Please see the attached debdiff.
Also, please note that I can't upload myself to security-master as I'm
not a DD nor DM.
On Tue, 01 Nov 2016 14:08:44 +0100 Salvatore Bonaccorso
wrote:
> Source: memcached
> Version: 1.4.31-1
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for memcached.
>
> CVE-2016-8706[0]:
> |Memcached Server SASL Authentication Remote Code Execution
> |Vulnerability
>
> It is easily reproducible with the TALOS reproducer when memcached
> has SASL authentication enabled and is running under valgrind to see
> the crash.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8706
> [1] http://www.talosintelligence.com/reports/TALOS-2016-0221/
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
>
--
Guillaume Delacour
diff -Nru memcached-1.4.21/debian/changelog memcached-1.4.21/debian/changelog
--- memcached-1.4.21/debian/changelog 2015-03-07 13:01:25.0 +
+++ memcached-1.4.21/debian/changelog 2016-11-03 02:14:20.0 +
@@ -1,3 +1,12 @@
+memcached (1.4.21-1.1+deb8u1) jessie-security; urgency=high
+
+ * CVE-2016-8704: Fix Append/Prepend Remote Code Execution (Closes: #842811)
+ * CVE-2016-8705: Fix Update Remote Code Execution (Closes: #842812)
+ * CVE-2016-8706: Fix SASL Authentication Remote Code Execution
+(Closes: #842814)
+
+ -- Guillaume Delacour Thu, 03 Nov 2016 02:26:55 +0100
+
memcached (1.4.21-1.1) unstable; urgency=medium
* Non-maintainer upload.
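Review bot: The three new changelog bullets do not say which patch carries the fixes. All three CVEs are addressed by the single file debian/patches/08_CVE-2016-8704_8705_8706.patch, so naming that file in the entry would let someone auditing the upload go from the changelog straight to the code change.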
diff -Nru memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch
memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch
--- memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch
1970-01-01 00:00:00.0 +
+++ memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch
2016-11-03 01:31:47.0 +
@@ -0,0 +1,50 @@
+From bd578fc34b96abe0f8d99c1409814a09f51ee71c Mon Sep 17 00:00:00 2001
+From: dormando
+Date: Wed, 12 Oct 2016 13:50:47 -0700
+Subject: [PATCH] CVE reported by cisco talos
+Origin: upstream,
+https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c
+Last-Update: 2016-11-03
+
+---
+ items.c | 3 +++
+ memcached.c | 10 --
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/items.c b/items.c
+index 9e6d921..a1cca4a 100644
+--- a/items.c
b/items.c
+@@ -148,6 +148,9 @@ item *do_item_alloc(char *key, const size_t nkey, const
unsigned int flags,
+ uint8_t nsuffix;
+ item *it = NULL;
+ char suffix[40];
++if (nbytes < 2 || nkey < 0)
++return 0;
++
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix,
);
+ if (settings.use_cas) {
+ ntotal += sizeof(uint64_t);
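Review bot: In the check added to do_item_alloc(), `nkey < 0` can never be true, because the signature in the hunk header declares nkey as `const size_t`, which is unsigned; only the `nbytes < 2` half of the condition does any work. Either drop the dead comparison or replace it with the upper bound on the key length that is actually intended. The function returns `item *`, so `return NULL;` would read more clearly than `return 0;`, and a one-line comment stating why nbytes must be at least 2 would help the next reader.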
+diff --git a/memcached.c b/memcached.c
+index dc1f636..ad423a0 100644
+--- a/memcached.c
b/memcached.c
+@@ -1997,10 +1997,16 @@ static bool authenticated(conn *c) {
+ static void dispatch_bin_command(conn *c) {
+ int protocol_error = 0;
+
+-int extlen = c->binary_header.request.extlen;
+-int keylen = c->binary_header.request.keylen;
++uint8_t extlen = c->binary_header.request.extlen;
++uint16_t keylen = c->binary_header.request.keylen;
+ uint32_t bodylen = c->binary_header.request.bodylen;
+
++if (keylen > bodylen || keylen + extlen > bodylen) {
++write_bin_error(c, PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND, NULL, 0);
++c->write_and_go = conn_closing;
++return;
++}
++
+ if (settings.sasl && !authenticated(c)) {
+ write_bin_error(c, PROTOCOL_BINARY_RESPONSE_AUTH_ERROR, NULL, 0);
+ c->write_and_go = conn_closing;
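Review bot: In the new length check in dispatch_bin_command(), `keylen > bodylen` is redundant: extlen is unsigned, so `keylen + extlen > bodylen` already covers it, and with uint16_t and uint8_t operands the sum cannot overflow after integer promotion. The single comparison is enough. The rejection also answers with PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND even though the opcode may be valid and only the header lengths are inconsistent; a status that signals invalid arguments, or a comment explaining the choice, would make these rejections easier to recognise in client and server logs. Placing the check ahead of the `settings.sasl && !authenticated(c)` test is right, since the lengths must be validated for unauthenticated requests too.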
diff -Nru memcached-1.4.21/debian/patches/series
memcached-1.4.21/debian/patches/series
--- memcached-1.4.21/debian/patches/series 2015-03-07 13:01:25.0
+
+++ memcached-1.4.21/debian/patches/series 2016-11-03 01:32:38.0
+
@@ -4,3 +4,4 @@
04_add_init_retry.patch
06_eol_comment_handling.patch
07_disable_tests.patch
+08_CVE-2016-8704_8705_8706.patch