From $URL :

We got a report about a DoS in memcached when run with -vv (verbose mode) and a request to delete a key is sent to the server (via memrm). Because memcached doesn't null terminate the keys as it prints them, fprintf may run off the end of the buffer. This isn't a very significant issue (even without SSP/FORTIFY_SOURCE if you could do something more malicious, memcached won't run as root). Also note the docs indicate that memcached should only be accessible via trusted users/hosts and not the internet at large, so the exposure should be minimal.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=895054
https://code.google.com/p/memcached/issues/detail?id=306
https://code.google.com/p/memcached/issues/attachmentText?id=306&aid=3060004000&name=0001-Fix-buffer-overrun-when-logging-key-to-delete-in-bin.patch&token=3GEzHThBL5cxmUrsYANkW03RrNY%3A1358179503096
Note that the patch that ago linked doesn't cover all instances of this overrun, see the bug report. Upstream hasn't released a fix yet.
CVE-2013-0179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0179): The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr.
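Added example, not part of this bug thread and not memcached's own code: a length-bounded way to log a key that arrives without a null terminator, which is the condition the CVE text describes. The helper name render_key and the sample buffer are assumptions made for illustration; the example also escapes non-printable bytes, which goes beyond the over-read itself.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern, shown for contrast only: "%s" keeps reading until it
 * meets a 0 byte, so a key with no terminator is read past its end.
 *     fprintf(stderr, "Deleting %s\n", key);
 */

/* Hypothetical helper (not a memcached function): render exactly nkey
 * bytes of key into out, escaping non-printable bytes as \xNN.
 * It never reads key[nkey] or beyond. Returns the number of bytes
 * written, excluding the terminator; truncates if out is too small. */
size_t render_key(char *out, size_t outsz, const char *key, size_t nkey)
{
    size_t o = 0;
    if (outsz == 0)
        return 0;
    for (size_t i = 0; i < nkey; i++) {
        unsigned char c = (unsigned char)key[i];
        if (isprint(c) && c != '\\') {
            if (o + 1 >= outsz)          /* keep room for the terminator */
                break;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz)          /* 4 escape bytes + terminator */
                break;
            snprintf(out + o, outsz - o, "\\x%02x", (unsigned)c);
            o += 4;
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: a 3-byte key followed directly by unrelated
     * bytes, as in a request buffer where the key has no terminator. */
    const char buf[] = { 'f', 'o', 'o', 'O', 'T', 'H', 'E', 'R' };
    char line[64];

    render_key(line, sizeof line, buf, 3);
    fprintf(stderr, "Deleting %s\n", line);   /* line is terminated */
    return 0;
}
```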
Maintainers, this looks like it is fixed in 1.4.17; I am adding it to the existing GLSA. Please advise if otherwise.
This issue was resolved and addressed in GLSA 201406-13 at http://security.gentoo.org/glsa/glsa-201406-13.xml by GLSA coordinator Chris Reffett (creffett).