Bug 268158 (CVE-2009-1255) - <net-misc/memcached-1.2.8 Information disclosure (CVE-2009-{1255,1494})
Status: RESOLVED FIXED
Alias: CVE-2009-1255
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://code.google.com/p/memcachedb/s...
Whiteboard: B4 [noglsa]
Depends on: 271246
Reported: 2009-05-01 19:43 UTC by Alex Legler (RETIRED)
Modified: 2009-07-27 10:35 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 19:43:05 UTC
CVE-2009-1255 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1255):
  The process_stat function in (1) Memcached before 1.2.8 and (2)
  MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in
  response to a stats maps command and (b) memory-allocation statistics
  in response to a stats malloc command, which allows remote attackers
  to obtain sensitive information such as the locations of memory
  regions, and defeat ASLR protection, by sending a command to the
  daemon's TCP port.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 19:43:50 UTC
Robin, can we go stable with 1.2.8?
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 20:41:10 UTC
CVE-2009-1494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1494):
  The process_stat function in Memcached 1.2.8 discloses
  memory-allocation statistics in response to a stats malloc command,
  which allows remote attackers to obtain potentially sensitive
  information by sending this command to the daemon's TCP port.
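
An added example, not part of the original bug report or of memcached's code: a small audit helper that inspects a captured reply to `stats maps` or `stats malloc` from a server you operate and reports what the two CVE descriptions above say is disclosed. The function names, sample replies, addresses and values are constructed for illustration, and the exact reply framing is an assumption.

```python
import re

# One /proc/self/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) [0-9a-f]+ "
    r"[0-9a-f]+:[0-9a-f]+ \d+\s*(.*)$"
)

def disclosed_regions(reply: bytes):
    """Return (base_address, perms, label) for every memory-map line in a
    reply to 'stats maps'. An empty list means no layout was disclosed."""
    regions = []
    for line in reply.decode("ascii", "replace").splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            start, _end, perms, path = m.groups()
            regions.append((int(start, 16), perms, path or "[anonymous]"))
    return regions

def disclosed_malloc_stats(reply: bytes):
    """Return the STAT name/value pairs found in a reply to 'stats malloc'."""
    stats = {}
    for line in reply.decode("ascii", "replace").splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats

# Constructed sample replies (assumed framing; addresses and values made up).
VULNERABLE_MAPS = (
    b"08048000-08057000 r-xp 00000000 08:01 131 /usr/bin/memcached\n"
    b"b7d6a000-b7ea3000 r-xp 00000000 08:01 412 /lib/libc-2.9.so\n"
    b"bfc2d000-bfc42000 rw-p 00000000 00:00 0 [stack]\n"
    b"END\r\n"
)
VULNERABLE_MALLOC = b"STAT arena_size 135168\r\nSTAT total_alloc 71232\r\nEND\r\n"
# Constructed stand-in for a reply that carries no map or allocator data.
NO_DISCLOSURE = b"ERROR\r\n"

if __name__ == "__main__":
    # Each disclosed base address is a value ASLR is supposed to keep secret.
    for base, perms, label in disclosed_regions(VULNERABLE_MAPS):
        print(f"disclosed {label} at {base:#x} ({perms})")
    print(disclosed_malloc_stats(VULNERABLE_MALLOC))
```
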
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-05-25 22:04:23 UTC
1.3.3-r1 should go to stable. Want the stablereq in this bug, or in a separate one?

I'd rank this exploit as fairly low priority, as memcached is meant for use on internal networks only. It would be far more destructive for the attacker to simply flush the cache.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-05-26 00:56:31 UTC
Usually we'd handle stabilization on this bug. It's easier to follow for us and arches.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-07-18 17:18:48 UTC
ppc/ppc64: please see the blocking bug
Comment 6 nixnut (RETIRED) gentoo-dev 2009-07-19 16:11:40 UTC
memcached-1.3.3-r2 stabled on ppc
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-07-26 12:40:37 UTC
ppc64 done
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-07-26 18:15:33 UTC
rbu: all arches stable
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 10:28:26 UTC
GLSA decision. Upstream is not too clear about the fact that access to the memcached port should be restricted. On the other hand, I suspect if unprivileged users were able to retrieve cached objects via that port, other data could be disclosed as well. Since the impact is the defeat of ASLR, but not an immediate compromise, I vote NO.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-27 10:35:29 UTC
No, too. Closing.