Hello community, here is the log from the commit of package memcached for openSUSE:Leap:15.2 checked in at 2020-05-26 18:32:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/memcached (Old) and /work/SRC/openSUSE:Leap:15.2/.memcached.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "memcached" Tue May 26 18:32:40 2020 rev:27 rq:808400 version:1.5.6 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/memcached/memcached.changes 2020-01-15 15:29:13.894704301 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.memcached.new.2738/memcached.changes 2020-05-26 18:32:53.349642476 +0200 @@ -1,0 +2,19 @@ +Tue Sep 3 12:33:46 UTC 2019 - [email protected] + +- security update +- run the testsuite +- added patches + CVE-2019-15026 [bsc#1149110] + + memcached-CVE-2019-15026.patch + new version of the test (from 1.5.17) + + memcached-lru-maintainer.t.patch + +------------------------------------------------------------------- +Thu May 2 10:29:04 UTC 2019 - [email protected] + +- security update +- added patches + CVE-2019-11596 [bsc#1133817] + + memcached-CVE-2019-11596.patch + +------------------------------------------------------------------- New: ---- memcached-CVE-2019-11596.patch memcached-CVE-2019-15026.patch memcached-lru-maintainer.t.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ memcached.spec ++++++ --- /var/tmp/diff_new_pack.9IUrHM/_old 2020-05-26 18:32:53.817643499 +0200 +++ /var/tmp/diff_new_pack.9IUrHM/_new 2020-05-26 18:32:53.821643507 +0200 @@ -36,6 +36,12 @@ Patch0: memcached-1.4.5.dif Patch1: memcached-autofoo.patch Patch2: memcached-use-endian_h.patch +# CVE-2019-11596 [bsc#1133817] +Patch3: memcached-CVE-2019-11596.patch +# CVE-2019-15026 [bsc#1149110] +Patch4: memcached-CVE-2019-15026.patch +# new version of the test (from 1.5.17) +Patch5: memcached-lru-maintainer.t.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: cyrus-sasl-devel @@ -84,6 +90,9 @@ %patch0 %patch1 %patch2 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build autoreconf -fi @@ -111,6 +120,9 @@ ln -s ../..%{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name} %endif +%check +make %{?_smp_mflags} test + %pre %{_sbindir}/groupadd -r %{name} >/dev/null 2>&1 || : %{_sbindir}/useradd -g %{name} -s /bin/false -r -c "user for %{name}" -d %{_localstatedir}/lib/%{name} %{name} >/dev/null 2>&1 || : ++++++ memcached-CVE-2019-11596.patch ++++++ diff --git a/memcached.c b/memcached.c index d64a83816..7fd3e40e1 100644 --- a/memcached.c +++ b/memcached.c @@ -4632,7 +4632,7 @@ static void process_lru_command(conn *c, token_t *tokens, const size_t ntokens) out_string(c, "OK"); } } - } else if (strcmp(tokens[1].value, "mode") == 0 && ntokens >= 3 && + } else if (strcmp(tokens[1].value, "mode") == 0 && ntokens >= 4 && settings.lru_maintainer_thread) { if (strcmp(tokens[2].value, "flat") == 0) { settings.lru_segmented = false; @@ -4643,7 +4643,7 @@ static void process_lru_command(conn *c, token_t *tokens, const size_t ntokens) } else { out_string(c, "ERROR"); } - } else if (strcmp(tokens[1].value, "temp_ttl") == 0 && ntokens >= 3 && + } else if (strcmp(tokens[1].value, "temp_ttl") == 0 && ntokens >= 4 && settings.lru_maintainer_thread) { if (!safe_strtol(tokens[2].value, &ttl)) { out_string(c, "ERROR"); ++++++ memcached-CVE-2019-15026.patch ++++++ Index: memcached-1.5.6/memcached.c =================================================================== --- memcached-1.5.6.orig/memcached.c 2019-09-03 12:01:54.762376784 +0200 +++ memcached-1.5.6/memcached.c 2019-09-03 12:24:51.486326057 +0200 @@ -3273,6 +3273,7 @@ static void conn_to_str(const conn *c, c struct sockaddr *addr = (void *)&c->request_addr; int af; unsigned short port = 0; + size_t pathlen = 0; /* For listen ports and idle UDP ports, show listen address */ if (c->state == conn_listening || @@ -3314,10 +3315,27 @@ static void conn_to_str(const conn *c, c break; case AF_UNIX: + // this strncpy call originally could piss off an address + // sanitizer; we supplied the size of the dest buf as a limiter, + // but optimized versions of strncpy could read past the end of + // *src while looking for a null terminator. Since buf and + // sun_path here are both on the stack they could even overlap, + // which is "undefined". In all OSS versions of strncpy I could + // find this has no effect; it'll still only copy until the first null + // terminator is found. Thus it's possible to get the OS to + // examine past the end of sun_path but it's unclear to me if this + // can cause any actual problem. + // + // We need a safe_strncpy util function but I'll punt on figuring + // that out for now. + pathlen = sizeof(((struct sockaddr_un *)addr)->sun_path); + if (MAXPATHLEN <= pathlen) { + pathlen = MAXPATHLEN - 1; + } strncpy(addr_text, ((struct sockaddr_un *)addr)->sun_path, - sizeof(addr_text) - 1); - addr_text[sizeof(addr_text)-1] = '\0'; + pathlen); + addr_text[pathlen] = '\0'; protoname = "unix"; break; } ++++++ memcached-lru-maintainer.t.patch ++++++ --- memcached-1.5.6/t/lru-maintainer.t 2017-09-19 21:46:21.000000000 +0200 +++ memcached-1.5.17/t/lru-maintainer.t 2019-04-28 02:18:53.000000000 +0200 @@ -56,6 +56,20 @@ for (my $key = 0; $key < 100; $key++) { # Items need two fetches to become active mem_get_is($sock, "canary", $value); mem_get_is($sock, "canary", $value); + $stats = mem_stats($sock); + # The maintainer thread needs to juggle a bit to actually rescue an + # item. If it's slow we could evict after resuming setting. + sleep 1; + for (0..4) { + my $s2 = mem_stats($sock); + if ($s2->{lru_maintainer_juggles} - $stats->{lru_maintainer_juggles} < 5) { + sleep 1; + next; + } + last; + } + $stats = mem_stats($sock, "items"); + isnt($stats->{"items:31:moves_to_warm"}, 0, "our canary moved to warm"); } print $sock "set key$key 0 0 66560\r\n$value\r\n"; is(scalar <$sock>, "STORED\r\n", "stored key$key"); @@ -64,8 +78,6 @@ for (my $key = 0; $key < 100; $key++) { { my $stats = mem_stats($sock); isnt($stats->{evictions}, 0, "some evictions happened"); - my $istats = mem_stats($sock, "items"); - isnt($istats->{"items:31:number_warm"}, 0, "our canary moved to warm"); use Data::Dumper qw/Dumper/; }
