From 4b0545e26759037bee0dffc2c7282d6652493044 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2016 06:12:39 +0000 Subject: import memcached-1.4.15-10.el7 --- diff --git a/SOURCES/memcached-CVE-2013-7239.patch b/SOURCES/memcached-CVE-2013-7239.patch new file mode 100644 index 0000000..6ee947e --- /dev/null +++ b/SOURCES/memcached-CVE-2013-7239.patch @@ -0,0 +1,131 @@ +commit 87c1cf0f20be20608d3becf854e9cf0910f4ad32 +Author: 伊藤洋也 +Date: Fri Dec 20 18:49:54 2013 +0000 + + explicitly record sasl auth states + + It was previously possible to bypass authentication due to implicit + state management. Now we explicitly consider ourselves + unauthenticated on any new connections and authentication attempts. + + bug316 + + Signed-off-by: Dustin Sallings + +diff --git a/memcached.c b/memcached.c +index f129865..3a79fba 100644 +--- a/memcached.c ++++ b/memcached.c +@@ -457,6 +457,7 @@ conn *conn_new(const int sfd, enum conn_states init_state, + c->iovused = 0; + c->msgcurr = 0; + c->msgused = 0; ++ c->authenticated = false; + + c->write_and_go = init_state; + c->write_and_free = 0; +@@ -1637,6 +1638,8 @@ static void init_sasl_conn(conn *c) { + if (!settings.sasl) + return; + ++ c->authenticated = false; ++ + if (!c->sasl_conn) { + int result=sasl_server_new("memcached", + NULL, +@@ -1771,6 +1774,7 @@ static void process_bin_complete_sasl_auth(conn *c) { + + switch(result) { + case SASL_OK: ++ c->authenticated = true; + write_bin_response(c, "Authenticated", 0, 0, strlen("Authenticated")); + pthread_mutex_lock(&c->thread->stats.mutex); + c->thread->stats.auth_cmds++; +@@ -1807,11 +1811,7 @@ static bool authenticated(conn *c) { + rv = true; + break; + default: +- if (c->sasl_conn) { +- const void *uname = NULL; +- sasl_getprop(c->sasl_conn, SASL_USERNAME, &uname); +- rv = uname != NULL; +- } ++ rv = c->authenticated; + } + + if (settings.verbose > 1) { +diff --git a/memcached.h b/memcached.h +index 45b3213..7c212d5 100644 +--- a/memcached.h ++++ b/memcached.h +@@ -376,6 +376,7 @@ typedef struct conn conn; + struct conn { + int sfd; + sasl_conn_t *sasl_conn; ++ bool authenticated; + enum conn_states state; + enum bin_substates substate; + struct event event; +diff --git a/t/binary-sasl.t b/t/binary-sasl.t +index 69a05c2..85ef069 100755 +--- a/t/binary-sasl.t ++++ b/t/binary-sasl.t +@@ -13,7 +13,7 @@ use Test::More; + + if (supports_sasl()) { + if ($ENV{'RUN_SASL_TESTS'}) { +- plan tests => 25; ++ plan tests => 33; + } else { + plan skip_all => 'Skipping SASL tests'; + exit 0; +@@ -229,6 +229,38 @@ $check->('x','somevalue'); + } + $empty->('x'); + ++{ ++ my $mc = MC::Client->new; ++ ++ # Attempt bad authentication. ++ is ($mc->authenticate('testuser', 'wrongpassword'), 0x20, "bad auth"); ++ ++ # This should fail because $mc is not authenticated ++ my ($status, $val)= $mc->set('x', "somevalue"); ++ ok($status, "this fails to authenticate"); ++ cmp_ok($status,'==',ERR_AUTH_ERROR, "error code matches"); ++} ++$empty->('x', 'somevalue'); ++ ++{ ++ my $mc = MC::Client->new; ++ ++ # Attempt bad authentication. ++ is ($mc->authenticate('testuser', 'wrongpassword'), 0x20, "bad auth"); ++ ++ # Mix an authenticated connection and an unauthenticated connection to ++ # confirm c->authenticated is not shared among connections ++ my $mc2 = MC::Client->new; ++ is ($mc2->authenticate('testuser', 'testpass'), 0, "authenticated"); ++ my ($status, $val)= $mc2->set('x', "somevalue"); ++ ok(! $status); ++ ++ # This should fail because $mc is not authenticated ++ ($status, $val)= $mc->set('x', "somevalue"); ++ ok($status, "this fails to authenticate"); ++ cmp_ok($status,'==',ERR_AUTH_ERROR, "error code matches"); ++} ++ + # check the SASL stats, make sure they track things correctly + # note: the enabled or not is presence checked in stats.t + +@@ -241,8 +273,8 @@ $empty->('x'); + + { + my %stats = $mc->stats(''); +- is ($stats{'auth_cmds'}, 2, "auth commands counted"); +- is ($stats{'auth_errors'}, 1, "auth errors correct"); ++ is ($stats{'auth_cmds'}, 5, "auth commands counted"); ++ is ($stats{'auth_errors'}, 3, "auth errors correct"); + } + + diff --git a/SPECS/memcached.spec b/SPECS/memcached.spec index 0329864..3e735fa 100644 --- a/SPECS/memcached.spec +++ b/SPECS/memcached.spec @@ -1,9 +1,10 @@ %define username memcached %define groupname memcached +%bcond_without sasl Name: memcached Version: 1.4.15 -Release: 9%{?dist}.1 +Release: 10%{?dist} Epoch: 0 Summary: High Performance, Distributed Memory Object Cache @@ -19,6 +20,7 @@ Source1: memcached.service Patch001: memcached-manpages.patch Patch002: memcached-CVE-2011-4971.patch Patch003: memcached-CVE-2013-0179_7290_7291.patch +Patch004: memcached-CVE-2013-7239.patch Patch005: memcached-ipv6.patch # Fixes @@ -28,6 +30,9 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: libevent-devel BuildRequires: perl(Test::More), perl(Test::Harness) BuildRequires: systemd-units +%{?with_sasl:BuildRequires: cyrus-sasl-devel} +# For test suite +%{?with_sasl:BuildRequires: cyrus-sasl-md5 cyrus-sasl-plain} Requires(post): systemd Requires(preun): systemd @@ -59,6 +64,7 @@ access to the memcached binary include files. %patch001 -p1 -b .manpages %patch002 -p1 -b .CVE-2011-4971 %patch003 -p1 -b .CVE-2013-0179_7290_7291 +%patch004 -p1 -b .CVE-2013-7239 %patch005 -p1 -b .ipv6 %build @@ -66,7 +72,9 @@ access to the memcached binary include files. export CFLAGS="%{optflags} -pie -fpie" export LDFLAGS="-Wl,-z,relro,-z,now" -%configure +%configure \ + %{?with_sasl: --enable-sasl} + sed -i 's/-Werror/ /' Makefile make %{?_smp_mflags} @@ -80,7 +88,7 @@ if [ `id -u` -ne 0 ]; then # build systems rm -f t/daemonize.t fi -make test +RUN_SASL_TESTS=1 make test %install rm -rf %{buildroot} @@ -159,8 +167,10 @@ exit 0 %{_includedir}/memcached/* %changelog -* Thu Aug 11 2016 Miroslav Lichvar - 0:1.4.15-9.el7_2.1 -- fix binding to IPv6 address (#1366158) +* Tue Mar 08 2016 Miroslav Lichvar - 0:1.4.15-10 +- fix binding to IPv6 address (#1298603) +- enable SASL support (#1263696) +- don't allow authentication with bad SASL credentials (CVE-2013-7239) * Fri Jan 24 2014 Daniel Mach - 01.4.15-9 - Mass rebuild 2014-01-24