Description: this allowed an attacker to easily disrupt a remote system through excessive memory consumption.
Writeup: https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/
Demonstration video: https://www.youtube.com/watch?v=b38H3oEgrQw (this video shows that the attack doesn't necessarily just crash the rpcbind process, but that the entire system can slow down severely because it has to resort to swap memory, even if overcommit is enabled. This implies scope=changed in the CVSS. But I filled out unchanged to be consistent with the official assessment.)
CVSS score: https://nvd.nist.gov/vuln/detail/CVE-2017-8779
rpcbind/libtirpc: CVE-2017-8779 http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=dd9c7cf4f8f375c6d641b760d124650c418c2ce3 (patches by me)
GLIBC: CVE-2017-8804 https://sourceware.org/bugzilla/show_bug.cgi?id=21461