Bug#842814: memcached: CVE-2016-8706

2016-11-02 Thread Salvatore Bonaccorso
Hi Guillaume,

On Thu, Nov 03, 2016 at 03:17:27AM +0100, Guillaume Delacour wrote:
> Please see attached the debdiff.
> Also, please note that I can't upload myself to security-master as I'm
> not a DD nor a DM.

I actually did that already earlier this week, but I have not yet released
the DSA text. Sorry for not noting it in the bug report.

Are you working on an unstable upload?

Regards,
Salvatore



Bug#842814: memcached: CVE-2016-8706

2016-11-02 Thread Guillaume Delacour
Please see attached the debdiff.
Also, please note that I can't upload myself to security-master as I'm
not a DD nor a DM.

On Tue, 01 Nov 2016 14:08:44 +0100 Salvatore Bonaccorso wrote:
> Source: memcached
> Version: 1.4.31-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for memcached.
> 
> CVE-2016-8706[0]:
> |Memcached Server SASL Authentication Remote Code Execution
> |Vulnerability
> 
> It is easily reproducible with the TALOS reproducer when memcached has
> SASL authentication enabled and is running under valgrind to see the
> crash.
> 
> If you fix the vulnerability, please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8706
> [1] http://www.talosintelligence.com/reports/TALOS-2016-0221/
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
> 

-- 
Guillaume Delacour
diff -Nru memcached-1.4.21/debian/changelog memcached-1.4.21/debian/changelog
--- memcached-1.4.21/debian/changelog   2015-03-07 13:01:25.0 +
+++ memcached-1.4.21/debian/changelog   2016-11-03 02:14:20.0 +
@@ -1,3 +1,12 @@
+memcached (1.4.21-1.1+deb8u1) jessie-security; urgency=high
+
+  * CVE-2016-8704: Fix Append/Prepend Remote Code Execution (Closes: #842811)
+  * CVE-2016-8705: Fix Update Remote Code Execution (Closes: #842812)
+  * CVE-2016-8706: Fix SASL Authentication Remote Code Execution
+(Closes: #842814)
+
+ -- Guillaume Delacour   Thu, 03 Nov 2016 02:26:55 +0100
+
 memcached (1.4.21-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
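Review bot: the three changelog entries name the CVEs but not the upstream change that fixes them; since the new debian/patches/08_CVE-2016-8704_8705_8706.patch is upstream commit bd578fc34b96abe0f8d99c1409814a09f51ee71c applied as one patch, add a line such as `* Apply upstream commit bd578fc (items.c, memcached.c) fixing all three Talos reports` so that a later backport to another suite can identify the fix without opening the patch.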
diff -Nru memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch 
memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch
--- memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch
1970-01-01 00:00:00.0 +
+++ memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch
2016-11-03 01:31:47.0 +
@@ -0,0 +1,50 @@
+From bd578fc34b96abe0f8d99c1409814a09f51ee71c Mon Sep 17 00:00:00 2001
+From: dormando 
+Date: Wed, 12 Oct 2016 13:50:47 -0700
+Subject: [PATCH] CVE reported by cisco talos
+Origin: upstream,
+https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c
+Last-Update: 2016-11-03
+
+---
+ items.c |  3 +++
+ memcached.c | 10 --
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
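Review bot: the DEP-3 header has Origin and Last-Update but no Description or Bug-Debian field, and the upstream Subject "CVE reported by cisco talos" names no CVE at all, so the only place the ids appear is the file name. Add `Description: Fix CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706 (Cisco Talos)` and `Bug-Debian: https://bugs.debian.org/842811, https://bugs.debian.org/842812, https://bugs.debian.org/842814` so the patch documents itself.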
+diff --git a/items.c b/items.c
+index 9e6d921..a1cca4a 100644
+--- a/items.c
 b/items.c
+@@ -148,6 +148,9 @@ item *do_item_alloc(char *key, const size_t nkey, const 
unsigned int flags,
+ uint8_t nsuffix;
+ item *it = NULL;
+ char suffix[40];
++if (nbytes < 2 || nkey < 0)
++return 0;
++
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix, 
);
+ if (settings.use_cas) {
+ ntotal += sizeof(uint64_t);
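Review bot: the `nkey < 0` clause in the new early return is dead code, because the hunk header shows the parameter as `const size_t nkey`; an unsigned value is never negative, so only `nbytes < 2` can ever fire, and gcc reports the comparison under -Wtype-limits. As this is upstream commit bd578fc applied verbatim, raise it upstream rather than diverging in the Debian patch, and confirm that every caller of do_item_alloc already treats a NULL return as allocation failure, since this path now returns 0 for input it previously tried to serve.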
+diff --git a/memcached.c b/memcached.c
+index dc1f636..ad423a0 100644
+--- a/memcached.c
 b/memcached.c
+@@ -1997,10 +1997,16 @@ static bool authenticated(conn *c) {
+ static void dispatch_bin_command(conn *c) {
+ int protocol_error = 0;
+ 
+-int extlen = c->binary_header.request.extlen;
+-int keylen = c->binary_header.request.keylen;
++uint8_t extlen = c->binary_header.request.extlen;
++uint16_t keylen = c->binary_header.request.keylen;
+ uint32_t bodylen = c->binary_header.request.bodylen;
+ 
++if (keylen > bodylen || keylen + extlen > bodylen) {
++write_bin_error(c, PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND, NULL, 0);
++c->write_and_go = conn_closing;
++return;
++}
++
+ if (settings.sasl && !authenticated(c)) {
+ write_bin_error(c, PROTOCOL_BINARY_RESPONSE_AUTH_ERROR, NULL, 0);
+ c->write_and_go = conn_closing;
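Review bot: in the new guard `keylen > bodylen || keylen + extlen > bodylen`, the first clause is implied by the second (extlen is a uint8_t, so `keylen + extlen` is never smaller than keylen); it is harmless, but either drop it or comment why both are kept. The placement is right: the check precedes the `settings.sasl && !authenticated(c)` branch, so a malformed SASL_AUTH header from an unauthenticated client is rejected before any command handler reads keylen or extlen, which is the path CVE-2016-8706 lives on. Narrowing extlen and keylen from int to uint8_t/uint16_t also matches the header field widths, so the sum is a small non-negative int and the comparison against the uint32_t bodylen is well-defined. Consider whether PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND is the right status for a length mismatch, or whether an invalid-arguments response would be clearer to clients.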
diff -Nru memcached-1.4.21/debian/patches/series 
memcached-1.4.21/debian/patches/series
--- memcached-1.4.21/debian/patches/series  2015-03-07 13:01:25.0 
+
+++ memcached-1.4.21/debian/patches/series  2016-11-03 01:32:38.0 
+
@@ -4,3 +4,4 @@
 04_add_init_retry.patch
 06_eol_comment_handling.patch
 07_disable_tests.patch
+08_CVE-2016-8704_8705_8706.patch


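The guard added to dispatch_bin_command in the memcached.c hunk of the debdiff above is easiest to reason about against the wire format it protects. The following C is an added example written for this page, not memcached's or the debdiff's code: it decodes the 24-byte binary protocol request header, computes the value length the protocol implies (bodylen minus extlen minus keylen), and applies the patch's keylen/extlen/bodylen consistency check to constructed SASL_AUTH headers, one well-formed and one whose key length exceeds the whole body. The header layout and the SASL_AUTH opcode 0x21 are the public memcached binary protocol; every function name and sample value here is the example's own.

```c
/* Added example written for this page, not memcached's or the debdiff's code:
 * decode a binary-protocol request header and apply the keylen/extlen/bodylen
 * guard from the memcached.c hunk to constructed SASL_AUTH headers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIN_HEADER_LEN 24
#define BIN_REQ_MAGIC  0x80   /* every request packet starts with 0x80 */
#define OP_SASL_AUTH   0x21   /* SASL_AUTH opcode */

/* The 24-byte request header; multi-byte fields are big-endian on the wire. */
typedef struct {
    uint8_t  magic;
    uint8_t  opcode;
    uint16_t keylen;
    uint8_t  extlen;
    uint8_t  datatype;
    uint16_t vbucket;
    uint32_t bodylen;   /* extras + key + value, per the protocol */
    uint32_t opaque;
    uint64_t cas;
} bin_req_header;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the buffer is short or not a request packet. */
int parse_bin_header(const uint8_t *buf, size_t len, bin_req_header *h) {
    if (len < BIN_HEADER_LEN || buf[0] != BIN_REQ_MAGIC) return -1;
    h->magic    = buf[0];
    h->opcode   = buf[1];
    h->keylen   = be16(buf + 2);
    h->extlen   = buf[4];
    h->datatype = buf[5];
    h->vbucket  = be16(buf + 6);
    h->bodylen  = be32(buf + 8);
    h->opaque   = be32(buf + 12);
    h->cas      = ((uint64_t)be32(buf + 16) << 32) | be32(buf + 20);
    return 0;
}

/* Value length as the protocol defines it, in a signed 64-bit type so a key
 * longer than the body shows up negative instead of wrapping; this is what an
 * unchecked command handler derives from the header. */
int64_t bin_value_len(const bin_req_header *h) {
    return (int64_t)h->bodylen - (int64_t)h->extlen - (int64_t)h->keylen;
}

/* The guard added to dispatch_bin_command: the body must hold the extras and
 * the key. Returns 1 when the header is consistent, 0 when it must be rejected. */
int bin_header_consistent(const bin_req_header *h) {
    uint32_t needed = (uint32_t)h->keylen + (uint32_t)h->extlen;
    return !(h->keylen > h->bodylen || needed > h->bodylen);
}

/* Constructed input: a SASL_AUTH header with the given key and body lengths
 * (SASL_AUTH carries no extras, so extlen stays 0). Returns the parse result. */
static int build_and_parse(uint16_t keylen, uint32_t bodylen, bin_req_header *h) {
    uint8_t buf[BIN_HEADER_LEN];
    memset(buf, 0, sizeof buf);
    buf[0]  = BIN_REQ_MAGIC;
    buf[1]  = OP_SASL_AUTH;
    buf[2]  = (uint8_t)(keylen >> 8);
    buf[3]  = (uint8_t)keylen;
    buf[8]  = (uint8_t)(bodylen >> 24);
    buf[9]  = (uint8_t)(bodylen >> 16);
    buf[10] = (uint8_t)(bodylen >> 8);
    buf[11] = (uint8_t)bodylen;
    return parse_bin_header(buf, sizeof buf, h);
}

/* 1 if the patched dispatcher accepts the header, 0 if it rejects it, -1 on parse failure. */
int sasl_header_accepted(uint16_t keylen, uint32_t bodylen) {
    bin_req_header h;
    return build_and_parse(keylen, bodylen, &h) == 0 ? bin_header_consistent(&h) : -1;
}

/* The value length a handler would compute from the same header (0 on parse failure). */
int64_t sasl_value_len(uint16_t keylen, uint32_t bodylen) {
    bin_req_header h;
    return build_and_parse(keylen, bodylen, &h) == 0 ? bin_value_len(&h) : 0;
}

int main(void) {
    /* Well-formed: 5-byte mechanism name plus 16 bytes of SASL data. */
    printf("keylen=5 bodylen=21: accepted=%d value_len=%lld\n",
           sasl_header_accepted(5, 21), (long long)sasl_value_len(5, 21));
    /* Malformed: key longer than the whole body, so the value length goes negative. */
    printf("keylen=5 bodylen=2:  accepted=%d value_len=%lld\n",
           sasl_header_accepted(5, 2), (long long)sasl_value_len(5, 2));
    return 0;
}
```

Build with `cc -Wall -Wextra -o binhdr binhdr.c` and run it: the malformed header yields value_len=-3, which is the kind of value an unchecked dispatcher would have handed on to the SASL handler, while bin_header_consistent rejects it up front. Note what the check does not do: it only establishes that the extras and key fit inside bodylen and puts no upper bound on bodylen itself, so it complements rather than replaces the other size limits in the server.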


Bug#842814: memcached: CVE-2016-8706

2016-11-01 Thread Salvatore Bonaccorso
Source: memcached
Version: 1.4.31-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for memcached.

CVE-2016-8706[0]:
|Memcached Server SASL Authentication Remote Code Execution
|Vulnerability

It is easily reproducible with the TALOS reproducer when memcached has
SASL authentication enabled and is running under valgrind to see the
crash.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8706
[1] http://www.talosintelligence.com/reports/TALOS-2016-0221/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore