@@ -0,0 +1,554 @@
+commit 86529758570cef4c73fb9b9c4104fdc510f701ed
+Author: Dai Ngo <dai.ngo@oracle.com>
+Date: Sat Aug 21 13:16:23 2021 -0400
+
+ Fix DoS vulnerability in libtirpc
+
+ Currently svc_run does not handle poll timeout and rendezvous_request
+ does not handle EMFILE error returned from accept(2 as it used to.
+ These two missing functionality were removed by commit b2c9430f46c4.
+
+ The effect of not handling poll timeout allows idle TCP conections
+ to remain ESTABLISHED indefinitely. When the number of connections
+ reaches the limit of the open file descriptors (ulimit -n) then
+ accept(2) fails with EMFILE. Since there is no handling of EMFILE
+ error this causes svc_run() to get in a tight loop calling accept(2).
+ This resulting in the RPC service of svc_run is being down, it's
+ no longer able to service any requests.
+
+ RPC service rpcbind, statd and mountd are effected by this
+ problem.
+
+ Fix by enhancing rendezvous_request to keep the number of
+ SVCXPRT conections to 4/5 of the size of the file descriptor
+ table. When this thresold is reached, it destroys the idle
+ TCP connections or destroys the least active connection if
+ no idle connnction was found.
+
+ Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc
+ Signed-off-by: dai.ngo@oracle.com
+ Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/INSTALL b/INSTALL
+deleted file mode 100644
+index 2099840..0000000
+--- a/INSTALL
++++ /dev/null
+@@ -1,370 +0,0 @@
+-Installation Instructions
+-*************************
+-
+-Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
+-Inc.
+-
+- Copying and distribution of this file, with or without modification,
+-are permitted in any medium without royalty provided the copyright
+-notice and this notice are preserved. This file is offered as-is,
+-without warranty of any kind.
+-
+-Basic Installation
+-==================
+-
+- Briefly, the shell command `./configure && make && make install'
+-should configure, build, and install this package. The following
+-more-detailed instructions are generic; see the `README' file for
+-instructions specific to this package. Some packages provide this
+-`INSTALL' file but do not implement all of the features documented
+-below. The lack of an optional feature in a given package is not
+-necessarily a bug. More recommendations for GNU packages can be found
+-in *note Makefile Conventions: (standards)Makefile Conventions.
+-
+- The `configure' shell script attempts to guess correct values for
+-various system-dependent variables used during compilation. It uses
+-those values to create a `Makefile' in each directory of the package.
+-It may also create one or more `.h' files containing system-dependent
+-definitions. Finally, it creates a shell script `config.status' that
+-you can run in the future to recreate the current configuration, and a
+-file `config.log' containing compiler output (useful mainly for
+-debugging `configure').
+-
+- It can also use an optional file (typically called `config.cache'
+-and enabled with `--cache-file=config.cache' or simply `-C') that saves
+-the results of its tests to speed up reconfiguring. Caching is
+-disabled by default to prevent problems with accidental use of stale
+-cache files.
+-
+- If you need to do unusual things to compile the package, please try
+-to figure out how `configure' could check whether to do them, and mail
+-diffs or instructions to the address given in the `README' so they can
+-be considered for the next release. If you are using the cache, and at
+-some point `config.cache' contains results you don't want to keep, you
+-may remove or edit it.
+-
+- The file `configure.ac' (or `configure.in') is used to create
+-`configure' by a program called `autoconf'. You need `configure.ac' if
+-you want to change it or regenerate `configure' using a newer version
+-of `autoconf'.
+-
+- The simplest way to compile this package is:
+-
+- 1. `cd' to the directory containing the package's source code and type
+- `./configure' to configure the package for your system.
+-
+- Running `configure' might take a while. While running, it prints
+- some messages telling which features it is checking for.
+-
+- 2. Type `make' to compile the package.
+-
+- 3. Optionally, type `make check' to run any self-tests that come with
+- the package, generally using the just-built uninstalled binaries.
+-
+- 4. Type `make install' to install the programs and any data files and
+- documentation. When installing into a prefix owned by root, it is
+- recommended that the package be configured and built as a regular
+- user, and only the `make install' phase executed with root
+- privileges.
+-
+- 5. Optionally, type `make installcheck' to repeat any self-tests, but
+- this time using the binaries in their final installed location.
+- This target does not install anything. Running this target as a
+- regular user, particularly if the prior `make install' required
+- root privileges, verifies that the installation completed
+- correctly.
+-
+- 6. You can remove the program binaries and object files from the
+- source code directory by typing `make clean'. To also remove the
+- files that `configure' created (so you can compile the package for
+- a different kind of computer), type `make distclean'. There is
+- also a `make maintainer-clean' target, but that is intended mainly
+- for the package's developers. If you use it, you may have to get
+- all sorts of other programs in order to regenerate files that came
+- with the distribution.
+-
+- 7. Often, you can also type `make uninstall' to remove the installed
+- files again. In practice, not all packages have tested that
+- uninstallation works correctly, even though it is required by the
+- GNU Coding Standards.
+-
+- 8. Some packages, particularly those that use Automake, provide `make
+- distcheck', which can by used by developers to test that all other
+- targets like `make install' and `make uninstall' work correctly.
+- This target is generally not run by end users.
+-
+-Compilers and Options
+-=====================
+-
+- Some systems require unusual options for compilation or linking that
+-the `configure' script does not know about. Run `./configure --help'
+-for details on some of the pertinent environment variables.
+-
+- You can give `configure' initial values for configuration parameters
+-by setting variables in the command line or in the environment. Here
+-is an example:
+-
+- ./configure CC=c99 CFLAGS=-g LIBS=-lposix
+-
+- *Note Defining Variables::, for more details.
+-
+-Compiling For Multiple Architectures
+-====================================
+-
+- You can compile the package for more than one kind of computer at the
+-same time, by placing the object files for each architecture in their
+-own directory. To do this, you can use GNU `make'. `cd' to the
+-directory where you want the object files and executables to go and run
+-the `configure' script. `configure' automatically checks for the
+-source code in the directory that `configure' is in and in `..'. This
+-is known as a "VPATH" build.
+-
+- With a non-GNU `make', it is safer to compile the package for one
+-architecture at a time in the source code directory. After you have
+-installed the package for one architecture, use `make distclean' before
+-reconfiguring for another architecture.
+-
+- On MacOS X 10.5 and later systems, you can create libraries and
+-executables that work on multiple system types--known as "fat" or
+-"universal" binaries--by specifying multiple `-arch' options to the
+-compiler but only a single `-arch' option to the preprocessor. Like
+-this:
+-
+- ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
+- CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
+- CPP="gcc -E" CXXCPP="g++ -E"
+-
+- This is not guaranteed to produce working output in all cases, you
+-may have to build one architecture at a time and combine the results
+-using the `lipo' tool if you have problems.
+-
+-Installation Names
+-==================
+-
+- By default, `make install' installs the package's commands under
+-`/usr/local/bin', include files under `/usr/local/include', etc. You
+-can specify an installation prefix other than `/usr/local' by giving
+-`configure' the option `--prefix=PREFIX', where PREFIX must be an
+-absolute file name.
+-
+- You can specify separate installation prefixes for
+-architecture-specific files and architecture-independent files. If you
+-pass the option `--exec-prefix=PREFIX' to `configure', the package uses
+-PREFIX as the prefix for installing programs and libraries.
+-Documentation and other data files still use the regular prefix.
+-
+- In addition, if you use an unusual directory layout you can give
+-options like `--bindir=DIR' to specify different values for particular
+-kinds of files. Run `configure --help' for a list of the directories
+-you can set and what kinds of files go in them. In general, the
+-default for these options is expressed in terms of `${prefix}', so that
+-specifying just `--prefix' will affect all of the other directory
+-specifications that were not explicitly provided.
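Review bot: The removal of INSTALL (the "@@ -1,370 +0,0 @@" hunk under "diff --git a/INSTALL b/INSTALL") has nothing to do with the fix the commit message describes, which concerns svc_run and rendezvous_request. The deleted text is the generic Free Software Foundation installation instructions, so it adds 370 lines of unrelated churn to a security patch and can make the patch fail to apply on a tree where INSTALL is missing or differs. Suggest dropping this hunk from the patch file, or carrying the INSTALL removal as a separate cleanup change, so the security fix can be reviewed and backported on its own.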
|