(RHSA-2013:0884) Moderate: libtirpc security update

2013-05-30T04:00:00
ID RHSA-2013:0884
Type redhat
Reporter RedHat
Modified 2018-06-06T20:24:18

Description

These packages provide a transport-independent RPC (remote procedure call) implementation.

A flaw was found in the way libtirpc decoded RPC requests. A specially-crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950)

Red Hat would like to thank Michael Armstrong for reporting this issue.

Users of libtirpc should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libtirpc must be restarted for the update to take effect.