Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 625494 (CVE-2017-9951) - <net-misc/memcached-1.4.39: Heap-based buffer over-read in try_read_command function (incomplete fix for CVE-2016-8705)
Summary: <net-misc/memcached-1.4.39: Heap-based buffer over-read in try_read_command f...
Status: RESOLVED FIXED
Alias: CVE-2017-9951
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-18 08:08 UTC by Agostino Sarubbo
Modified: 2018-11-25 00:58 UTC (History)
2 users (show)

See Also:
Package list:
=net-misc/memcached-1.4.39
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-07-18 08:08:19 UTC
From ${URL} :

The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison 
between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8705. 

References:

https://www.twistlock.com/2017/07/13/cve-2017-9951-heap-overflow-memcached-server-1-4-38-twistlock-vulnerability-report/
https://github.com/memcached/memcached/wiki/ReleaseNotes1439
https://groups.google.com/forum/message/raw?msg=memcached/ubGWrkmrr4E/nrm1SeVJAQAJ


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-07-27 16:50:41 UTC
It is ready for stablization, I'd target 1.4.39 and not 1.5.0 as 1.5.0 hasn't had much time.

We'll need the following stablereqs though.

alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-07-27 17:11:25 UTC
@arches, please stabilize.
Comment 3 Sergei Trofimovich gentoo-dev 2017-07-27 21:13:40 UTC
ia64 stable
Comment 4 Sergei Trofimovich gentoo-dev 2017-07-30 16:34:16 UTC
stable 1.4.39 for ppc/ppc64
Comment 5 Tobias Klausmann gentoo-dev 2017-07-31 11:37:52 UTC
Stable on amd64.
Comment 6 Markus Meier gentoo-dev 2017-08-08 20:41:14 UTC
arm stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2017-08-18 19:44:26 UTC
x86 stable
Comment 8 Tobias Klausmann gentoo-dev 2017-09-04 07:34:15 UTC
Stable on alpha.
Comment 10 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-09-25 15:26:57 UTC
so I guess we are just waiting on hppa then?
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-25 21:52:27 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #10)
> so I guess we are just waiting on hppa then?

Yes.
Comment 12 Sergei Trofimovich gentoo-dev 2018-01-28 12:53:35 UTC
commit 608512e3c86a80f941a9a9161a1af204035f6c1d
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Sat Jan 27 23:25:40 2018 +0100

    net-misc/memcached: stable 1.4.39 for sparc, bug #625494
Comment 13 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2018-02-14 03:07:52 UTC
hppa, a ping?
Comment 14 Sergei Trofimovich gentoo-dev 2018-03-14 21:58:55 UTC
commit 722a44f9273423e6296ef04a1d8c259deea333f1
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Tue Mar 13 17:07:34 2018 +0100

    net-misc/memcached: Stable for HPPA too.