the update to take effect.
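The restart requirement above is easy to get wrong: `yum update` replaces libtirpc.so on disk, but every process that already mapped the old copy (rpcbind, and any other RPC client or server) keeps running the vulnerable code until it is restarted. The script below is an added example, not part of the CentOS advisory or the libtirpc project, for finding those processes on a Linux host by reading `/proc/<pid>/maps`, where a shared object that was replaced on disk is listed with a `(deleted)` suffix. The `procroot` argument is an assumed testing hook so the functions can be exercised against a constructed `/proc` tree; it defaults to the real `/proc`. Reading other users' `maps` files requires root.

```shell
#!/bin/sh
# Added example (not the advisory's own text): locate processes that still map
# a pre-update libtirpc after `yum update libtirpc libtirpc-devel`.
#
#   rpm -q libtirpc                  # installed version after the update
#   sh restart_check.sh --scan       # list PIDs that need a restart

# Print, one per line, the PIDs of processes whose address space maps libtirpc.
# $1 (assumption for testing): alternative /proc root; defaults to /proc.
procs_using_libtirpc() {
    procroot="${1:-/proc}"
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # skip unreadable (non-root) or no match
        if grep -q 'libtirpc\.so' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            pid="${pid##*/}"
            echo "$pid"
        fi
    done
}

# Return 0 when a maps file shows a libtirpc mapping whose backing file was
# unlinked, i.e. the process still runs the library as it was before the update.
maps_has_stale_libtirpc() {
    grep -q 'libtirpc\.so.*(deleted)' "$1"
}

# Print the PIDs that map libtirpc AND hold a deleted (stale) copy of it.
stale_libtirpc_pids() {
    procroot="${1:-/proc}"
    for pid in $(procs_using_libtirpc "$procroot"); do
        if maps_has_stale_libtirpc "$procroot/$pid/maps"; then
            echo "$pid"
        fi
    done
}

# Human-readable report: PID and command name for every stale mapping.
report_stale_libtirpc() {
    procroot="${1:-/proc}"
    found=0
    for pid in $(stale_libtirpc_pids "$procroot"); do
        comm=$(cat "$procroot/$pid/comm" 2>/dev/null || echo '?')
        echo "restart needed: pid $pid ($comm) still maps the old libtirpc"
        found=1
    done
    [ "$found" -eq 0 ] && echo "no process maps a stale libtirpc"
    return 0
}

case "${1:-}" in
    --scan) report_stale_libtirpc ;;
esac
```

On CentOS the usual follow-up for the advisory's main consumer is `service rpcbind restart` (and a restart of NFS services that depend on it); rerun the scan afterwards until it reports nothing. `lsof` shows the same condition as `DEL` entries for the library path, if it is installed. The `(deleted)` heuristic only works for libraries that were actually replaced; a process started after the update maps the new file and is correctly not reported.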

Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2013-May/019768.html

Affected packages: libtirpc libtirpc-devel

Upstream details at: https://rhn.redhat.com/errata/RHSA-2013-0884.html