On 12/09/2017 at 22:55, Adam D. Barratt wrote:
> On Tue, 2017-09-12 at 22:52 +0200, Guillaume Delacour wrote:
>> On 30/08/2017 at 21:58, Adam D. Barratt wrote:
>>> Control: tags -1 + confirmed
>>>
>>> On Wed, 2017-08-30 at 21:33 +0200, gui@iroqwa.org wrote:
>>>> The attached patch fixes CVE-2017-9951 which has not been fixed via
>>>> a DSA, as discussed with Salvatore Bonaccorso:
>>>> https://bugs.debian.org/868701.
>>>
>>> +memcached (1.4.33-1+deb9u1) stretch; urgency=high
>>> +
>>> + * Non-maintainer upload by the Security Team.
>>>
>>> So far as I can tell, you're not a member of the Security Team, so
>>> this is incorrect.
>>
>> Sure, please find attached the fixed debdiff, as I'm not a member of
>> the security team. I've also changed the distribution from stretch to
>> stretch-security.
>
> Why? "stretch-security" is an appropriate distribution to use for
> uploads to the security archive, in which case you should be talking to
> the Security Team, not us. Assuming you're still proposing an update
> via proposed-updates and a point release, "stretch" was correct.

Indeed, absolutely right. Updated version attached.

>
> Regards,
>
> Adam
>

-- 
Guillaume Delacour
diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog
--- memcached-1.4.33/debian/changelog 2016-11-03 01:50:27.000000000 +0100
+++ memcached-1.4.33/debian/changelog 2017-07-25 00:38:52.000000000 +0200
@@ -1,3 +1,10 @@
+memcached (1.4.33-1+deb9u1) stretch; urgency=high
+
+ * Fix CVE-2017-9951 by checking the integer length of commands that adds or
+ replaces key/value pair
+
+ -- Guillaume Delacour <gui@iroqwa.org> Tue, 25 Jul 2017 00:38:52 +0200
+
memcached (1.4.33-1) unstable; urgency=medium
* New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706
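Review bot: The new 1.4.33-1+deb9u1 entry does not say how the fix is delivered: the upload adds debian/patches/09_CVE-2017-9951.patch, taken from the upstream commit named in that patch's Origin field, and the bullet mentions neither. Suggest naming the patch file in the bullet and tidying the wording ("commands that adds or replaces key/value pair" should read "commands that add or replace a key/value pair"). The trailer is still dated 25 Jul 2017 although the debdiff was re-rolled in September; refreshing it when the final version is prepared would keep the changelog consistent with the upload.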
diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch
--- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 1970-01-01 01:00:00.000000000 +0100
+++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 2017-07-25 00:38:52.000000000 +0200
@@ -0,0 +1,36 @@
+From: dormando <dormando@rydia.net>
+Date: Tue, 4 Jul 2017 00:32:39 -0700
+Subject: [PATCH] sanity check (CVE-2017-9951)
+Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167
+
+---
+ items.c | 2 ++
+ memcached.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/items.c b/items.c
+index 637e5e745..83a2ea37d 100644
+--- a/items.c
++++ b/items.c
+@@ -368,6 +368,8 @@ void item_free(item *it) {
+ bool item_size_ok(const size_t nkey, const int flags, const int nbytes) {
+ char prefix[40];
+ uint8_t nsuffix;
++ if (nbytes < 2)
++ return false;
+
+ size_t ntotal = item_make_header(nkey + 1, flags, nbytes,
+ prefix, &nsuffix);
+diff --git a/memcached.c b/memcached.c
+index 0f0335795..a89df965d 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) {
+
+ case conn_swallow:
+ /* we are reading sbytes and throwing them away */
+- if (c->sbytes == 0) {
++ if (c->sbytes <= 0) {
+ conn_set_state(c, conn_new_cmd);
+ break;
+ }
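Review bot: In the items.c part, the added "if (nbytes < 2) return false;" uses a bare constant with no comment saying what the two bytes are, and it is placed between the declarations and the "size_t ntotal" declaration; a one-line comment stating the minimum and why would make the check auditable for anyone backporting it later. In the memcached.c part, changing "c->sbytes == 0" to "c->sbytes <= 0" makes conn_swallow return to conn_new_cmd silently when the count is negative; a negative sbytes means a length was miscomputed earlier in the request, so it is worth confirming that every path that sets c->sbytes is also covered by the item_size_ok() check, or noting in the patch description that the "<= 0" test is defence in depth. The patch header carries From, Date, Subject and Origin; adding a Bug-Debian field pointing at the tracking bug would complete it.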
diff -Nru memcached-1.4.33/debian/patches/series memcached-1.4.33/debian/patches/series
--- memcached-1.4.33/debian/patches/series 2016-08-21 18:48:58.000000000 +0200
+++ memcached-1.4.33/debian/patches/series 2017-07-25 00:38:52.000000000 +0200
@@ -1,3 +1,4 @@
01_init_script_additions.patch
04_add_init_retry.patch
07_disable_tests.patch
+09_CVE-2017-9951.patch