** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** Ronald Volgers reported integer signedness vulnerabilities and additional analysis by Nico Golde yielded several integer overflows, leading to heap-based buffer overflows. Upstream contacted, no patches yet.
DSA 1853: Ronald Volgers discovered that memcached, a high-performance memory object caching system, is vulnerable to several heap-based buffer overflows due to integer conversions when parsing certain length attributes. An attacker can use this to execute arbitrary code on the system running memcached (on etch with root privileges).
1.2.8 fix: http://consoleninja.net/code/memcached/memcached-1.2.8_proper_vlen_fix.patch
Upstream has NOT yet published patches for the 1.3.x or 1.4.x series, which are also vulnerable to the issue. Additionally, they maintain that anybody exposing memcached to the Internet is out of their mind. It's a service to run on a strictly trusted network only.
For reference in the GLSA, do you have an upstream statement confirming this? I have read so before but failed to find the recommendation to restrict access to the port.
CVE-2009-2415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2415): Multiple integer overflows in memcached 1.1.12 and 1.2.2 allow remote attackers to execute arbitrary code via vectors involving length attributes that trigger heap-based buffer overflows.
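The DSA text and the CVE description above both boil down to the same defect class: a length attribute is parsed into a signed integer, never range-checked, and then used as an allocation or copy size. The following added example (not code from this bug, from Debian, or from the memcached project) contrasts that pattern with a hardened parser. The function names, the MAX_VALUE_LEN cap and the "+2 for the trailing CRLF" detail are assumptions made for illustration; the unsafe variant only computes the size it would have used and never allocates or writes memory.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on a single value length; the real memcached limit is
   not stated on this page, so this constant is an assumption of the example. */
#define MAX_VALUE_LEN (1024 * 1024)

/* Illustrative UNSAFE pattern (the bug class, not memcached's actual code):
   the length token is parsed into a signed int with no error or range check,
   then converted to size_t to size a buffer.  A negative token such as "-1"
   becomes SIZE_MAX, and the "+2" wraps it around to a tiny allocation while
   later code still trusts the large length.  Only the size is computed here. */
size_t unsafe_alloc_size(const char *token)
{
    int vlen = (int)strtol(token, NULL, 10);   /* no errno/endptr/range check */
    return (size_t)vlen + 2;                   /* sign conversion, then unsigned wrap */
}

/* Hardened version: full strtol error checking, reject negatives and anything
   above the cap, and only then compute the size in size_t where the +2 cannot
   overflow.  Returns 0 on success (size in *out), -1 when the token is rejected. */
int safe_alloc_size(const char *token, size_t *out)
{
    char *end;
    errno = 0;
    long vlen = strtol(token, &end, 10);
    if (end == token || *end != '\0' || errno == ERANGE)
        return -1;                          /* not a number, trailing junk, or overflow */
    if (vlen < 0 || vlen > MAX_VALUE_LEN)
        return -1;                          /* negative or oversized length refused */
    *out = (size_t)vlen + 2;                /* room for "\r\n"; bounded, cannot wrap */
    return 0;
}

/* Stand-alone demo over a few constructed length tokens. */
int main(void)
{
    const char *tokens[] = { "5", "-1", "-3", "5x", "1048577", "99999999999999999999" };
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
        size_t n = 0;
        int rc = safe_alloc_size(tokens[i], &n);
        printf("token %-22s unsafe size=%zu  safe: %s",
               tokens[i], unsafe_alloc_size(tokens[i]), rc == 0 ? "accepted" : "rejected");
        if (rc == 0)
            printf(" size=%zu", n);
        putchar('\n');
    }
    return 0;
}
```

The point of the contrast is that the hardened parser makes the decision before any conversion to an unsigned type: once a negative or out-of-range value has been turned into a size_t, no later check on the converted value can tell it apart from a legitimate large length.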
Up to and including 1.4.0 are vulnerable as well. 1.4.1 was released by upstream today, and is in the tree now. You can file the stable request as you wish for it.
Arches, please test and mark stable: =net-misc/memcached-1.4.1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
ppc64 done
Stable on alpha.
Stable for HPPA.
amd64/x86 stable
ia64/sparc stable
ppc stable
Created attachment 207663
net-misc:memcached-1.4.1:20091020-113243.log

fails testsuite here on arm, which is a regression compared to latest stable:

net-misc/memcached-1.4.1 USE="test -debug -slabs-reassign"

Test Summary Report
-------------------
t/binary.t (Wstat: 65280 Tests: 1311 Failed: 3)
  Failed tests:  1308-1310
  Non-zero exit status: 255
  Parse errors: Bad plan.  You planned 3312 tests but ran 1311.
Files=32, Tests=3312, 168 wallclock secs ( 4.46 usr  0.17 sys + 26.11 cusr  4.34 csys = 35.08 CPU)
Result: FAIL
make: *** [test] Error 1
 *
 * ERROR: net-misc/memcached-1.4.1 failed.
 * Call stack:
 *   ebuild.sh, line 49:  Called src_test
 *   environment, line 3054:  Called die
 * The specific snippet of code:
 *   emake -j1 test || die "Failed testing"
 * The die message:
 *   Failed testing

Portage 2.1.6.13 (default/linux/arm/2008.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.31 armv5tel)
=================================================================
System uname: Linux-2.6.31-armv5tel-Feroceon_88FR131_rev_1_-v5l-with-gentoo-2.0.1
Timestamp of tree: Fri, 09 Oct 2009 19:55:01 +0000
app-shells/bash:     4.0_p28
dev-lang/python:     2.6.2-r1
dev-python/pycrypto: 2.0.1-r8
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.5.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="arm"
CBUILD="armv5tel-softfloat-linux-gnueabi"
CFLAGS="-Os -march=armv5te -pipe"
CHOST="armv5tel-softfloat-linux-gnueabi"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-Os -march=armv5te -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl arm berkdb bzip2 cli cracklib crypt fortran gdbm gpm iconv isdnlog modules mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session spl ssl sysfs tcpd test unicode xorg zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint mach64 mga nv r128 radeon savage sis tdfx trident vga voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
ARM failure filed upstream: http://code.google.com/p/memcached/issues/detail?id=100 Just waiting for SH as well.
sh stable
arm stable for 1.4.5
GLSA request filed.
This issue was resolved and addressed in GLSA 201406-13 at http://security.gentoo.org/glsa/glsa-201406-13.xml by GLSA coordinator Chris Reffett (creffett).