
Bug#873758: marked as done (stretch-pu: package memcached/1.4.33-1)



Your message dated Sun, 3 Jun 2018 15:19:15 +0200
with message-id <20180603131915.GA32454@eldamar.local>
and subject line Re: Bug#873758: stretch-pu: package memcached/1.4.33-1
has caused the Debian Bug report #873758,
regarding stretch-pu: package memcached/1.4.33-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
873758: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873758
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

The attached patch fixes CVE-2017-9951, which has not been fixed via a DSA,
as discussed with Salvatore Bonaccorso: https://bugs.debian.org/868701.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-87-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=fr_FR (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index 92bce48..c86b8f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+memcached (1.4.33-1+deb9u1) stretch; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2017-9951 by checking the integer length of commands that adds or
+    replaces key/value pair
+
+ -- Guillaume Delacour <gui@iroqwa.org>  Tue, 25 Jul 2017 00:38:52 +0200
+
 memcached (1.4.33-1) unstable; urgency=medium
 
   * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706
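
Review bot: The new entry's "Non-maintainer upload by the Security Team" line does not match the rest of the submission: the target is `stretch` and the cover mail says the CVE was not fixed via a DSA, so that line should be dropped or reworded for a stable proposed update. The entry also has no reference to the bug named in the cover mail (https://bugs.debian.org/868701); if that is the report tracking CVE-2017-9951, a `(Closes: #868701)` would tie the upload to it. The description "checking the integer length of commands" is vaguer than the patch itself, which rejects `nbytes < 2` in `item_size_ok()` and treats a non-positive `c->sbytes` as finished in `conn_swallow`; naming those two changes would help whoever reviews the point release.
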
diff --git a/debian/patches/09_CVE-2017-9951.patch b/debian/patches/09_CVE-2017-9951.patch
new file mode 100644
index 0000000..694ba42
--- /dev/null
+++ b/debian/patches/09_CVE-2017-9951.patch
@@ -0,0 +1,36 @@
+From: dormando <dormando@rydia.net>
+Date: Tue, 4 Jul 2017 00:32:39 -0700
+Subject: [PATCH] sanity check (CVE-2017-9951)
+Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167
+
+---
+ items.c     | 2 ++
+ memcached.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/items.c b/items.c
+index 637e5e745..83a2ea37d 100644
+--- a/items.c
++++ b/items.c
+@@ -368,6 +368,8 @@ void item_free(item *it) {
+ bool item_size_ok(const size_t nkey, const int flags, const int nbytes) {
+     char prefix[40];
+     uint8_t nsuffix;
++    if (nbytes < 2)
++        return false;
+ 
+     size_t ntotal = item_make_header(nkey + 1, flags, nbytes,
+                                      prefix, &nsuffix);
+diff --git a/memcached.c b/memcached.c
+index 0f0335795..a89df965d 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) {
+ 
+         case conn_swallow:
+             /* we are reading sbytes and throwing them away */
+-            if (c->sbytes == 0) {
++            if (c->sbytes <= 0) {
+                 conn_set_state(c, conn_new_cmd);
+                 break;
+             }
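
Review bot: In the items.c part, `if (nbytes < 2) return false;` carries no comment explaining why 2 is the lower bound, and because `nbytes` is a signed `const int` this check is also what rejects negative lengths before `item_make_header()` runs; a one-line comment stating both would keep the check from being removed as redundant later. In the memcached.c part, changing `c->sbytes == 0` to `c->sbytes <= 0` makes `conn_swallow` tolerate a negative count rather than prevent one, so the patch description should say where `sbytes` can become negative and whether the `item_size_ok()` check closes that path or validation is still needed where the value is set. The patch header has `Origin:` but no field pointing at the Debian bug, which would be useful for tracking.
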
diff --git a/debian/patches/series b/debian/patches/series
index 8cedcba..af0b55e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 01_init_script_additions.patch
 04_add_init_retry.patch
 07_disable_tests.patch
+09_CVE-2017-9951.patch

--- End Message ---
--- Begin Message ---
Hi,

On Sat, Mar 10, 2018 at 09:13:59AM +0100, Salvatore Bonaccorso wrote:
> Hi Guillaume,
> 
> On Thu, Mar 08, 2018 at 02:10:10PM +0100, Guillaume Delacour wrote:
> > Hi,
> > 
> > I'm sorry I haven't found a sponsor to upload the security fix for
> > CVE-2017-9951 yet.  There is another fix that needs to be uploaded to
> > security: CVE-2018-1000115:
> 
> I'm sorry to hear that was blocked on not finding a sponsor. If you
> get an ack from SRM for the updated change and you cannot do the
> upload via your regular sponsors please ping me directly.
> 
> It's now too late for 9.4 but preferably we should have it updated for
> the next point release.

This bug can be closed; the changes as proposed by Guillaume will be
included in the memcached DSA to address CVE-2018-1000127.

Regards,
Salvatore

--- End Message ---
