From b0376c2f950d02b6ee8a9eab20422e140e21f2c0 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 23 2016 04:44:29 +0000
Subject: import memcached-1.4.15-10.el7_3.1
---
diff --git a/SOURCES/memcached-CVE-2016-8704_8705_8706.patch b/SOURCES/memcached-CVE-2016-8704_8705_8706.patch
new file mode 100644
index 0000000..88ee3b2
--- /dev/null
+++ b/SOURCES/memcached-CVE-2016-8704_8705_8706.patch
@@ -0,0 +1,35 @@
+diff -up memcached-1.4.15/items.c.CVE-2016-8704_8705_8706 memcached-1.4.15/items.c
+--- memcached-1.4.15/items.c.CVE-2016-8704_8705_8706 2016-11-07 11:14:13.099196427 +0100
++++ memcached-1.4.15/items.c 2016-11-07 11:14:13.104196443 +0100
+@@ -91,6 +91,9 @@ item *do_item_alloc(char *key, const siz
+ uint8_t nsuffix;
+ item *it = NULL;
+ char suffix[40];
++ if (nbytes < 2 || nkey < 0)
++ return 0;
++
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix, &nsuffix);
+ if (settings.use_cas) {
+ ntotal += sizeof(uint64_t);
+diff -up memcached-1.4.15/memcached.c.CVE-2016-8704_8705_8706 memcached-1.4.15/memcached.c
+--- memcached-1.4.15/memcached.c.CVE-2016-8704_8705_8706 2016-11-07 11:14:13.103196439 +0100
++++ memcached-1.4.15/memcached.c 2016-11-07 11:14:13.105196446 +0100
+@@ -1790,10 +1790,16 @@ static bool authenticated(conn *c) {
+ static void dispatch_bin_command(conn *c) {
+ int protocol_error = 0;
+ 
+- int extlen = c->binary_header.request.extlen;
+- int keylen = c->binary_header.request.keylen;
++ uint8_t extlen = c->binary_header.request.extlen;
++ uint16_t keylen = c->binary_header.request.keylen;
+ uint32_t bodylen = c->binary_header.request.bodylen;
+ 
++ if (keylen > bodylen || keylen + extlen > bodylen) {
++ write_bin_error(c, PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND, 0);
++ c->write_and_go = conn_closing;
++ return;
++ }
++
+ if (settings.sasl && !authenticated(c)) {
+ write_bin_error(c, PROTOCOL_BINARY_RESPONSE_AUTH_ERROR, 0);
+ c->write_and_go = conn_closing;
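Review bot: In the items.c part of the embedded patch, the `nkey < 0` half of `if (nbytes < 2 || nkey < 0)` looks like dead code. The truncated hunk header shows the parameter as `const siz…`, presumably `const size_t nkey`, and an unsigned value is never negative, so only `nbytes < 2` actually rejects anything. If a key-length guard is intended there, it would have to be an upper bound (for example `nkey > KEY_MAX_LENGTH`), and the early exit would read better as `return NULL;` in a function returning `item *`. In dispatch_bin_command, `keylen > bodylen` is already implied by `keylen + extlen > bodylen`, and a one-line comment such as `/* key + extras must fit inside the body; reject before any handler derives a value length from them */` would record why the check sits ahead of the SASL gate. Both function bodies continue outside the embedded hunks, so the downstream uses of these lengths are not visible here.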
diff --git a/SPECS/memcached.spec b/SPECS/memcached.spec index 3e735fa..d721c0d 100644 --- a/SPECS/memcached.spec +++ b/SPECS/memcached.spec @@ -4,7 +4,7 @@ Name: memcached Version: 1.4.15 -Release: 10%{?dist} +Release: 10%{?dist}.1 Epoch: 0 Summary: High Performance, Distributed Memory Object Cache @@ -22,6 +22,7 @@ Patch002: memcached-CVE-2011-4971.patch Patch003: memcached-CVE-2013-0179_7290_7291.patch Patch004: memcached-CVE-2013-7239.patch Patch005: memcached-ipv6.patch +Patch006: memcached-CVE-2016-8704_8705_8706.patch # Fixes @@ -66,6 +67,7 @@ access to the memcached binary include files. %patch003 -p1 -b .CVE-2013-0179_7290_7291 %patch004 -p1 -b .CVE-2013-7239 %patch005 -p1 -b .ipv6 +%patch006 -p1 -b .CVE-2016-8704_8705_8706 %build # compile with full RELRO @@ -167,6 +169,10 @@ exit 0 %{_includedir}/memcached/* %changelog +* Mon Nov 07 2016 Miroslav Lichvar - 0:1.4.15-10.el7_3.1 +- fix vulnerabilities allowing remote code execution (CVE-2016-8704, + CVE-2016-8705, CVE-2016-8706) + * Tue Mar 08 2016 Miroslav Lichvar - 0:1.4.15-10 - fix binding to IPv6 address (#1298603) - enable SASL support (#1263696)