authorNatanael Copa <ncopa@alpinelinux.org>2013-12-03 12:28:12 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-12-03 12:28:49 +0000
commitdeded5f6427a47a48eac3311151c147dab49cdd6 (patch)
treec6e916624bd9f60abd4ab0317d88209473b68681
parent8d663144da2b4cac4c6312be9111b938df121d75 (diff)
downloadaports-deded5f6427a47a48eac3311151c147dab49cdd6.tar.bz2
aports-deded5f6427a47a48eac3311151c147dab49cdd6.tar.xz
main/memcached: security workaround for CVE-2011-4971
ref #2451
-rw-r--r--main/memcached/APKBUILD6
-rw-r--r--main/memcached/CVE-2011-4971.patch47
2 files changed, 52 insertions, 1 deletions
diff --git a/main/memcached/APKBUILD b/main/memcached/APKBUILD
index 2ed54a1954..cb98ec62f1 100644
--- a/main/memcached/APKBUILD
+++ b/main/memcached/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=memcached
pkgver=1.4.15
-pkgrel=1
+pkgrel=2
pkgdesc="Distributed memory object caching system"
url="http://memcached.org"
arch="all"
@@ -13,6 +13,7 @@ makedepends="$depends_dev"
install="$pkgname.pre-install"
subpackages="$pkgname-dev $pkgname-doc"
source="http://memcached.googlecode.com/files/$pkgname-$pkgver.tar.gz
+ CVE-2011-4971.patch
$pkgname.confd
$pkgname.initd"
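Review bot: Listing `CVE-2011-4971.patch` in `source=` only fetches and checksums the file; nothing in these hunks shows it being applied to the memcached tree. The diffstat's six changed APKBUILD lines are fully accounted for by the pkgrel, source and three checksum edits, so this commit adds no `prepare()` step. The fix therefore reaches the built binary only if the existing APKBUILD already applies the `*.patch` entries from `$source`, which should be confirmed. If it does not, add something like `patch -p1 -i "$srcdir"/CVE-2011-4971.patch || return 1` to `prepare()`; the `-p1` matches the `memcached-1.4.15.orig/memcached.c` paths in the patch header.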
@@ -49,11 +50,14 @@ package() {
}
md5sums="36ea966f5a29655be1746bf4949f7f69 memcached-1.4.15.tar.gz
+e73c5651b37f54020bea00a4318cef2e CVE-2011-4971.patch
9d7396bf77c72ca3845118424cd1898b memcached.confd
cc344c9aead89042ca2fbf45cd3930a6 memcached.initd"
sha256sums="169721ab7a7531add6ae9f6b14b6b5641725fe0b1f0bdf5c3a4327725901e2b4 memcached-1.4.15.tar.gz
+0dbb2a8425e051f21a4f767055b82b6294ecf1d22082aeb24f6688bbc9870aed CVE-2011-4971.patch
d8648ea385035632b209acfae27b0a46ec446e58d37de43874d2a41ba13b6923 memcached.confd
e4b6415c5501963d2ce421aab9d595736091bc895b8f3762e746593f7d736792 memcached.initd"
sha512sums="53a9d7c109db01c6d345c79bddcbffae4b5b113244782e869d16f2b704c07bee1d8d9270c54065c06ed878e641a68c666c02ba6d4e81f83d771ae27a2b91e511 memcached-1.4.15.tar.gz
+a1f6ece8e3b07509aadbd24c3420cb4400a47c6f046282243a6e295d041ff8f84ff2de86e657cb233199259cca63360e03b173a5abff0d67789eef91847be5eb CVE-2011-4971.patch
059c16613648bb46ec41e1cab08033cafb7a75c71e9cf961d1e1bfa1219e17a4f528555708fc29d8eedcbd662199c32d7bc5d8ba4418bcabd8e30239bbc8e36c memcached.confd
65782982faaa8966ae0e1335ae367db1c65a94b5e218dfb1245e9d5e3b03ed42234c8023e6f6af13ba06bc6a5f25be5e34b4c84f4fd67805df280c94315c6a23 memcached.initd"
diff --git a/main/memcached/CVE-2011-4971.patch b/main/memcached/CVE-2011-4971.patch
new file mode 100644
index 0000000000..fc02be8686
--- /dev/null
+++ b/main/memcached/CVE-2011-4971.patch
@@ -0,0 +1,47 @@
+Issue 192: Crash when sending specially crafted packet
+Author: Christos Tsantilas <christos@chtsanti.net>
+
+This is an unsigned to signed integers conversion problem.
+Inside the following functions:
+ process_bin_sasl_auth
+ process_bin_complete_sasl_auth
+ process_bin_update
+ process_bin_append_prepend
+
+there is the following or a similar statement:
+ int vlen = c->binary_header.request.bodylen - nkey;
+
+The c->binary_header.request.bodylen is an unsigned int which if it is bigger
+than the INT_MAX and converted to a signed int will result to a negative number
+causing segfaults to memcached.
+The c->binary_header.request.bodylen is the request body length defined by
+the client request. Random bytes sent to the memcached may interpeted
+as a normal request with huge body data.
+This patch just add a check and reject requests which report huge body data.
+
+
+--- memcached-1.4.15.orig/memcached.c 2012-09-03 21:23:23.000000000 +0300
++++ memcached-1.4.15/memcached.c 2013-11-26 14:22:28.206370577 +0200
+@@ -3446,6 +3446,22 @@
+ return -1;
+ }
+
++ /*
++ issue #192:
++ c->binary_header.request.bodylen is an unsigned int but it is
++ used in many places as a signed int.
++ Add a check here to avoid bad integer type conversions which
++ may cause crashes to memcached.
++ */
++ if (c->binary_header.request.bodylen > INT_MAX) {
++ if (settings.verbose) {
++ fprintf(stderr, "Invalid request body length: %u\n",
++ c->binary_header.request.bodylen);
++ }
++ conn_set_state(c, conn_closing);
++ return -1;
++ }
++
+ c->msgcurr = 0;
+ c->msgused = 0;
+ c->iovused = 0;
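Review bot: The new guard rejects only `bodylen > INT_MAX`, but the statement quoted in the patch description, `int vlen = c->binary_header.request.bodylen - nkey;`, also yields a negative `vlen` when the body length is smaller than `nkey`, and nothing in this hunk rules that out. The enclosing function starts and ends outside the hunk, so that validation may already exist there or in the per-command handlers. If it does not, the header check should also reject a body shorter than key plus extras, e.g. `if (c->binary_header.request.bodylen > INT_MAX || c->binary_header.request.bodylen < (uint32_t)c->binary_header.request.keylen + c->binary_header.request.extlen) {`. The rejection is logged only under `settings.verbose`, so a stats counter for dropped requests would let operators see malformed traffic in a default configuration.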