GLSA-200710-01 : RPCSEC_GSS library: Buffer overflow
Critical Nessus Plugin ID 26941
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-200710-01 (RPCSEC_GSS library: Buffer overflow)
A stack based buffer overflow has been discovered in the svcauth_gss_validate() function in file lib/rpc/svc_auth_gss.c when processing an overly long string in a RPC message.
Impact :
A remote attacker could send a specially crafted RPC request to an application relying on this library, e.g NFSv4 or Kerberos (GLSA-200709-01), resulting in the execution of arbitrary code with the privileges of the user running the application.
Workaround :
There is no known workaround at this time.
Solution
All librpcsecgss users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=net-libs/librpcsecgss-0.16'