Please see attached the debdiff. Also, please note that I can't upload myself to security-master as I'm not a DD nor DM.

On Tue, 01 Nov 2016 14:08:44 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: memcached
> Version: 1.4.31-1
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for memcached.
>
> CVE-2016-8706[0]:
> |Memcached Server SASL Authentication Remote Code Execution
> |Vulnerability
>
> It is easily reproducible with the TALOS reproducer when memcached
> enabled SASL authentication and running under valgrind to see the
> crash.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8706
> [1] http://www.talosintelligence.com/reports/TALOS-2016-0221/
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
>

--
Guillaume Delacour

diff -Nru memcached-1.4.21/debian/changelog memcached-1.4.21/debian/changelog --- memcached-1.4.21/debian/changelog 2015-03-07 13:01:25.000000000 +0000 +++ memcached-1.4.21/debian/changelog 2016-11-03 02:14:20.000000000 +0000 @@ -1,3 +1,12 @@ +memcached (1.4.21-1.1+deb8u1) jessie-security; urgency=high + + * CVE-2016-8704: Fix Append/Prepend Remote Code Execution (Closes: #842811) + * CVE-2016-8705: Fix Update Remote Code Execution (Closes: #842812) + * CVE-2016-8706: Fix SASL Authentication Remote Code Execution + (Closes: #842814) + + -- Guillaume Delacour <g...@iroqwa.org> Thu, 03 Nov 2016 02:26:55 +0100 + memcached (1.4.21-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch --- memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch 1970-01-01 00:00:00.000000000 +0000 +++ memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch 2016-11-03 01:31:47.000000000 +0000 
@@ -0,0 +1,50 @@ +From bd578fc34b96abe0f8d99c1409814a09f51ee71c Mon Sep 17 00:00:00 2001 +From: dormando <dorma...@rydia.net> +Date: Wed, 12 Oct 2016 13:50:47 -0700 +Subject: [PATCH] CVE reported by cisco talos +Origin: upstream, +https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c +Last-Update: 2016-11-03 + +--- + items.c | 3 +++ + memcached.c | 10 ++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/items.c b/items.c +index 9e6d921..a1cca4a 100644 +--- a/items.c ++++ b/items.c +@@ -148,6 +148,9 @@ item *do_item_alloc(char *key, const size_t nkey, const unsigned int flags, + uint8_t nsuffix; + item *it = NULL; + char suffix[40]; ++ if (nbytes < 2 || nkey < 0) ++ return 0; ++ + size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix, &nsuffix); + if (settings.use_cas) { + ntotal += sizeof(uint64_t); +diff --git a/memcached.c b/memcached.c +index dc1f636..ad423a0 100644 +--- a/memcached.c ++++ b/memcached.c +@@ -1997,10 +1997,16 @@ static bool authenticated(conn *c) { + static void dispatch_bin_command(conn *c) { + int protocol_error = 0; + +- int extlen = c->binary_header.request.extlen; +- int keylen = c->binary_header.request.keylen; ++ uint8_t extlen = c->binary_header.request.extlen; ++ uint16_t keylen = c->binary_header.request.keylen; + uint32_t bodylen = c->binary_header.request.bodylen; + ++ if (keylen > bodylen || keylen + extlen > bodylen) { ++ write_bin_error(c, PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND, NULL, 0); ++ c->write_and_go = conn_closing; ++ return; ++ } ++ + if (settings.sasl && !authenticated(c)) { + write_bin_error(c, PROTOCOL_BINARY_RESPONSE_AUTH_ERROR, NULL, 0); + c->write_and_go = conn_closing; diff -Nru memcached-1.4.21/debian/patches/series memcached-1.4.21/debian/patches/series --- memcached-1.4.21/debian/patches/series 2015-03-07 13:01:25.000000000 +0000 +++ memcached-1.4.21/debian/patches/series 2016-11-03 01:32:38.000000000 +0000 
@@ -4,3 +4,4 @@ 04_add_init_retry.patch 06_eol_comment_handling.patch 07_disable_tests.patch +08_CVE-2016-8704_8705_8706.patch
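
Review bot: In the items.c part of 08_CVE-2016-8704_8705_8706.patch, the `nkey < 0` half of the new guard in do_item_alloc() can never be true, because the signature shown in the hunk header declares nkey as `const size_t`, which is unsigned; only `nbytes < 2` does any work. Either drop the nkey clause or replace it with an upper bound on the key length, and return NULL rather than 0 from a function whose return type is `item *`. The guard is also placed between `char suffix[40];` and the `size_t ntotal = ...` declaration, so a declaration now follows a statement; declaring ntotal first and assigning it after the check would keep the declaration block intact.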
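
Review bot: In the memcached.c part of the patch, the `keylen > bodylen` clause in dispatch_bin_command() is implied by `keylen + extlen > bodylen`: extlen is now a uint8_t and cannot be negative, and the uint16_t plus uint8_t sum is computed as int, so it cannot wrap. The condition can be reduced to the second clause. The rejection also replies with PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND even when the opcode is valid and only the header lengths are inconsistent; a status that reports invalid arguments would be less misleading to clients and easier to pick out in logs. A one-line comment above the check stating that it must stay ahead of the `settings.sasl && !authenticated(c)` branch, because it has to cover unauthenticated connections too, would keep a later refactor from reordering it.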