Bug#733643: memcached: diff for NMU version 1.4.13-0.3

2014-01-01 Thread Salvatore Bonaccorso
Control: tags 706426 + patch pending
Control: tags 733643 + patch pending

Dear maintainer,

I've prepared an NMU for memcached (versioned as 1.4.13-0.3) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru memcached-1.4.13/debian/changelog memcached-1.4.13/debian/changelog
--- memcached-1.4.13/debian/changelog	2013-01-23 21:22:12.0 +0100
+++ memcached-1.4.13/debian/changelog	2014-01-01 15:37:36.0 +0100
@@ -1,3 +1,15 @@
+memcached (1.4.13-0.3) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add 06_CVE-2011-4971.patch patch.
+CVE-2011-4971: Fix remote denial of service. Sending a specially
+crafted packet cause memcached to segfault. (Closes: #706426)
+  * Add 07_CVE-2013-7239.patch patch.
+CVE-2013-7239: SASL authentication allows wrong credentials to access
+memcache. (Closes: #733643)
+
+ -- Salvatore Bonaccorso car...@debian.org  Mon, 30 Dec 2013 17:47:44 +0100
+
 memcached (1.4.13-0.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch
--- memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch	1970-01-01 01:00:00.0 +0100
+++ memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch	2014-01-01 15:37:36.0 +0100
@@ -0,0 +1,54 @@
+Description: Fix segfault on specially crafted packet
+ CVE-2011-4971: remote denial of service
+Origin: upstream, http://github.com/memcached/memcached/commit/6695ccbc525c36d693aaa3e8337b36aa0c784424
+Bug: https://code.google.com/p/memcached/issues/detail?id=192
+Bug-Debian: http://bugs.debian.org/706426
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=957964
+Forwarded: not-needed
+Author: Huzaifa Sidhpurwala huzai...@redhat.com
+Reviewed-by: Salvatore Bonaccorso car...@debian.org
+Last-Update: 2013-12-29
+Applied-Upstream: 1.4.16
+
+--- a/memcached.c
 b/memcached.c
+@@ -3874,6 +3874,16 @@
+ complete_nread(c);
+ break;
+ }
++
++/* Check if rbytes  0, to prevent crash */
++if (c-rlbytes  0) {
++if (settings.verbose) {
++fprintf(stderr, Invalid rlbytes to read: len %d\n, c-rlbytes);
++}
++conn_set_state(c, conn_closing);
++break;
++}
++
+ /* first check if we have leftovers in the conn_read buffer */
+ if (c-rbytes  0) {
+ int tocopy = c-rbytes  c-rlbytes ? c-rlbytes : c-rbytes;
+--- /dev/null
 b/t/issue_192.t
+@@ -0,0 +1,20 @@
++#!/usr/bin/perl
++
++use strict;
++use Test::More tests = 2;
++use FindBin qw($Bin);
++use lib $Bin/lib;
++use MemcachedTest;
++
++my $server = new_memcached();
++my $sock = $server-sock;
++
++ok($server-new_sock, opened new socket);
++
++print $sock \x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00;
++
++sleep 0.5;
++ok($server-new_sock, failed to open new socket);
++
++
++
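Review bot: The comment on the added guard in memcached.c names `rbytes`, but the condition beneath it tests `c->rlbytes` (the archive has dropped the `<`, `>` and quote characters, so the guard presumably reads `if (c->rlbytes < 0)`); the comment should name the field actually checked, e.g. `/* Reject a negative rlbytes before it is used as a copy length */`. The guard sits where the value is consumed, and the code that derives rlbytes from the request header is outside this hunk, so it is worth confirming that no other consumer can see a negative length. In t/issue_192.t, `sleep 0.5;` uses Perl's built-in sleep, which takes whole seconds, so the pause is likely zero unless `Time::HiRes` supplies `sleep`; adding `use Time::HiRes qw(sleep);` would make the delay real. The second `ok(...)` label, `failed to open new socket`, reads as a failure although the assertion expects the connection to succeed. The same patch file appears unchanged in the earlier debdiff further down the page.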
diff -Nru memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch
--- memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch	1970-01-01 01:00:00.0 +0100
+++ memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch	2014-01-01 15:37:36.0 +0100
@@ -0,0 +1,122 @@
+Description: CVE-2013-7239: SASL authentication allows wrong credentials to access memcache
+ It was previously possible to bypass authentication due to implicit
+ state management.  Now we explicitly consider ourselves
+ unauthenticated on any new connections and authentication attempts.
+Origin: upstream, https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32
+Bug: https://code.google.com/p/memcached/issues/detail?id=316
+Bug-Debian: http://bugs.debian.org/733643
+Forwarded: not-needed
+Last-Update: 2013-12-30
+Applied-Upstream: 1.4.17
+
+--- a/memcached.c
 b/memcached.c
+@@ -442,6 +442,7 @@
+ c-iovused = 0;
+ c-msgcurr = 0;
+ c-msgused = 0;
++c-authenticated = false;
+ 
+ c-write_and_go = init_state;
+ c-write_and_free = 0;
+@@ -1602,6 +1603,8 @@
+ if (!settings.sasl)
+ return;
+ 
++c-authenticated = false;
++
+ if (!c-sasl_conn) {
+ int result=sasl_server_new(memcached,
+NULL,
+@@ -1736,6 +1739,7 @@
+ 
+ switch(result) {
+ case SASL_OK:
++c-authenticated = true;
+ write_bin_response(c, Authenticated, 0, 0, strlen(Authenticated));
+ pthread_mutex_lock(c-thread-stats.mutex);
+ c-thread-stats.auth_cmds++;
+@@ -1772,11 +1776,7 @@
+ rv = true;
+ break;
+ default:
+-if (c-sasl_conn) {
+-const void *uname = NULL;
+- 

Bug#733643: memcached: diff for NMU version 1.4.13-0.3

2013-12-30 Thread Salvatore Bonaccorso
Hi

Attached is a preliminary debdiff for fixing both issues.

Regards,
Salvatore
diff -Nru memcached-1.4.13/debian/changelog memcached-1.4.13/debian/changelog
--- memcached-1.4.13/debian/changelog	2013-01-23 21:22:12.0 +0100
+++ memcached-1.4.13/debian/changelog	2013-12-30 17:58:45.0 +0100
@@ -1,3 +1,15 @@
+memcached (1.4.13-0.3) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add 06_CVE-2011-4971.patch patch.
+CVE-2011-4971: Fix remote denial of service. Sending a specially
+crafted packet cause memcached to segfault. (Closes: #706426)
+  * Add 07_CVE-2013-7239.patch patch.
+CVE-2013-7239: SASL authentication allows wrong credentials to access
+memcache. (Closes: #733643)
+
+ -- Salvatore Bonaccorso car...@debian.org  Mon, 30 Dec 2013 17:47:44 +0100
+
 memcached (1.4.13-0.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch
--- memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch	1970-01-01 01:00:00.0 +0100
+++ memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch	2013-12-30 17:58:45.0 +0100
@@ -0,0 +1,54 @@
+Description: Fix segfault on specially crafted packet
+ CVE-2011-4971: remote denial of service
+Origin: upstream, http://github.com/memcached/memcached/commit/6695ccbc525c36d693aaa3e8337b36aa0c784424
+Bug: https://code.google.com/p/memcached/issues/detail?id=192
+Bug-Debian: http://bugs.debian.org/706426
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=957964
+Forwarded: not-needed
+Author: Huzaifa Sidhpurwala huzai...@redhat.com
+Reviewed-by: Salvatore Bonaccorso car...@debian.org
+Last-Update: 2013-12-29
+Applied-Upstream: 1.4.16
+
+--- a/memcached.c
 b/memcached.c
+@@ -3874,6 +3874,16 @@
+ complete_nread(c);
+ break;
+ }
++
++/* Check if rbytes  0, to prevent crash */
++if (c-rlbytes  0) {
++if (settings.verbose) {
++fprintf(stderr, Invalid rlbytes to read: len %d\n, c-rlbytes);
++}
++conn_set_state(c, conn_closing);
++break;
++}
++
+ /* first check if we have leftovers in the conn_read buffer */
+ if (c-rbytes  0) {
+ int tocopy = c-rbytes  c-rlbytes ? c-rlbytes : c-rbytes;
+--- /dev/null
 b/t/issue_192.t
+@@ -0,0 +1,20 @@
++#!/usr/bin/perl
++
++use strict;
++use Test::More tests = 2;
++use FindBin qw($Bin);
++use lib $Bin/lib;
++use MemcachedTest;
++
++my $server = new_memcached();
++my $sock = $server-sock;
++
++ok($server-new_sock, opened new socket);
++
++print $sock \x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00;
++
++sleep 0.5;
++ok($server-new_sock, failed to open new socket);
++
++
++
diff -Nru memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch
--- memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch	1970-01-01 01:00:00.0 +0100
+++ memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch	2013-12-30 17:58:45.0 +0100
@@ -0,0 +1,122 @@
+Description: CVE-2013-7239: SASL authentication allows wrong credentials to access memcache
+ It was previously possible to bypass authentication due to implicit
+ state management.  Now we explicitly consider ourselves
+ unauthenticated on any new connections and authentication attempts.
+Origin: upstream, https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32
+Bug: https://code.google.com/p/memcached/issues/detail?id=316
+Bug-Debian: http://bugs.debian.org/733643
+Forwarded: not-needed
+Last-Update: 2013-12-30
+Applied-Upstream: 1.4.17
+
+--- a/memcached.c
 b/memcached.c
+@@ -442,6 +442,7 @@
+ c-iovused = 0;
+ c-msgcurr = 0;
+ c-msgused = 0;
++c-authenticated = false;
+ 
+ c-write_and_go = init_state;
+ c-write_and_free = 0;
+@@ -1602,6 +1603,8 @@
+ if (!settings.sasl)
+ return;
+ 
++c-authenticated = false;
++
+ if (!c-sasl_conn) {
+ int result=sasl_server_new(memcached,
+NULL,
+@@ -1736,6 +1739,7 @@
+ 
+ switch(result) {
+ case SASL_OK:
++c-authenticated = true;
+ write_bin_response(c, Authenticated, 0, 0, strlen(Authenticated));
+ pthread_mutex_lock(c-thread-stats.mutex);
+ c-thread-stats.auth_cmds++;
+@@ -1772,11 +1776,7 @@
+ rv = true;
+ break;
+ default:
+-if (c-sasl_conn) {
+-const void *uname = NULL;
+-sasl_getprop(c-sasl_conn, SASL_USERNAME, uname);
+-rv = uname != NULL;
+-}
++rv = c-authenticated;
+ }
+ 
+ if (settings.verbose  1) {