[Additional Sponsor note]
---
Xenial
---
Rejected:
File libmemcached_1.0.18-4.1ubuntu1.debian.tar.xz already exists in Primary
Archive for Ubuntu, but uploaded version has different contents. See more
information about this error in
https://help.launchpad.net/Packaging/UploadErrors.
Files specified in DSC are broken or missing, skipping package unpack
verification.
---
I had to bump the version for Xenial from "1.0.18-4ubuntu1" to
"1.0.18-4ubuntu2".
"1.0.18-4ubuntu1" was already uploaded/built back in 2015 and got
superseded/deleted for some reasons that I am not aware of, and therefore
can't be used again.
# https://launchpad.net/ubuntu/+source/libmemcached/+publishinghistory
Date                     Status      Target  Pocket    Component  Section  Version
2015-12-12 11:54:14 EST  Superseded  Xenial  release   main       libs     1.0.18-4ubuntu1
2015-12-13 13:10:09 EST  Deleted     Xenial  proposed  main       libs     1.0.18-4ubuntu1
# Approved upload:
[ubuntu/xenial-proposed] libmemcached 1.0.18-4.1ubuntu2 (Waiting for approval)
--
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1573594
Title:
Missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS
response handling
Status in libmemcached:
New
Status in libmemcached package in Ubuntu:
Fix Released
Status in libmemcached source package in Trusty:
In Progress
Status in libmemcached source package in Xenial:
In Progress
Status in libmemcached source package in Bionic:
In Progress
Status in libmemcached source package in Cosmic:
In Progress
Status in libmemcached source package in Disco:
Fix Released
Status in libmemcached package in Debian:
New
Bug description:
[Impact]
When connecting to a server using SASL,
memcached_sasl_authenticate_connection() reads the list of supported
mechanisms [1] from the server via the command
PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string
containing supported authentication mechanisms, which gets stored into
the (uninitialized) destination buffer without null termination [2].
The buffer then gets passed to sasl_client_start [3] which treats it
as a null-terminated string [4], reading uninitialised bytes in the
buffer.
As the buffer lives on the stack, an attacker that can put strings on
the stack before the connection gets made might be able to tamper
with the authentication.
[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[3] libmemcached/sasl.cc:231
[4] http://linux.die.net/man/3/sasl_client_start
[Test Case]
This bug is difficult to reproduce since it depends on the contents of the
stack.
However, here is a test case using the fix on Bionic that shows that this fix
does not cause any problems.
For testing you need:
1) A memcached server.
You can set one up by following the instructions in [1],
or (what I did) create one in the cloud [2].
2) A client test program to connect to the memcached server.
One can be found in [3].
This simple test connects to a memcached server and tests basic get/set
operations.
Copy and paste the C code into a file (sasl_test.c) and compile with:
gcc -o sasl_test -O2 sasl_test.c -lmemcached -pthread
3) On a machine with the updated version of libmemcached in which the fix is
applied:
jo@bionic-vm:~$ dpkg -l | grep libmemcached
ii  libhashkit-dev:amd64     1.0.18-4.2ubuntu0.18.04.1  amd64  libmemcached hashing functions and algorithms (development files)
ii  libhashkit2:amd64        1.0.18-4.2ubuntu0.18.04.1  amd64  libmemcached hashing functions and algorithms
ii  libmemcached-dbg:amd64   1.0.18-4.2ubuntu0.18.04.1  amd64  Debug Symbols for libmemcached
ii  libmemcached-dev:amd64   1.0.18-4.2ubuntu0.18.04.1  amd64  C and C++ client library to the memcached server (development files)
ii  libmemcached-tools       1.0.18-4.2ubuntu0.18.04.1  amd64  Commandline tools for talking to memcached via libmemcached
ii  libmemcached11:amd64     1.0.18-4.2ubuntu0.18.04.1  amd64  C and C++ client library to the memcached server
ii  libmemcachedutil2:amd64  1.0.18-4.2ubuntu0.18.04.1  amd64  library implementing connection pooling for libmemcached
Run the sasl_test binary:
#./sasl_test [username] [password] [server]
In my case using the credentials and the server created in step 1 :
jo@bionic-vm:~$ ./sasl_test 88BAB0 1A99094B77C8935ED9F1461C767DB1F9
mc2.dev.eu.ec2.memcachier.com
Get/Set success!
[1] https://blog.couchbase.com/sasl-memcached-now-available/
[2] https://www.memcachier.com/
[3]
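
Added illustration of the [Impact] section above. It is not part of the bug report, not libmemcached code, not the Ubuntu patch, and not the test program referenced as [3]. It contrasts copying a length-delimited response body into a stack buffer without a terminator against a bounded, terminated copy. MECH_BUF, all function names and the sample body are assumptions, and the stale bytes are pre-filled (with a final NUL) so that the demo stays within defined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define MECH_BUF 64 /* assumed size of the mechanism-list buffer */

/* Stand-in for an uninitialised stack slot: constructed stale bytes, NUL at the end. */
static void fill_stale(char *buf, size_t cap) {
    memset(buf, 'X', cap - 1);
    buf[cap - 1] = '\0';
}

/* Pattern from the report: body bytes stored, no terminator (demo keeps len < MECH_BUF). */
static void copy_unterminated(char *dst, const char *body, size_t len) {
    memcpy(dst, body, len);
}

/* Hardened: refuse a body that leaves no room for the terminator, then terminate. */
static int copy_terminated(char *dst, size_t cap, const char *body, size_t len) {
    if (cap == 0 || len >= cap) return -1;
    memcpy(dst, body, len);
    dst[len] = '\0';
    return 0;
}

/* Length a C-string consumer (such as sasl_client_start) would see in each case. */
static size_t seen_len_vulnerable(const char *body, size_t len) {
    char mech[MECH_BUF];
    fill_stale(mech, sizeof mech);
    copy_unterminated(mech, body, len);
    return strlen(mech); /* runs on into the stale bytes */
}

static size_t seen_len_hardened(const char *body, size_t len) {
    char mech[MECH_BUF];
    fill_stale(mech, sizeof mech);
    if (copy_terminated(mech, sizeof mech, body, len) != 0) return (size_t)-1;
    return strlen(mech); /* stops at the end of the body */
}

int main(void) {
    const char body[] = "CRAM-MD5 PLAIN"; /* constructed body: 14 bytes on the wire, no NUL */
    printf("vulnerable sees %zu bytes\n", seen_len_vulnerable(body, 14));
    printf("hardened sees   %zu bytes\n", seen_len_hardened(body, 14));
    return 0;
}
```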