Bug 662888 (CVE-2018-1000127) - <net-misc/memcached-1.4.39: integer overflow in items.c:item_free() (CVE-2018-1000127)
Status: RESOLVED FIXED
Alias: CVE-2018-1000127
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-05 22:56 UTC by GLSAMaker/CVETool Bot
Modified: 2018-09-23 15:44 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-05 22:56:14 UTC
CVE-2018-1000127 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000127):
  memcached version prior to 1.4.37 contains an Integer Overflow vulnerability
  in items.c:item_free() that can result in data corruption and deadlocks due
  to items existing in hash table being reused from free list. This attack
  appears to be exploitable via network connectivity to the memcached service.
  This vulnerability appears to have been fixed in 1.4.37 and later.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-08-05 22:57:46 UTC
@ Maintainer(s): Please clean up and drop vulnerable version =net-misc/memcached-1.4.33!
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2018-08-06 16:19:25 UTC
sure that's the correct CVE? seems like we are adding another digit every year
Comment 3 Larry the Git Cow gentoo-dev 2018-08-06 16:20:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c98a5717c9b92ec1cf9921dd5f8065791dffff89

commit c98a5717c9b92ec1cf9921dd5f8065791dffff89
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2018-08-06 16:19:46 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2018-08-06 16:20:03 +0000

    net-misc/memcached: remove old for CVE-2018-1000127
    
    Bug: https://bugs.gentoo.org/662888
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 net-misc/memcached/Manifest                |  5 --
 net-misc/memcached/memcached-1.4.33.ebuild | 83 --------------------------
 net-misc/memcached/memcached-1.5.5.ebuild  | 95 ------------------------------
 net-misc/memcached/memcached-1.5.6.ebuild  | 95 ------------------------------
 net-misc/memcached/memcached-1.5.7.ebuild  | 95 ------------------------------
 net-misc/memcached/memcached-1.5.8.ebuild  | 95 ------------------------------
 6 files changed, 468 deletions(-)
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-09-23 15:44:05 UTC
GLSA vote: No