diff --git a/SOURCES/memcached-CVE-2011-4971.patch b/SOURCES/memcached-CVE-2011-4971.patch
new file mode 100644
index 0000000..ec69ae9
--- /dev/null
+++ b/SOURCES/memcached-CVE-2011-4971.patch
@@ -0,0 +1,53 @@
+commit 6695ccbc525c36d693aaa3e8337b36aa0c784424
+Author: Huzaifa Sidhpurwala
+Date: Sun Dec 8 17:33:15 2013 -0800
+
+ Fix segfault on specially crafted packet.
+
+diff --git a/memcached.c b/memcached.c
+index b6ed7c9..f3b9939 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -3872,6 +3872,16 @@ static void drive_machine(conn *c) {
+ complete_nread(c);
+ break;
+ }
++
++ /* Check if rbytes < 0, to prevent crash */
++ if (c->rlbytes < 0) {
++ if (settings.verbose) {
++ fprintf(stderr, "Invalid rlbytes to read: len %d\n", c->rlbytes);
++ }
++ conn_set_state(c, conn_closing);
++ break;
++ }
++
+ /* first check if we have leftovers in the conn_read buffer */
+ if (c->rbytes > 0) {
+ int tocopy = c->rbytes > c->rlbytes ? c->rlbytes : c->rbytes;
+diff --git a/t/issue_192.t b/t/issue_192.t
+new file mode 100644
+index 0000000..c58e206
+--- /dev/null
++++ b/t/issue_192.t
+@@ -0,0 +1,20 @@
++#!/usr/bin/perl
++
++use strict;
++use Test::More tests => 2;
++use FindBin qw($Bin);
++use lib "$Bin/lib";
++use MemcachedTest;
++
++my $server = new_memcached();
++my $sock = $server->sock;
++
++ok($server->new_sock, "opened new socket");
++
++print $sock "\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
++
++sleep 0.5;
++ok($server->new_sock, "failed to open new socket");
++
++
++
diff --git a/SOURCES/memcached-CVE-2013-0179_7290_7291.patch b/SOURCES/memcached-CVE-2013-0179_7290_7291.patch
new file mode 100644
index 0000000..e02366d
--- /dev/null
+++ b/SOURCES/memcached-CVE-2013-0179_7290_7291.patch
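Review bot: The comment on the new guard in drive_machine names the wrong field: it says `rbytes` while the condition tests `c->rlbytes`, so `/* Check if rlbytes < 0, to prevent crash */` would match the code it describes. The guard rejects an already-negative length only once the read state machine reaches it; rlbytes is derived from the request's declared body length in code outside this hunk, so validating it where it is computed would presumably catch the bad value earlier and is worth considering. In the accompanying t/issue_192.t, `sleep 0.5` uses Perl's integer-second sleep, which truncates to zero, so the test does not actually wait before the second `new_sock` check; `select(undef, undef, undef, 0.5);` gives the intended sub-second delay. drive_machine's body begins and ends outside the hunk.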
@@ -0,0 +1,77 @@
+commit 0f605245cf3f37c2efe4e225237ad17256ea2a34
+Author: Jeremy Sowden
+Date: Wed Jan 9 15:43:41 2013 +0000
+
+ Fix buffer-overrun when logging key to delete in binary protocol.
+
+diff --git a/memcached.c b/memcached.c
+index 3a79fba..f7a140c 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -2190,7 +2190,12 @@ static void process_bin_delete(conn *c) {
+ assert(c != NULL);
+
+ if (settings.verbose > 1) {
+- fprintf(stderr, "Deleting %s\n", key);
++ int ii;
++ fprintf(stderr, "Deleting ");
++ for (ii = 0; ii < nkey; ++ii) {
++ fprintf(stderr, "%c", key[ii]);
++ }
++ fprintf(stderr, "\n");
+ }
+
+ if (settings.detail_enabled) {
+commit fbe823d9a61b5149cd6e3b5e17bd28dd3b8dd760
+Author: dormando
+Date: Fri Dec 20 13:25:43 2013 -0800
+
+ fix potential unbounded key prints
+
+ item key isn't necessarily null terminated. user submitted a patch for one,
+ this clears two more.
+
+diff --git a/items.c b/items.c
+index d70400c..65b1a24 100644
+--- a/items.c
++++ b/items.c
+@@ -537,12 +537,16 @@ item *do_item_get(const char *key, const size_t nkey, const uint32_t hv) {
+ int was_found = 0;
+
+ if (settings.verbose > 2) {
++ int ii;
+ if (it == NULL) {
+- fprintf(stderr, "> NOT FOUND %s", key);
++ fprintf(stderr, "> NOT FOUND ");
+ } else {
+- fprintf(stderr, "> FOUND KEY %s", ITEM_key(it));
++ fprintf(stderr, "> FOUND KEY ");
+ was_found++;
+ }
++ for (ii = 0; ii < nkey; ++ii) {
++ fprintf(stderr, "%c", key[ii]);
++ }
+ }
+
+ if (it != NULL) {
+diff --git a/memcached.c b/memcached.c
+index f7a140c..6486ff2 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -2856,8 +2856,14 @@ static inline void process_get_command(conn *c, token_t *tokens, size_t ntokens,
+ }
+
+
+- if (settings.verbose > 1)
+- fprintf(stderr, ">%d sending key %s\n", c->sfd, ITEM_key(it));
++ if (settings.verbose > 1) {
++ int ii;
++ fprintf(stderr, ">%d sending key ", c->sfd);
++ for (ii = 0; ii < it->nkey; ++ii) {
++ fprintf(stderr, "%c", key[ii]);
++ }
++ fprintf(stderr, "\n");
++ }
+
+ /* item_get() has incremented it->refcount for us */
+ pthread_mutex_lock(&c->thread->stats.mutex);
diff --git a/SPECS/memcached.spec b/SPECS/memcached.spec
index 9a0f422..ef4747e 100644
--- a/SPECS/memcached.spec
+++ b/SPECS/memcached.spec
@@ -3,7 +3,7 @@
 Name: memcached
 Version: 1.4.15
-Release: 5%{?dist}
+Release: 9%{?dist}
 Epoch: 0
 Summary: High Performance, Distributed Memory Object Cache
@@ -17,6 +17,8 @@ Source1: memcached.service
 # Patches
 Patch001: memcached-manpages.patch
+Patch002: memcached-CVE-2011-4971.patch
+Patch003: memcached-CVE-2013-0179_7290_7291.patch
 # Fixes
@@ -54,6 +56,8 @@ access to the memcached binary include files.
 %prep
 %setup -q
 %patch001 -p1 -b .manpages
+%patch002 -p1 -b .CVE-2011-4971
+%patch003 -p1 -b .CVE-2013-0179_7290_7291
 %build
 # compile with full RELRO
@@ -153,6 +157,18 @@ exit 0
 %{_includedir}/memcached/*
 %changelog
+* Fri Jan 24 2014 Daniel Mach - 01.4.15-9
+- Mass rebuild 2014-01-24
+
+* Tue Jan 14 2014 Miroslav Lichvar - 0:1.4.15-8
+- fix unbound key printing (CVE-2013-0179, CVE-2013-7290, CVE-2013-7291)
+
+* Fri Dec 27 2013 Daniel Mach - 01.4.15-7
+- Mass rebuild 2013-12-27
+
+* Thu Dec 12 2013 Miroslav Lichvar - 0:1.4.15-6
+- fix segfault on specially crafted packet (#988739, CVE-2011-4971)
+
 * Mon Jul 08 2013 Miroslav Lichvar - 0:1.4.15-5
 - update memcached man page
 - add memcached-tool man page
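Review bot: In the do_item_get hunk the new loop index `int ii` is compared against `nkey`, which the hunk header declares as `const size_t`, so the loop mixes signed and unsigned and trips -Wsign-compare; the same shape recurs in the process_bin_delete and process_get_command hunks, where nkey's type is not visible here. All three per-byte loops can be replaced by one bounded print, e.g. `fprintf(stderr, "Deleting %.*s\n", (int)nkey, key);`, which is also what stops the original `%s` over-read on a key that is not NUL-terminated. In process_get_command the bound is `it->nkey` while the bytes come from `key[ii]`; the two presumably agree because the item was looked up by that key, but taking both from the same object (`ITEM_key(it)` with `it->nkey`, or `key` with `nkey`) removes that dependency. Keys arriving over the binary protocol are arbitrary bytes, so these verbose-mode prints can still write control characters into stderr; filtering each byte through `isprint((unsigned char)key[ii])` before printing keeps the log readable. Each of the three enclosing functions begins and ends outside its hunk.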