Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46852
Backport the patch that is referenced by the NVD advisory. The test extension was not backported, because the modified testcase does not exist in the recipe version yet. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../memcached/memcached/CVE-2023-46852.patch | 68 +++++++++++++++++++ .../memcached/memcached_1.6.15.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch diff --git a/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch new file mode 100644 index 0000000000..d0b5db23b7 --- /dev/null +++ b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch 
@@ -0,0 +1,68 @@ +From 3e7027caf6b1eb79d3d98a77e17051b120c30b9b Mon Sep 17 00:00:00 2001 +From: dormando <[email protected]> +Date: Fri, 28 Jul 2023 10:32:16 -0700 +Subject: [PATCH] proxy: fix buffer overflow with multiget syntax + +"get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to +process multiget syntax. + +To exploit this you must first pass the check in try_read_command_proxy: +- The request before the first newline must be less than 1024 bytes. +- If it is more than 1024 bytes there is a limit of 100 spaces. +- The key length is still checked at 250 bytes +- Meaning you have up to 772 spaces and then the key to create stack + corruption. + +So the amount of data you can shove in here isn't unlimited. + +The fix caps the amount of data pre-key to be reasonable. Something like +GAT needs space for a 32bit TTL which is at most going to be 15 bytes + +spaces, so we limit it to 20 bytes. + +I hate hate hate hate hate the multiget syntax. hate it. + +CVE: CVE-2023-46852 +Upstream-Status: Backport [https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + proto_proxy.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/proto_proxy.c b/proto_proxy.c +index 6c028f4..94e38b6 100644 +--- a/proto_proxy.c ++++ b/proto_proxy.c +@@ -613,6 +613,12 @@ int proxy_run_coroutine(lua_State *Lc, mc_resp *resp, io_pending_proxy_t *p, con + return 0; + } + ++// basically any data before the first key. ++// max is like 15ish plus spaces. we can be more strict about how many spaces ++// to expect because any client spamming space is being deliberately stupid ++// anyway. 
++#define MAX_CMD_PREFIX 20 ++ + static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool multiget) { + assert(c != NULL); + LIBEVENT_THREAD *thr = c->thread; +@@ -670,12 +676,18 @@ static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool mu + if (!multiget && pr.cmd_type == CMD_TYPE_GET && pr.has_space) { + uint32_t keyoff = pr.tokens[pr.keytoken]; + while (pr.klen != 0) { +- char temp[KEY_MAX_LENGTH + 30]; ++ char temp[KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30]; + char *cur = temp; + // Core daemon can abort the entire command if one key is bad, but + // we cannot from the proxy. Instead we have to inject errors into + // the stream. This should, thankfully, be rare at least. +- if (pr.klen > KEY_MAX_LENGTH) { ++ if (pr.tokens[pr.keytoken] > MAX_CMD_PREFIX) { ++ if (!resp_start(c)) { ++ conn_set_state(c, conn_closing); ++ return; ++ } ++ proxy_out_errstring(c->resp, PROXY_CLIENT_ERROR, "malformed request"); ++ } else if (pr.klen > KEY_MAX_LENGTH) { + if (!resp_start(c)) { + conn_set_state(c, conn_closing); + return; diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.15.bb b/meta-networking/recipes-support/memcached/memcached_1.6.15.bb index 76e4768fb9..64065e8547 100644 --- a/meta-networking/recipes-support/memcached/memcached_1.6.15.bb +++ b/meta-networking/recipes-support/memcached/memcached_1.6.15.bb @@ -21,6 +21,7 @@ RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \ SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ file://memcached-add-hugetlbfs-check.patch \ + file://CVE-2023-46852.patch \ " SRC_URI[sha256sum] = "8d7abe3d649378edbba16f42ef1d66ca3f2ac075f2eb97145ce164388e6ed515"
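Review bot: the commit hash in the patch header's From line (3e7027caf6b1eb79d3d98a77e17051b120c30b9b) does not match the commit the Upstream-Status tag points at (76a6c363c18cfe7b6a1524ae64202ac9db330767). If one is the fix on master and the other its backport to a release branch, say so in the Upstream-Status line; otherwise make the two references agree, so the provenance of the backport can be checked against upstream.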
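Review bot: the comment above `#define MAX_CMD_PREFIX 20` ("max is like 15ish plus spaces") should carry the derivation the commit message gives, namely that a GAT command with a 32-bit TTL is at most 15 bytes plus separating spaces, so that whoever adds a command with a longer pre-key prefix later can see why 20 was chosen and re-check it.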
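Review bot: in the @@ -670 hunk the new check `if (pr.tokens[pr.keytoken] > MAX_CMD_PREFIX)` sits inside `while (pr.klen != 0)`, but neither operand changes between iterations, so a request with an over-long prefix gets one "malformed request" error injected per key instead of one per request. The `pr.klen > KEY_MAX_LENGTH` branch it mirrors is genuinely per-key, which is why that one belongs in the loop; the prefix test would be clearer hoisted above the loop (reject the whole multiget once and return), or the error path should break out of the loop after emitting the error.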
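To make the length arithmetic behind the fix concrete, here is a standalone C model of the per-key temporary described in the commit message and the hunk. It is an added example, not memcached's code or any part of the patch: the constants KEY_MAX_LENGTH, MAX_CMD_PREFIX and the two buffer sizes are taken from the hunk, while the assumption that the rewritten single-key request is prefix + key + "\r\n" (and so is what the temporary has to hold) is a modelling assumption. It shows that the old code bounded only the key and not the prefix, so with a maximum-length key any prefix longer than 28 bytes already exceeds the 280-byte temporary, and that after the fix the worst accepted case is 272 bytes into a 300-byte buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants as they appear in the patch: memcached's key limit and the new cap. */
#define KEY_MAX_LENGTH 250
#define MAX_CMD_PREFIX 20
/* Size of the per-key temporary before and after the fix, as in the hunk. */
#define TEMP_BUF_OLD (KEY_MAX_LENGTH + 30)
#define TEMP_BUF_NEW (KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30)

/* Position of the first key in a "get<spaces>key ...\r\n" request. keyoff is
 * the quantity the fix tests as pr.tokens[pr.keytoken]: everything before the
 * first key, command verb and spaces included. */
typedef struct {
    size_t keyoff;
    size_t klen;
} first_key_t;

static first_key_t find_first_key(const char *cmd, size_t cmdlen) {
    first_key_t r = {0, 0};
    size_t i = 0;
    while (i < cmdlen && cmd[i] != ' ') i++;        /* skip the verb */
    while (i < cmdlen && cmd[i] == ' ') i++;        /* skip the run of spaces */
    r.keyoff = i;
    while (i < cmdlen && cmd[i] != ' ' && cmd[i] != '\r' && cmd[i] != '\n') i++;
    r.klen = i - r.keyoff;
    return r;
}

/* Modelling assumption (not copied from memcached): the rewritten single-key
 * request is prefix + key + "\r\n", so that is what the temporary must hold. */
static size_t bytes_needed(first_key_t k) {
    return k.keyoff + k.klen + 2;
}

/* Pre-fix behaviour: only the key length was checked, so a long prefix could
 * push the rewritten request past the 280-byte temporary. */
static bool old_code_overflows(const char *cmd, size_t cmdlen) {
    first_key_t k = find_first_key(cmd, cmdlen);
    return k.klen <= KEY_MAX_LENGTH && bytes_needed(k) > TEMP_BUF_OLD;
}

/* Post-fix behaviour: the prefix check from the hunk runs before the key check. */
static bool fixed_code_accepts(const char *cmd, size_t cmdlen) {
    first_key_t k = find_first_key(cmd, cmdlen);
    if (k.keyoff > MAX_CMD_PREFIX) return false;   /* "malformed request" */
    if (k.klen > KEY_MAX_LENGTH) return false;     /* existing key-length error */
    return true;
}

/* Largest rewritten request the fixed code can ever accept. */
static size_t max_bytes_when_accepted(void) {
    return MAX_CMD_PREFIX + KEY_MAX_LENGTH + 2;
}

/* Constructed input for the demonstration: "get" + nspaces spaces + a key of
 * keylen 'k's + " other\r\n". Returns the request length, 0 if buf is too small. */
static size_t build_request(char *buf, size_t cap, size_t nspaces, size_t keylen) {
    static const char tail[] = " other\r\n";
    size_t n = 3 + nspaces + keylen + (sizeof tail - 1);
    if (n > cap) return 0;
    memcpy(buf, "get", 3);
    memset(buf + 3, ' ', nspaces);
    memset(buf + 3 + nspaces, 'k', keylen);
    memcpy(buf + 3 + nspaces + keylen, tail, sizeof tail - 1);
    return n;
}

int main(void) {
    char req[2048];
    size_t n = build_request(req, sizeof req, 100, KEY_MAX_LENGTH);
    first_key_t k = find_first_key(req, n);
    printf("prefix %zu, key %zu, needs %zu bytes; old buffer %d -> overflow: %s\n",
           k.keyoff, k.klen, bytes_needed(k), TEMP_BUF_OLD,
           old_code_overflows(req, n) ? "yes" : "no");
    printf("fixed proxy accepts it: %s\n", fixed_code_accepts(req, n) ? "yes" : "no");
    printf("worst case after fix: %zu bytes into a %d-byte buffer\n",
           max_bytes_when_accepted(), TEMP_BUF_NEW);
    return 0;
}
```

The model only does the bounds arithmetic; it never performs the unsafe copy. Note that the fix is deliberately stricter than the overflow boundary: a request such as "get" followed by 30 spaces and a 4-byte key fits the old temporary comfortably but is still rejected as malformed, which is the intent stated in the hunk's comment about clients spamming spaces.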
View/Reply Online (#124845): https://lists.openembedded.org/g/openembedded-devel/message/124845
