Control: tags 706426 + patch pending Control: tags 733643 + patch pending Dear maintainer,
I've prepared an NMU for memcached (versioned as 1.4.13-0.3) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru memcached-1.4.13/debian/changelog memcached-1.4.13/debian/changelog
--- memcached-1.4.13/debian/changelog 2013-01-23 21:22:12.000000000 +0100
+++ memcached-1.4.13/debian/changelog 2014-01-01 15:37:36.000000000 +0100
@@ -1,3 +1,15 @@
+memcached (1.4.13-0.3) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Add 06_CVE-2011-4971.patch patch.
+ CVE-2011-4971: Fix remote denial of service. Sending a specially
+ crafted packet cause memcached to segfault. (Closes: #706426)
+ * Add 07_CVE-2013-7239.patch patch.
+ CVE-2013-7239: SASL authentication allows wrong credentials to access
+ memcache. (Closes: #733643)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Mon, 30 Dec 2013 17:47:44 +0100
+
 memcached (1.4.13-0.2) unstable; urgency=low

 * Non-maintainer upload.
diff -Nru memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch
--- memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch 1970-01-01 01:00:00.000000000 +0100
+++ memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch 2014-01-01 15:37:36.000000000 +0100
@@ -0,0 +1,54 @@
+Description: Fix segfault on specially crafted packet
+ CVE-2011-4971: remote denial of service
+Origin: upstream, http://github.com/memcached/memcached/commit/6695ccbc525c36d693aaa3e8337b36aa0c784424
+Bug: https://code.google.com/p/memcached/issues/detail?id=192
+Bug-Debian: http://bugs.debian.org/706426
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=957964
+Forwarded: not-needed
+Author: Huzaifa Sidhpurwala <huzai...@redhat.com>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-12-29
+Applied-Upstream: 1.4.16
+
+--- a/memcached.c
++++ b/memcached.c
+@@ -3874,6 +3874,16 @@
+ complete_nread(c);
+ break;
+ }
++
++ /* Check if rbytes < 0, to prevent crash */
++ if (c->rlbytes < 0) {
++ if (settings.verbose) {
++ fprintf(stderr, "Invalid rlbytes to read: len %d\n", c->rlbytes);
++ }
++ conn_set_state(c, conn_closing);
++ break;
++ }
++
+ /* first check if we have leftovers in the conn_read buffer */
+ if (c->rbytes > 0) {
+ int tocopy = c->rbytes > c->rlbytes ? c->rlbytes : c->rbytes;
+--- /dev/null
++++ b/t/issue_192.t
+@@ -0,0 +1,20 @@
++#!/usr/bin/perl
++
++use strict;
++use Test::More tests => 2;
++use FindBin qw($Bin);
++use lib "$Bin/lib";
++use MemcachedTest;
++
++my $server = new_memcached();
++my $sock = $server->sock;
++
++ok($server->new_sock, "opened new socket");
++
++print $sock "\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
++
++sleep 0.5;
++ok($server->new_sock, "failed to open new socket");
++
++
++
diff -Nru memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch
--- memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch 1970-01-01 01:00:00.000000000 +0100
+++ memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch 2014-01-01 15:37:36.000000000 +0100
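Review bot: `sleep 0.5;` in t/issue_192.t does not pause at all, because Perl's built-in `sleep` takes whole seconds and truncates 0.5 to 0. The second `new_sock` check can therefore run before the server has processed the malformed packet, so a crash that happens a moment later could go unnoticed and the regression test could pass without the fix. Load the fractional version with `use Time::HiRes qw(sleep);` ahead of the call, or wait with `select(undef, undef, undef, 0.5);`. The label on the second assertion, `"failed to open new socket"`, also describes the failure rather than the expected result; `"server still accepts connections after malformed packet"` would read correctly in the test output.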
@@ -0,0 +1,122 @@
+Description: CVE-2013-7239: SASL authentication allows wrong credentials to access memcache
+ It was previously possible to bypass authentication due to implicit
+ state management. Now we explicitly consider ourselves
+ unauthenticated on any new connections and authentication attempts.
+Origin: upstream, https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32
+Bug: https://code.google.com/p/memcached/issues/detail?id=316
+Bug-Debian: http://bugs.debian.org/733643
+Forwarded: not-needed
+Last-Update: 2013-12-30
+Applied-Upstream: 1.4.17
+
+--- a/memcached.c
++++ b/memcached.c
+@@ -442,6 +442,7 @@
+ c->iovused = 0;
+ c->msgcurr = 0;
+ c->msgused = 0;
++ c->authenticated = false;
+
+ c->write_and_go = init_state;
+ c->write_and_free = 0;
+@@ -1602,6 +1603,8 @@
+ if (!settings.sasl)
+ return;
+
++ c->authenticated = false;
++
+ if (!c->sasl_conn) {
+ int result=sasl_server_new("memcached",
+ NULL,
+@@ -1736,6 +1739,7 @@
+
+ switch(result) {
+ case SASL_OK:
++ c->authenticated = true;
+ write_bin_response(c, "Authenticated", 0, 0, strlen("Authenticated"));
+ pthread_mutex_lock(&c->thread->stats.mutex);
+ c->thread->stats.auth_cmds++;
+@@ -1772,11 +1776,7 @@
+ rv = true;
+ break;
+ default:
+- if (c->sasl_conn) {
+- const void *uname = NULL;
+- sasl_getprop(c->sasl_conn, SASL_USERNAME, &uname);
+- rv = uname != NULL;
+- }
++ rv = c->authenticated;
+ }
+
+ if (settings.verbose > 1) {
+--- a/memcached.h
++++ b/memcached.h
+@@ -367,6 +367,7 @@
+ struct conn {
+ int sfd;
+ sasl_conn_t *sasl_conn;
++ bool authenticated;
+ enum conn_states state;
+ enum bin_substates substate;
+ struct event event;
+--- a/t/binary-sasl.t
++++ b/t/binary-sasl.t
+@@ -13,7 +13,7 @@
+
+ if (supports_sasl()) {
+ if ($ENV{'RUN_SASL_TESTS'}) {
+- plan tests => 25;
++ plan tests => 33;
+ } else {
+ plan skip_all => 'Skipping SASL tests';
+ exit 0;
+@@ -229,6 +229,38 @@
+ }
+ $empty->('x');
+
++{
++ my $mc = MC::Client->new;
++
++ # Attempt bad authentication.
++ is ($mc->authenticate('testuser', 'wrongpassword'), 0x20, "bad auth");
++
++ # This should fail because $mc is not authenticated
++ my ($status, $val)= $mc->set('x', "somevalue");
++ ok($status, "this fails to authenticate");
++ cmp_ok($status,'==',ERR_AUTH_ERROR, "error code matches");
++}
++$empty->('x', 'somevalue');
++
++{
++ my $mc = MC::Client->new;
++
++ # Attempt bad authentication.
++ is ($mc->authenticate('testuser', 'wrongpassword'), 0x20, "bad auth");
++
++ # Mix an authenticated connection and an unauthenticated connection to
++ # confirm c->authenticated is not shared among connections
++ my $mc2 = MC::Client->new;
++ is ($mc2->authenticate('testuser', 'testpass'), 0, "authenticated");
++ my ($status, $val)= $mc2->set('x', "somevalue");
++ ok(! $status);
++
++ # This should fail because $mc is not authenticated
++ ($status, $val)= $mc->set('x', "somevalue");
++ ok($status, "this fails to authenticate");
++ cmp_ok($status,'==',ERR_AUTH_ERROR, "error code matches");
++}
++
+ # check the SASL stats, make sure they track things correctly
+ # note: the enabled or not is presence checked in stats.t
+
+@@ -241,8 +273,8 @@
+
+ {
+ my %stats = $mc->stats('');
+- is ($stats{'auth_cmds'}, 2, "auth commands counted");
+- is ($stats{'auth_errors'}, 1, "auth errors correct");
++ is ($stats{'auth_cmds'}, 5, "auth commands counted");
++ is ($stats{'auth_errors'}, 3, "auth errors correct");
+ }
+
+
diff -Nru memcached-1.4.13/debian/patches/series memcached-1.4.13/debian/patches/series
--- memcached-1.4.13/debian/patches/series 2013-01-20 15:51:34.000000000 +0100
+++ memcached-1.4.13/debian/patches/series 2014-01-01 15:37:36.000000000 +0100
@@ -3,3 +3,5 @@
 03_fix_ftbfs4hurd.patch
 04_add_init_retry.patch
 05_fix-buffer-overrun_when_logging_keys.patch
+06_CVE-2011-4971.patch
+07_CVE-2013-7239.patch
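Review bot: The new `bool authenticated;` member of `struct conn` (memcached.h hunk) now carries the whole authorisation decision through `rv = c->authenticated;`, yet nothing at the declaration says when it may be true. I would add a comment there, for example `/* true only after a SASL exchange on this connection returned SASL_OK; cleared when the connection is (re)initialised and at the start of every auth attempt */`, so that any later path which recycles a connection can be checked against that rule. The functions around the four memcached.c hunks begin and end outside the visible lines, so whether every SASL completion path goes through the shown `case SASL_OK:` cannot be confirmed from here. In t/binary-sasl.t, `ok(! $status);` is the only new assertion without a description; `ok(! $status, "authenticated set succeeds");` would make a failure identifiable.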