memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function

Debian Bug report logs - #868701
memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function

Date: Mon, 17 Jul 2017 22:34:23 +0200

Source: memcached
Version: 1.4.33-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for memcached.

CVE-2017-9951[0]:
| The try_read_command function in memcached.c in memcached before 1.4.39
| allows remote attackers to cause a denial of service (segmentation
| fault) via a request to add/set a key, which makes a comparison between
| signed and unsigned int and triggers a heap-based buffer over-read.
| NOTE: this vulnerability exists because of an incomplete fix for
| CVE-2016-8705.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9951
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9951

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #12 received at 868701@bugs.debian.org (full text, mbox, reply):

From: Guillaume Delacour <gui@iroqwa.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 868701@bugs.debian.org

Subject: Re: Bug#868701: memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function

Date: Mon, 24 Jul 2017 23:53:27 +0200

[Message part 1 (text/plain, inline)]

On Mon, Jul 17, 2017 at 10:34:23PM +0200, Salvatore Bonaccorso wrote:
> 
> Please adjust the affected versions in the BTS as needed.

Please find attached the debdiff for Debian 8 Jessie.
Also, you can find a little test case (and results) without (CVE-2017-9951_exploit.log) 
and with the fix (CVE-2017-9951_fixed.log). I've build and test it on a clean jessie schroot.

> 
> Regards,
> Salvatore
> 

-- 
Guillaume Delacour

[CVE-2017-9951.debdiff (text/plain, attachment)]

[CVE-2017-9951_exploit.py (text/x-python, attachment)]

[CVE-2017-9951_exploit.log (text/plain, attachment)]

[CVE-2017-9951_fixed.log (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 868701@bugs.debian.org (full text, mbox, reply):

From: Guillaume Delacour <gui@iroqwa.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 868701@bugs.debian.org

Subject: Re: Bug#868701: memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function

Date: Tue, 25 Jul 2017 01:16:26 +0200

[Message part 1 (text/plain, inline)]

On Mon, Jul 17, 2017 at 10:34:23PM +0200, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed.
> 

Please find attached the debdiff for Debian 9 Stretch.
Also, you can find a little test case (and results) without (CVE-2017-9951_1.4.33.log) 
and with the fix (CVE-2017-9951_1.4.33_fixed.log). I've build and test it on a clean stretch schroot.

-- 
Guillaume Delacour

[CVE-2017-9951_stretch.debdiff (text/plain, attachment)]

[CVE-2017-9951_1.4.33.log (text/plain, attachment)]

[CVE-2017-9951_1.4.33_fixed.log (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #26 received at 868701@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Guillaume Delacour <gui@iroqwa.org>, 868701@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>

Subject: Re: Bug#868701: memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function

Date: Tue, 25 Jul 2017 21:28:02 +0200

Hi Guillaume!

On Tue, Jul 25, 2017 at 01:16:26AM +0200, Guillaume Delacour wrote:
> On Mon, Jul 17, 2017 at 10:34:23PM +0200, Salvatore Bonaccorso wrote:
> > Please adjust the affected versions in the BTS as needed.
> > 
> 
> Please find attached the debdiff for Debian 9 Stretch.
> Also, you can find a little test case (and results) without
> (CVE-2017-9951_1.4.33.log) 
> and with the fix (CVE-2017-9951_1.4.33_fixed.log). I've build and
> test it on a clean stretch schroot.

Thanks for your work! I think the issue on its own would not warrant a
DSA. Can you fix the issue please via a point release? Some guide can
be found here:

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

I did quickly thouggh skim over your debdiffs. When you propose the
debdiff to the stable release manager make sure to adjust the
targetting distribution in the changelog, that is 'stretch' for
1.4.33-1+deb9u1, and 'jessie' for 1.4.21-1.1+deb8u2 (rather than
unstable).

Hope this helps and thanks for your work!

Regards,
Salvatore

Message #31 received at 868701-close@bugs.debian.org (full text, mbox, reply):

From: Guillaume Delacour <gui@iroqwa.org>

To: 868701-close@bugs.debian.org

Subject: Bug#868701: fixed in memcached 1.5.0-1

Date: Sat, 29 Jul 2017 14:52:09 +0000

Source: memcached
Source-Version: 1.5.0-1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868701@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillaume Delacour <gui@iroqwa.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 24 Jul 2017 01:13:20 +0200
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.5.0-1
Distribution: unstable
Urgency: medium
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Guillaume Delacour <gui@iroqwa.org>
Description:
 memcached  - high-performance memory object caching system
Closes: 853544 868701 869479
Changes:
 memcached (1.5.0-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #853544, #869479)
    + Fix CVE-2017-9951 (Closes: #868701)
    + Automated slab rebalancing
   * Remove ship mc_slab_mover script as upstream don't ship it anymore
   * Refresh 01_init_script_additions.patch (status implemented upstream)
   * Refresh 04_add_init_retry.patch
   * Bumped policy version to 4.0.0 (no changes needed)
Checksums-Sha1:
 d9e79276ae265faf19d2be66acd0486ccd36ab75 2045 memcached_1.5.0-1.dsc
 e12af93e63c05ab7e89398e4cfd0bfc7b7bff1c5 404327 memcached_1.5.0.orig.tar.gz
 fe35652cd1c6a2f9b0000db895fe180ae5554aeb 13008 memcached_1.5.0-1.debian.tar.xz
 53d4687bb72652857dfee0167ff65569b284ea88 209534 memcached-dbgsym_1.5.0-1_amd64.deb
 dfa2f6612814bef3ece1925ec9c15596060a56b4 6095 memcached_1.5.0-1_amd64.buildinfo
 31f9490b9ef6837345471a338a1152960a4de7ae 119530 memcached_1.5.0-1_amd64.deb
Checksums-Sha256:
 d2665ce37da045284a410d37a5f6f5c082cb75048fa65fac94e40708371356d8 2045 memcached_1.5.0-1.dsc
 c001f812024bb461b5e4d7d0506daab63dff9614eea26f46536c3b7e1e601c32 404327 memcached_1.5.0.orig.tar.gz
 fc594e62b7b8058ed2e8b52726634000d55194456398d5fb754211fab7366a13 13008 memcached_1.5.0-1.debian.tar.xz
 61711f968b6c8f15d546e8434294c6435eba914a4b11e1ddd1887836c4081858 209534 memcached-dbgsym_1.5.0-1_amd64.deb
 4ad5f94a1062fb9f75e54d7042b4023a5e0e1091acf571ac985be4d8422c87bc 6095 memcached_1.5.0-1_amd64.buildinfo
 e738a9a7b25228a18be6f09f74233436fa08db69af63304518e72c3f6c0d27ff 119530 memcached_1.5.0-1_amd64.deb
Files:
 5798dee5ef45dda4aa2ab145cb9eba58 2045 web optional memcached_1.5.0-1.dsc
 81326513f60d7ba482f8131975cd55ae 404327 web optional memcached_1.5.0.orig.tar.gz
 e1e6bcc34b773327fbd615abfa716c34 13008 web optional memcached_1.5.0-1.debian.tar.xz
 de3eace24dcc4ff235aa3f348562b8d9 209534 debug extra memcached-dbgsym_1.5.0-1_amd64.deb
 955d48b6342654dfda42d99f524b8491 6095 web optional memcached_1.5.0-1_amd64.buildinfo
 fa92afc3473d4c5b21c4e0be10846a47 119530 web optional memcached_1.5.0-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Comment: Signed by Ana Guerrero

iQIzBAEBCAAdFiEEejPsqhiLlvJ8kXKIs0ZPiWqhWUgFAll8kDIACgkQs0ZPiWqh
WUg67Q//cFVu0kg17KyfRITnUpr/TyHlSuha3JdB5MTT7ikRLt7PGLNXoDsKqrDF
ppXF34yUxKxZX/Ovngo5HsSOBzSkuGovOmNAuKI9hGaYUIaRRizzxSYnTQr/wH4o
PRw4CZgKhbCHLLmjpOYFM8kua6hVgyOElGEcEgNwkpur6wN1zzUmtCktvRWBr7a8
v9Adr0eOzNDrcKDHf0rPpsrCVL2UArsbY4WAwA8f0wc2AGqNSyvOhdS5yNtcX/3q
mbFAdRHrhAJvDaTKwZKkZZwBq+QrgWVmzz+SAqqlIYFMlMqwN7lc3Cb3Aff4aZlc
B+Pi3d9Ge/RoczIXlpashAD4WPv0suCDDuYTOCL+pT2o9ET+RC9mfBpxax7Ttmwv
71MWv9MKr/G5ky5JjRCUNPg5zloN8rWhn8X9WEmZrqLi3QXSTP6Sg3zeZT82nIjI
MNp8QHuGgTtlIJJOFTRWmWi0P+jlPsbpd9q+7o6Uth8uSHxAOAZuXLsZPkbcrKPe
Hob61QySAOP707r5ii5mnBLYiCbsKh+F6JbF+qK6gHnz04UlkN8cTtYDhjiv+zIf
p34q17qeMbRoVglkyYN00eRCJdLLfl/PLKhXzuj1M8VhFJ0GxU/THNcvcPIcPyYP
Dfs3DXaJSg99I7ySaykKoxzIXvLRWkbySRBcqOP6PpD5k0rq9B8=
=jHdO
-----END PGP SIGNATURE-----

Message #40 received at 868701-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 868701-close@bugs.debian.org

Subject: Bug#868701: fixed in memcached 1.4.33-1+deb9u1

Date: Tue, 12 Jun 2018 22:04:04 +0000

Source: memcached
Source-Version: 1.4.33-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868701@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 11:37:55 +0200
Source: memcached
Binary: memcached
Architecture: source
Version: 1.4.33-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 868701 894404
Description: 
 memcached  - high-performance memory object caching system
Changes:
 memcached (1.4.33-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ Guillaume Delacour ]
   * Fix CVE-2017-9951 by checking the integer length of commands that adds or
     replaces key/value pair (Closes: #868701)
   * Fix CVE-2018-1000115
     + debian/patches/10_CVE-2018-1000115.patch disable listening on UDP port
       by default (from Ubuntu)
     + debian/NEWS add explanation and document how to re-enable UDP if
       necessary.
 .
   [ Salvatore Bonaccorso ]
   * Don't overflow item refcount on get (CVE-2018-1000127) (Closes: #894404)
Checksums-Sha1: 
 dcf4313a69410c9c2f911e96dfe3c250480cdd1a 2203 memcached_1.4.33-1+deb9u1.dsc
 e343530c55946ccbdd78c488355b02eaf90b3b46 389813 memcached_1.4.33.orig.tar.gz
 b47209f2fe7cf3421c7c8af47fdd8b285fff25d9 15924 memcached_1.4.33-1+deb9u1.debian.tar.xz
Checksums-Sha256: 
 a739f2e38eb01c38108da37febf9958aac020ea090db83c4fc1a37e43cb25356 2203 memcached_1.4.33-1+deb9u1.dsc
 83726c8d68258c56712373072abb25a449c257398075a39ec0867fd8ba69771d 389813 memcached_1.4.33.orig.tar.gz
 9f15cacc3a2b7cbbb73aa681325e078e4de066cc65c07c4b572ab43132b67171 15924 memcached_1.4.33-1+deb9u1.debian.tar.xz
Files: 
 9e5331a297dc4771f5e45d410d26a04c 2203 web optional memcached_1.4.33-1+deb9u1.dsc
 2d7f6476283cd36e21e521d901d37a8f 389813 web optional memcached_1.4.33.orig.tar.gz
 d36d194545c3cfcd799411fa0e2ec0a9 15924 web optional memcached_1.4.33-1+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsTwqpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E9j8P/jLrczwmr72EyXHcAoK+eFS29cnOGcTd
ta2PFh0bktqfNYUR2uP8BNekQkds1S/dI/Dlo4+qrQyuyLTbEXV00NgMCOm7vh+M
8dLa4uWBZYJtnbMDQ0kwL/ExSbPKL7xKzlZ82/eRBsmTA0aIUbCgSe33azPjwSaW
cHdrqWzlyv+C5ClzatyFXHY9kqLQbszU35P2I59IcHo2mqR6x4AsKYH0iDSIc3lj
+2TKZf3HcUg4s0zpwwEs/41LyYWU1LcToyXwynHAElTEtDQl5YO6yrKkgd+ZB2We
4GAyRWkEQHBMYEO9kSQagBXbaLm/07/+89JJPTrBg1WikMVdxJV8GIcX7qRUNN2f
PVv5j8DD/NEDrDbpjEOltWp4eI1kEVjOSVjtiMomxKqVyQx33Bp6tQLGedpBovd5
Q8xgNAleAUPW350W0gwaT1JtaCDegcr8vAebalzqWbHawgWX0/FqXVommm6sTg4I
UzhaPdvZEfG4Yll0TVygSmqdXiVbz7SmJLu082STBaTF4mSJkFnCH6O9rekEtkUh
/EZDbAtfZ3Ac0hTtp+MfXQKiCpe6ZeM2h4K+xcV4oxWogpvWnHGXryq5PGxFSUoY
7P6wf2qkmgQUjqpShqYMpMKWMCKTuJt8DX5wS2pLGiEfKsD8wV8Bfq5DkoF0+nm0
LpW0wvmN0X3T
=C+iC
-----END PGP SIGNATURE-----

Message #45 received at 868701-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 868701-close@bugs.debian.org

Subject: Bug#868701: fixed in memcached 1.4.21-1.1+deb8u2

Date: Sun, 17 Jun 2018 18:03:42 +0000

Source: memcached
Source-Version: 1.4.21-1.1+deb8u2

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868701@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 15:21:23 +0200
Source: memcached
Binary: memcached
Architecture: source
Version: 1.4.21-1.1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 868701 894404
Description: 
 memcached  - high-performance memory object caching system
Changes:
 memcached (1.4.21-1.1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Heap-based buffer over-read in try_read_command function (CVE-2017-9951)
     (Closes: #868701)
   * disable UDP port by default (CVE-2018-1000115)
   * debian/NEWS: Add explanation and document how to re-enable UDP if
     necessary
   * Don't overflow item refcount on get (CVE-2018-1000127) (Closes: #894404)
Checksums-Sha1: 
 6901d63d584bde6a11f7d422bab6712d2696bf89 2194 memcached_1.4.21-1.1+deb8u2.dsc
 2016df8d8b356050e61fb31b7a672b22977a5aaa 17396 memcached_1.4.21-1.1+deb8u2.debian.tar.xz
Checksums-Sha256: 
 1708eeb259b35d9240bed705243958cf0794f056e8077c700fb0040b8b17cfa0 2194 memcached_1.4.21-1.1+deb8u2.dsc
 04cbe5dc6f9bafc493a0a73ca32fabe4e3428c85d9ea9b3e2ae1206005c0096c 17396 memcached_1.4.21-1.1+deb8u2.debian.tar.xz
Files: 
 6c6e7171237601151b0f900dd19a0cf7 2194 web optional memcached_1.4.21-1.1+deb8u2.dsc
 fbb18fe88d8e9fc41a996845593326af 17396 web optional memcached_1.4.21-1.1+deb8u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsT7qxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EShUQAIoamPmJD8hR1YtuR2do7V/+7mFi2JfP
DUPiX7xL3h//NScynuybporLRZU6/aDH2njxYt3AiJ+Y3SUwiKiF/bbyFaHF9S/+
5IERDKqYEQgNaYeNW5GS8dU/XWmUBBUUf/3Wm091AwDyIOxSAYAZ4oTlem1xNtkE
GNDNqOQbKdAEjieCChEpkUDTh4Nbm4bLQFZ/7PIicBuAq7lqqI4IXyyuMckdm6HC
7J+Qaa02roYMy8SnwkRuC3GZnOlR+XrsSExU5jL8dILda+sn+aY1JlCNID+VwPb/
C5G22U+4HevdudCg9xST81yrv0JfLuD600J0EEX9aPYoxSF5La4YNVZAQ0koJbLl
Skn/jz7X3IeY0p/unTktXVlzU0agSKQIYqVRu7urbV7PD8TkwsuclR4yLydj4TxE
phN+UytX78BEjB/AeST71r3wSaKrjUDIb+PBDvFRa/EpKjpHCbAagevd2CigdXyr
zd1c3J2cTpYvChWoBqdkSMbQqHXfroWML7xUcqQR73OGyVZx97C/Vyw9Ipf1o1gj
x70KcuEyvzlNjuodONYbtsVtgTS+LSEIAvxuByxknpj+Z1I38RgUPn5vXrmvG879
P6mvWSh6VYVZUFT6amPVfmBe2bJfxUaDuYq7wkY9KwMyvKIX1Sw6Jl+vauoHWxSP
ZCftmTrnTVBk
=rCFr
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.