Bug#733643: memcached: diff for NMU version 1.4.13-0.3
Control: tags 706426 + patch pending Control: tags 733643 + patch pending Dear maintainer, I've prepared an NMU for memcached (versioned as 1.4.13-0.3) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore diff -Nru memcached-1.4.13/debian/changelog memcached-1.4.13/debian/changelog --- memcached-1.4.13/debian/changelog 2013-01-23 21:22:12.0 +0100 +++ memcached-1.4.13/debian/changelog 2014-01-01 15:37:36.0 +0100 @@ -1,3 +1,15 @@ +memcached (1.4.13-0.3) unstable; urgency=high + + * Non-maintainer upload. + * Add 06_CVE-2011-4971.patch patch. +CVE-2011-4971: Fix remote denial of service. Sending a specially +crafted packet cause memcached to segfault. (Closes: #706426) + * Add 07_CVE-2013-7239.patch patch. +CVE-2013-7239: SASL authentication allows wrong credentials to access +memcache. (Closes: #733643) + + -- Salvatore Bonaccorso car...@debian.org Mon, 30 Dec 2013 17:47:44 +0100 + memcached (1.4.13-0.2) unstable; urgency=low * Non-maintainer upload. diff -Nru memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch --- memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch 1970-01-01 01:00:00.0 +0100 +++ memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch 2014-01-01 15:37:36.0 +0100 
@@ -0,0 +1,54 @@ +Description: Fix segfault on specially crafted packet + CVE-2011-4971: remote denial of service +Origin: upstream, http://github.com/memcached/memcached/commit/6695ccbc525c36d693aaa3e8337b36aa0c784424 +Bug: https://code.google.com/p/memcached/issues/detail?id=192 +Bug-Debian: http://bugs.debian.org/706426 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=957964 +Forwarded: not-needed +Author: Huzaifa Sidhpurwala huzai...@redhat.com +Reviewed-by: Salvatore Bonaccorso car...@debian.org +Last-Update: 2013-12-29 +Applied-Upstream: 1.4.16 + +--- a/memcached.c b/memcached.c +@@ -3874,6 +3874,16 @@ + complete_nread(c); + break; + } ++ ++/* Check if rbytes 0, to prevent crash */ ++if (c-rlbytes 0) { ++if (settings.verbose) { ++fprintf(stderr, Invalid rlbytes to read: len %d\n, c-rlbytes); ++} ++conn_set_state(c, conn_closing); ++break; ++} ++ + /* first check if we have leftovers in the conn_read buffer */ + if (c-rbytes 0) { + int tocopy = c-rbytes c-rlbytes ? c-rlbytes : c-rbytes; +--- /dev/null b/t/issue_192.t +@@ -0,0 +1,20 @@ ++#!/usr/bin/perl ++ ++use strict; ++use Test::More tests = 2; ++use FindBin qw($Bin); ++use lib $Bin/lib; ++use MemcachedTest; ++ ++my $server = new_memcached(); ++my $sock = $server-sock; ++ ++ok($server-new_sock, opened new socket); ++ ++print $sock \x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00; ++ ++sleep 0.5; ++ok($server-new_sock, failed to open new socket); ++ ++ ++ diff -Nru memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch --- memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch 1970-01-01 01:00:00.0 +0100 +++ memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch 2014-01-01 15:37:36.0 +0100 
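Review bot: In the added t/issue_192.t, `sleep 0.5;` calls Perl's built-in sleep, which takes whole seconds and truncates 0.5 to 0, so the second `new_sock` check can run before the server has handled the malformed packet and the regression test may pass without exercising the fix. Adding `use Time::HiRes qw(sleep);` would make the half-second pause real. The second assertion succeeds when the socket opens, yet its description reads "failed to open new socket"; a description such as `ok($server->new_sock, "server still accepts connections after malformed packet");` would match what is checked. In the memcached.c part the new comment names rbytes while the guard tests `c->rlbytes` (the comparison operators appear to have been stripped by the archive rendering), so the comment should name rlbytes. The same hunk is repeated in the second message on this page.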
@@ -0,0 +1,122 @@ +Description: CVE-2013-7239: SASL authentication allows wrong credentials to access memcache + It was previously possible to bypass authentication due to implicit + state management. Now we explicitly consider ourselves + unauthenticated on any new connections and authentication attempts. +Origin: upstream, https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32 +Bug: https://code.google.com/p/memcached/issues/detail?id=316 +Bug-Debian: http://bugs.debian.org/733643 +Forwarded: not-needed +Last-Update: 2013-12-30 +Applied-Upstream: 1.4.17 + +--- a/memcached.c b/memcached.c +@@ -442,6 +442,7 @@ + c-iovused = 0; + c-msgcurr = 0; + c-msgused = 0; ++c-authenticated = false; + + c-write_and_go = init_state; + c-write_and_free = 0; +@@ -1602,6 +1603,8 @@ + if (!settings.sasl) + return; + ++c-authenticated = false; ++ + if (!c-sasl_conn) { + int result=sasl_server_new(memcached, +NULL, +@@ -1736,6 +1739,7 @@ + + switch(result) { + case SASL_OK: ++c-authenticated = true; + write_bin_response(c, Authenticated, 0, 0, strlen(Authenticated)); + pthread_mutex_lock(c-thread-stats.mutex); + c-thread-stats.auth_cmds++; +@@ -1772,11 +1776,7 @@ + rv = true; + break; + default: +-if (c-sasl_conn) { +-const void *uname = NULL; +-
Bug#733643: memcached: diff for NMU version 1.4.13-0.3
Hi Attached is a preliminary debdiff for fixing both issues. Regards, Salvatore diff -Nru memcached-1.4.13/debian/changelog memcached-1.4.13/debian/changelog --- memcached-1.4.13/debian/changelog 2013-01-23 21:22:12.0 +0100 +++ memcached-1.4.13/debian/changelog 2013-12-30 17:58:45.0 +0100 @@ -1,3 +1,15 @@ +memcached (1.4.13-0.3) unstable; urgency=high + + * Non-maintainer upload. + * Add 06_CVE-2011-4971.patch patch. +CVE-2011-4971: Fix remote denial of service. Sending a specially +crafted packet cause memcached to segfault. (Closes: #706426) + * Add 07_CVE-2013-7239.patch patch. +CVE-2013-7239: SASL authentication allows wrong credentials to access +memcache. (Closes: #733643) + + -- Salvatore Bonaccorso car...@debian.org Mon, 30 Dec 2013 17:47:44 +0100 + memcached (1.4.13-0.2) unstable; urgency=low * Non-maintainer upload. diff -Nru memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch --- memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch 1970-01-01 01:00:00.0 +0100 +++ memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch 2013-12-30 17:58:45.0 +0100 
@@ -0,0 +1,54 @@ +Description: Fix segfault on specially crafted packet + CVE-2011-4971: remote denial of service +Origin: upstream, http://github.com/memcached/memcached/commit/6695ccbc525c36d693aaa3e8337b36aa0c784424 +Bug: https://code.google.com/p/memcached/issues/detail?id=192 +Bug-Debian: http://bugs.debian.org/706426 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=957964 +Forwarded: not-needed +Author: Huzaifa Sidhpurwala huzai...@redhat.com +Reviewed-by: Salvatore Bonaccorso car...@debian.org +Last-Update: 2013-12-29 +Applied-Upstream: 1.4.16 + +--- a/memcached.c b/memcached.c +@@ -3874,6 +3874,16 @@ + complete_nread(c); + break; + } ++ ++/* Check if rbytes 0, to prevent crash */ ++if (c-rlbytes 0) { ++if (settings.verbose) { ++fprintf(stderr, Invalid rlbytes to read: len %d\n, c-rlbytes); ++} ++conn_set_state(c, conn_closing); ++break; ++} ++ + /* first check if we have leftovers in the conn_read buffer */ + if (c-rbytes 0) { + int tocopy = c-rbytes c-rlbytes ? c-rlbytes : c-rbytes; +--- /dev/null b/t/issue_192.t +@@ -0,0 +1,20 @@ ++#!/usr/bin/perl ++ ++use strict; ++use Test::More tests = 2; ++use FindBin qw($Bin); ++use lib $Bin/lib; ++use MemcachedTest; ++ ++my $server = new_memcached(); ++my $sock = $server-sock; ++ ++ok($server-new_sock, opened new socket); ++ ++print $sock \x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00; ++ ++sleep 0.5; ++ok($server-new_sock, failed to open new socket); ++ ++ ++ diff -Nru memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch --- memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch 1970-01-01 01:00:00.0 +0100 +++ memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch 2013-12-30 17:58:45.0 +0100 
@@ -0,0 +1,122 @@ +Description: CVE-2013-7239: SASL authentication allows wrong credentials to access memcache + It was previously possible to bypass authentication due to implicit + state management. Now we explicitly consider ourselves + unauthenticated on any new connections and authentication attempts. +Origin: upstream, https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32 +Bug: https://code.google.com/p/memcached/issues/detail?id=316 +Bug-Debian: http://bugs.debian.org/733643 +Forwarded: not-needed +Last-Update: 2013-12-30 +Applied-Upstream: 1.4.17 + +--- a/memcached.c b/memcached.c +@@ -442,6 +442,7 @@ + c-iovused = 0; + c-msgcurr = 0; + c-msgused = 0; ++c-authenticated = false; + + c-write_and_go = init_state; + c-write_and_free = 0; +@@ -1602,6 +1603,8 @@ + if (!settings.sasl) + return; + ++c-authenticated = false; ++ + if (!c-sasl_conn) { + int result=sasl_server_new(memcached, +NULL, +@@ -1736,6 +1739,7 @@ + + switch(result) { + case SASL_OK: ++c-authenticated = true; + write_bin_response(c, Authenticated, 0, 0, strlen(Authenticated)); + pthread_mutex_lock(c-thread-stats.mutex); + c-thread-stats.auth_cmds++; +@@ -1772,11 +1776,7 @@ + rv = true; + break; + default: +-if (c-sasl_conn) { +-const void *uname = NULL; +-sasl_getprop(c-sasl_conn, SASL_USERNAME, uname); +-rv = uname != NULL; +-} ++rv = c-authenticated; + } + + if (settings.verbose 1) {