Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 279386 (CVE-2009-2415) - <net-misc/memcached-1.4.1: vlen integer overflows (CVE-2009-2415)
Summary: <net-misc/memcached-1.4.1: vlen integer overflows (CVE-2009-2415)
Status: RESOLVED FIXED
Alias: CVE-2009-2415
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.debian.org/security/2009/d...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-27 19:57 UTC by Robert Buchholz (RETIRED)
Modified: 2014-06-19 11:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
net-misc:memcached-1.4.1:20091020-113243.log (net-misc:memcached-1.4.1:20091020-113243.log,30.75 KB, text/plain)
2009-10-20 11:50 UTC, Markus Meier
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 19:57:46 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Ronald Volgers reported integer signedness vulnerabilities and additional analysis by Nico Golde yielded several integer overflows, leading to heap-based buffer overflows.

Upstream contacted, no patches yet.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-08-10 13:30:39 UTC
DSA 1853:

Ronald Volgers discovered that memcached, a high-performance memory object caching system, is vulnerable to several heap-based buffer overflows due to integer conversions when parsing certain length attributes. An attacker can use this to execute arbitrary code on the system running memcached (on etch with root privileges).
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-08-10 13:33:35 UTC
1.2.8 fix:
http://consoleninja.net/code/memcached/memcached-1.2.8_proper_vlen_fix.patch
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-08-11 05:43:41 UTC
Upstream has NOT yet published patches for the 1.3.x or 1.4.x series, which are also vulnerable to the issue

Additionally, they maintain that anybody exposing memcached to the Internet is out of their mind. It's a service to run on a strictly trusted network only.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-08-11 09:11:29 UTC
For reference in the GLSA, do you have an upstream statement confirming this? I have read so before but failed to find the recommendation to restrict access to the port.
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-12 16:09:38 UTC
CVE-2009-2415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2415):
  Multiple integer overflows in memcached 1.1.12 and 1.2.2 allow remote
  attackers to execute arbitrary code via vectors involving length
  attributes that trigger heap-based buffer overflows.

Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-08-30 08:08:19 UTC
Up to and including 1.4.0 are vulnerable as well.

1.4.1 was released by upstream today, and is in the tree now. You can file the stable request as you wish for it.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-09-28 02:46:55 UTC
Arches, please test and mark stable:
=net-misc/memcached-1.4.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-09-28 15:10:24 UTC
ppc64 done
Comment 9 Tobias Klausmann gentoo-dev 2009-09-28 19:49:55 UTC
Stable on alpha.
Comment 10 Jeroen Roovers gentoo-dev 2009-09-29 00:21:56 UTC
Stable for HPPA.
Comment 11 Markus Meier gentoo-dev 2009-09-29 11:52:20 UTC
amd64/x86 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-10-01 17:55:02 UTC
ia64/sparc stable
Comment 13 nixnut (RETIRED) gentoo-dev 2009-10-07 16:29:09 UTC
ppc stable
Comment 14 Markus Meier gentoo-dev 2009-10-20 11:50:35 UTC
Created attachment 207663 [details]
net-misc:memcached-1.4.1:20091020-113243.log

fails testsuite here on arm, which is a regression compared to latest stable:

net-misc/memcached-1.4.1 USE="test -debug -slabs-reassign"

Test Summary Report
-------------------
t/binary.t         (Wstat: 65280 Tests: 1311 Failed: 3)
  Failed tests:  1308-1310
  Non-zero exit status: 255
  Parse errors: Bad plan.  You planned 3312 tests but ran 1311.
Files=32, Tests=3312, 168 wallclock secs ( 4.46 usr  0.17 sys + 26.11 cusr  4.34 csys = 35.08 CPU)
Result: FAIL
make: *** [test] Error 1
 * 
 * ERROR: net-misc/memcached-1.4.1 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_test
 *             environment, line 3054:  Called die
 * The specific snippet of code:
 *       emake -j1 test || die "Failed testing"
 *  The die message:
 *   Failed testing

Portage 2.1.6.13 (default/linux/arm/2008.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.31 armv5tel)
=================================================================
System uname: Linux-2.6.31-armv5tel-Feroceon_88FR131_rev_1_-v5l-with-gentoo-2.0.1
Timestamp of tree: Fri, 09 Oct 2009 19:55:01 +0000
app-shells/bash:     4.0_p28
dev-lang/python:     2.6.2-r1
dev-python/pycrypto: 2.0.1-r8
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.5.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="arm"
CBUILD="armv5tel-softfloat-linux-gnueabi"
CFLAGS="-Os -march=armv5te -pipe"
CHOST="armv5tel-softfloat-linux-gnueabi"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-Os -march=armv5te -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl arm berkdb bzip2 cli cracklib crypt fortran gdbm gpm iconv isdnlog modules mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session spl ssl sysfs tcpd test unicode xorg zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint mach64 mga nv r128 radeon savage sis tdfx trident 
        vga voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 15 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-10-20 20:19:30 UTC
ARM failure filed upstream:
http://code.google.com/p/memcached/issues/detail?id=100

Just waiting for SH as well.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-12-11 18:27:11 UTC
sh stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2010-04-24 19:41:17 UTC
arm stable for 1.4.5
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 16:42:49 UTC
GLSA request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-06-15 00:47:57 UTC
This issue was resolved and addressed in
 GLSA 201406-13 at http://security.gentoo.org/glsa/glsa-201406-13.xml
by GLSA coordinator Chris Reffett (creffett).
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-06-19 11:49:44 UTC
This issue was resolved and addressed in
 GLSA 201406-13 at http://security.gentoo.org/glsa/glsa-201406-13.xml
by GLSA coordinator Chris Reffett (creffett).