Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

The attached patch fixes CVE-2017-9951, which has not been fixed via a DSA,
as discussed with Salvatore Bonaccorso: https://bugs.debian.org/868701.

- -- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-87-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=fr_FR (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog
index 92bce48..c86b8f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+memcached (1.4.33-1+deb9u1) stretch; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2017-9951 by checking the integer length of commands that adds or
+    replaces key/value pair
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Tue, 25 Jul 2017 00:38:52 +0200
+
 memcached (1.4.33-1) unstable; urgency=medium
 
   * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706
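Review bot: The new entry's "Non-maintainer upload by the Security Team" line does not match this request, which is usertagged pu and whose cover mail says the CVE was not fixed via a DSA; drop or reword it for a stable proposed-update. The fix line is also vague ("checking the integer length of commands"): state what is actually rejected, for example that item_size_ok() now refuses nbytes < 2 and that conn_swallow treats a negative sbytes as finished. If the bug linked in the cover mail is the one tracking this CVE, add a Closes: for it so the upload closes it.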
diff --git a/debian/patches/09_CVE-2017-9951.patch 
b/debian/patches/09_CVE-2017-9951.patch
new file mode 100644
index 0000000..694ba42
--- /dev/null
+++ b/debian/patches/09_CVE-2017-9951.patch
@@ -0,0 +1,36 @@
+From: dormando <dorma...@rydia.net>
+Date: Tue, 4 Jul 2017 00:32:39 -0700
+Subject: [PATCH] sanity check (CVE-2017-9951)
+Origin: upstream, 
https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167
+
+---
+ items.c     | 2 ++
+ memcached.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/items.c b/items.c
+index 637e5e745..83a2ea37d 100644
+--- a/items.c
++++ b/items.c
+@@ -368,6 +368,8 @@ void item_free(item *it) {
+ bool item_size_ok(const size_t nkey, const int flags, const int nbytes) {
+     char prefix[40];
+     uint8_t nsuffix;
++    if (nbytes < 2)
++        return false;
+ 
+     size_t ntotal = item_make_header(nkey + 1, flags, nbytes,
+                                      prefix, &nsuffix);
+diff --git a/memcached.c b/memcached.c
+index 0f0335795..a89df965d 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) {
+ 
+         case conn_swallow:
+             /* we are reading sbytes and throwing them away */
+-            if (c->sbytes == 0) {
++            if (c->sbytes <= 0) {
+                 conn_set_state(c, conn_new_cmd);
+                 break;
+             }
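Review bot: In the items.c part, "if (nbytes < 2) return false;" uses a bare literal with no comment saying why lengths below 2 are invalid; add a one-line comment next to the check so the bound is not changed by mistake later. In the memcached.c part, "c->sbytes <= 0" now sends a negative count to conn_new_cmd without any log or counter, which is the safe outcome but leaves no trace that a malformed length was seen. The patch header carries only the subject "sanity check" with no Description of the input being guarded against, and no Bug-Debian field; both would help whoever reviews this series next.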
diff --git a/debian/patches/series b/debian/patches/series
index 8cedcba..af0b55e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 01_init_script_additions.patch
 04_add_init_retry.patch
 07_disable_tests.patch
+09_CVE-2017-9951.patch
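Review bot: The added entry is numbered 09 while the last existing entry is 07, so 08 is skipped; renumber it or note that the gap is deliberate. Since the series also lists a patch named 07_disable_tests.patch, the request should say how the fix was verified on stretch rather than relying on the package build.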
