From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <fweimer@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
 by sourceware.org (Postfix) with ESMTPS id 205D3385842F
 for <libc-alpha@sourceware.org>; Fri, 14 Jan 2022 08:23:54 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 205D3385842F
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-607-W9g08rzmPgS7sPfKlZazSA-1; Fri, 14 Jan 2022 03:23:50 -0500
X-MC-Unique: W9g08rzmPgS7sPfKlZazSA-1
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com
 [10.5.11.23])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mimecast-mx01.redhat.com (Postfix) with ESMTPS id D15391083F62
 for <libc-alpha@sourceware.org>; Fri, 14 Jan 2022 08:23:49 +0000 (UTC)
Received: from oldenburg.str.redhat.com (unknown [10.39.192.49])
 by smtp.corp.redhat.com (Postfix) with ESMTPS id 351B01F300
 for <libc-alpha@sourceware.org>; Fri, 14 Jan 2022 08:23:49 +0000 (UTC)
From: Florian Weimer <fweimer@redhat.com>
To: libc-alpha@sourceware.org
Subject: [PATCH v2 0/4] CVE-2022-23218, CVE-2022-23219: sunrpc buffer overflows
X-From-Line: 4e87feed87235e9143778454147e04469a1e7380 Mon Sep 17 00:00:00 2001
Message-Id: <cover.1642148513.git.fweimer@redhat.com>
Date: Fri, 14 Jan 2022 09:23:47 +0100
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain
X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_LOW,
 RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE,
 TXREP autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jan 2022 08:23:55 -0000

The first one was reported by Martin Sebor in 2017, but we didn't fix
it.  Grepping for sun_path I found another similar one.

v2: Add CVE IDs.

Thanks,
Florian

Florian Weimer (3):
  socket: Add the __sockaddr_un_set function
  CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug
    22542)
  CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)

Martin Sebor (1):
  sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)

 NEWS                         |  7 +++-
 include/sys/un.h             | 12 +++++++
 socket/Makefile              |  6 +++-
 socket/sockaddr_un_set.c     | 41 ++++++++++++++++++++++++
 socket/tst-sockaddr_un_set.c | 62 ++++++++++++++++++++++++++++++++++++
 sunrpc/Makefile              |  5 ++-
 sunrpc/clnt_gen.c            | 10 ++++--
 sunrpc/svc_unix.c            | 11 +++----
 sunrpc/tst-bug22542.c        | 44 +++++++++++++++++++++++++
 sunrpc/tst-bug28768.c        | 42 ++++++++++++++++++++++++
 10 files changed, 227 insertions(+), 13 deletions(-)
 create mode 100644 socket/sockaddr_un_set.c
 create mode 100644 socket/tst-sockaddr_un_set.c
 create mode 100644 sunrpc/tst-bug22542.c
 create mode 100644 sunrpc/tst-bug28768.c


base-commit: a78e6a10d0b50d0ca80309775980fc99944b1727
-- 
2.34.1