On 30/08/2017 at 21:58, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2017-08-30 at 21:33 +0200, g...@iroqwa.org wrote:
>> The attached patch fixes CVE-2017-9951 which has not been fixed via a DSA,
>> as discussed with Salvatore Bonaccorso: https://bugs.debian.org/868701.
>
> +memcached (1.4.33-1+deb9u1) stretch; urgency=high
> +
> + * Non-maintainer upload by the Security Team.
>
> So far as I can tell, you're not a member of the Security Team, so this
> is incorrect.

Sure, please find attached the fixed debdiff, as I'm not a member of the security team.
I've also changed the distribution from stretch to stretch-security.

> + * Fix CVE-2017-9951 by checking the integer length of commands that adds or
> + replaces key/value pair
> +
> + -- Guillaume Delacour <g...@iroqwa.org> Tue, 25 Jul 2017 00:38:52 +0200
>
> Please go ahead, bearing in mind the above comment.

As I'm not a DD nor DM I can't upload this directly, could you do this for me as a mentoring?
I also need to provide this kind of changes for Jessie.

>
> Regards,
>
> Adam
>

--
Guillaume Delacour

diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog --- memcached-1.4.33/debian/changelog 2016-11-03 01:50:27.000000000 +0100 +++ memcached-1.4.33/debian/changelog 2017-07-25 00:38:52.000000000 +0200 @@ -1,3 +1,10 @@ +memcached (1.4.33-1+deb9u1) stretch-security; urgency=high + + * Fix CVE-2017-9951 by checking the integer length of commands that adds or + replaces key/value pair + + -- Guillaume Delacour <g...@iroqwa.org> Tue, 25 Jul 2017 00:38:52 +0200 + memcached (1.4.33-1) unstable; urgency=medium * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch --- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 1970-01-01 01:00:00.000000000 +0100 +++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 2017-07-25 00:38:52.000000000 +0200 
@@ -0,0 +1,36 @@ +From: dormando <dorma...@rydia.net> +Date: Tue, 4 Jul 2017 00:32:39 -0700 +Subject: [PATCH] sanity check (CVE-2017-9951) +Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 + +--- + items.c | 2 ++ + memcached.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/items.c b/items.c +index 637e5e745..83a2ea37d 100644 +--- a/items.c ++++ b/items.c +@@ -368,6 +368,8 @@ void item_free(item *it) { + bool item_size_ok(const size_t nkey, const int flags, const int nbytes) { + char prefix[40]; + uint8_t nsuffix; ++ if (nbytes < 2) ++ return false; + + size_t ntotal = item_make_header(nkey + 1, flags, nbytes, + prefix, &nsuffix); +diff --git a/memcached.c b/memcached.c +index 0f0335795..a89df965d 100644 +--- a/memcached.c ++++ b/memcached.c +@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) { + + case conn_swallow: + /* we are reading sbytes and throwing them away */ +- if (c->sbytes == 0) { ++ if (c->sbytes <= 0) { + conn_set_state(c, conn_new_cmd); + break; + } diff -Nru memcached-1.4.33/debian/patches/series memcached-1.4.33/debian/patches/series --- memcached-1.4.33/debian/patches/series 2016-08-21 18:48:58.000000000 +0200 +++ memcached-1.4.33/debian/patches/series 2017-07-25 00:38:52.000000000 +0200 @@ -1,3 +1,4 @@ 01_init_script_additions.patch 04_add_init_retry.patch 07_disable_tests.patch +09_CVE-2017-9951.patch
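
Review bot: In the debian/changelog hunk, the new 1.4.33-1+deb9u1 entry names the CVE but closes no bug. If #868701 (the report linked earlier in this thread) is the one tracking CVE-2017-9951, append "(Closes: #868701)" to the "Fix CVE-2017-9951" item so the BTS is updated on upload. The header of 09_CVE-2017-9951.patch already carries From, Date, Subject and Origin; a "Bug-Debian:" field pointing at the same report would complete it.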
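
Review bot: In the items.c hunk, the added "if (nbytes < 2) return false;" in item_size_ok() uses a bare constant with no explanation and no braces. A short comment saying what the minimum of two bytes stands for, and that the test also rejects negative values of the signed "const int nbytes" before they reach item_make_header(), would keep a later cleanup from relaxing it. Bracing the body would match the "if (...) {" style visible in drive_machine().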
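
Review bot: In the memcached.c hunk, "if (c->sbytes <= 0)" in the conn_swallow case handles a negative sbytes exactly like zero, so the state machine moves on to conn_new_cmd without any record that a length went negative. The existing comment ("we are reading sbytes and throwing them away") should say why a negative value can occur here, otherwise the "<=" reads like a typo for "==". It is also worth checking that the place where sbytes is assigned rejects the bad length, with this branch kept as a second line of defence.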