Package: libmemcached
Version: 1.0.18-4.2
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu disco ubuntu-patch

Dear Maintainer,

When connecting to a server using SASL, memcached_sasl_authenticate_connection() reads the list of supported mechanisms from the server via the command PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string containing supported authentication mechanisms, which gets stored into the (uninitialized) destination buffer without null termination. The buffer then gets passed to sasl_client_start which treats it as a null-terminated string, reading uninitialised bytes in the buffer. As the buffer lives on the stack, an attacker that can put strings on the stack before the connection gets made, might be able to tamper with the authentication [1].

[1] : https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594

In Ubuntu, the attached patch was applied to achieve the following:

  * Fix missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS response handling (LP: #1573594)

Thanks for considering the patch.

-- System Information:
Debian Release: buster/sid
  APT prefers bionic-updates
  APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500, 'bionic'), (100, 'bionic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-43-generic (SMP w/12 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libmemcached-1.0.18/debian/patches/fixing_missing_null_termination.patch libmemcached-1.0.18/debian/patches/fixing_missing_null_termination.patch --- libmemcached-1.0.18/debian/patches/fixing_missing_null_termination.patch 1970-01-01 01:00:00.000000000 +0100 +++ libmemcached-1.0.18/debian/patches/fixing_missing_null_termination.patch 2019-01-18 13:04:25.000000000 +0000 @@ -0,0 +1,15 @@ +Description: Fix missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS response handling +Author: Ioanna Alifieraki <ioanna-maria.alifier...@canonical.com> +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594 +Last-Update: 2019-01-18 + +--- libmemcached-1.0.18.orig/libmemcached/sasl.cc ++++ libmemcached-1.0.18/libmemcached/sasl.cc +@@ -171,6 +171,7 @@ memcached_return_t memcached_sasl_authen + memcached_server_response_increment(server); + + char mech[MEMCACHED_MAX_BUFFER]; ++ memset(mech, 0, MEMCACHED_MAX_BUFFER); + memcached_return_t rc= memcached_response(server, mech, sizeof(mech), NULL); + if (memcached_failed(rc)) + { diff -Nru libmemcached-1.0.18/debian/patches/series libmemcached-1.0.18/debian/patches/series --- libmemcached-1.0.18/debian/patches/series 2017-10-11 08:19:11.000000000 +0100 +++ libmemcached-1.0.18/debian/patches/series 2019-01-18 13:04:25.000000000 +0000 @@ -5,3 +5,4 @@ move-ax_confix_aux_dir.patch no-docs-no-man.diff fix-gcc7-build.diff +fixing_missing_null_termination.patch
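
Review bot: In the sasl.cc hunk, zeroing the buffer only guarantees a terminator while the response is shorter than the buffer, because the next line still passes the full size: "memcached_response(server, mech, sizeof(mech), NULL)". If that call can write up to the length it is given, a response that fills mech overwrites every zeroed byte and the buffer handed on is unterminated again. Consider passing sizeof(mech) - 1 as the length, or writing the terminator at the received length after the call. Smaller point: use sizeof(mech) in the memset rather than repeating MEMCACHED_MAX_BUFFER, so the size cannot drift from the declaration.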
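
The failure described in the report, and the limit of zero-filling as a fix, shown as an added example that is not part of the original message or of libmemcached. read_body, BUF_CAP and the other names are hypothetical stand-ins, and the stale buffer content is constructed rather than read from a real stack.

```c
#include <stdio.h>
#include <string.h>

#define BUF_CAP 16 /* small stand-in for MEMCACHED_MAX_BUFFER (assumption) */

/* Hypothetical response reader: copies a length-delimited body and, like
 * the call described in the report, appends no terminator. Used directly,
 * it models the unpatched code: bytes already in dst remain after the body. */
static size_t read_body(char *dst, size_t cap, const char *body, size_t len) {
    size_t n = len < cap ? len : cap;
    memcpy(dst, body, n);
    return n;
}

/* The patch's approach: zero first. Terminated only while len < cap. */
static void mechs_zeroed(char *dst, size_t cap, const char *body, size_t len) {
    memset(dst, 0, cap);
    read_body(dst, cap, body, len);
}

/* Reserve one byte and terminate at the received length. */
static void mechs_terminated(char *dst, size_t cap, const char *body, size_t len) {
    dst[read_body(dst, cap - 1, body, len)] = '\0';
}

/* Bounded check: 1 if a NUL occurs within the first cap bytes. */
static int is_terminated(const char *buf, size_t cap) {
    return memchr(buf, '\0', cap) != NULL;
}

/* Constructed stale content standing in for leftover stack bytes. */
static void fill_stale(char *buf) {
    memset(buf, 'X', BUF_CAP);
    memcpy(buf + 8, " PLAIN", 7); /* 6 characters plus NUL, offsets 8..14 */
}

int main(void) {
    char buf[BUF_CAP];
    fill_stale(buf);
    read_body(buf, BUF_CAP, "CRAM-MD5", 8);
    printf("unterminated: \"%s\"\n", buf);
    mechs_zeroed(buf, BUF_CAP, "0123456789ABCDEF", 16);
    printf("zeroed, full-size body has NUL: %d\n", is_terminated(buf, BUF_CAP));
    mechs_terminated(buf, BUF_CAP, "0123456789ABCDEF", 16);
    printf("terminated: \"%s\"\n", buf);
    return 0;
}
```

In the first case the string a C-string consumer would see is the server's list with the stale bytes appended; in the second, a body that fills the buffer leaves no terminator even after zeroing.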