main/memcached: security workaround for CVE-2011-4971

ref #2451

2 files changed, 52 insertions, 1 deletions

diff --git a/main/memcached/APKBUILD b/main/memcached/APKBUILD
index 2ed54a1954..cb98ec62f1 100644
--- a/main/memcached/APKBUILD
+++ b/main/memcached/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=memcached
 pkgver=1.4.15
-pkgrel=1
+pkgrel=2
 pkgdesc="Distributed memory object caching system"
 url="http://memcached.org"
 arch="all"
@@ -13,6 +13,7 @@ makedepends="$depends_dev"
 install="$pkgname.pre-install"
 subpackages="$pkgname-dev $pkgname-doc"
 source="http://memcached.googlecode.com/files/$pkgname-$pkgver.tar.gz
+	CVE-2011-4971.patch
 	$pkgname.confd
 	$pkgname.initd"
 
@@ -49,11 +50,14 @@ package() {
 }
 
 md5sums="36ea966f5a29655be1746bf4949f7f69  memcached-1.4.15.tar.gz
+e73c5651b37f54020bea00a4318cef2e  CVE-2011-4971.patch
 9d7396bf77c72ca3845118424cd1898b  memcached.confd
 cc344c9aead89042ca2fbf45cd3930a6  memcached.initd"
 sha256sums="169721ab7a7531add6ae9f6b14b6b5641725fe0b1f0bdf5c3a4327725901e2b4  memcached-1.4.15.tar.gz
+0dbb2a8425e051f21a4f767055b82b6294ecf1d22082aeb24f6688bbc9870aed  CVE-2011-4971.patch
 d8648ea385035632b209acfae27b0a46ec446e58d37de43874d2a41ba13b6923  memcached.confd
 e4b6415c5501963d2ce421aab9d595736091bc895b8f3762e746593f7d736792  memcached.initd"
 sha512sums="53a9d7c109db01c6d345c79bddcbffae4b5b113244782e869d16f2b704c07bee1d8d9270c54065c06ed878e641a68c666c02ba6d4e81f83d771ae27a2b91e511  memcached-1.4.15.tar.gz
+a1f6ece8e3b07509aadbd24c3420cb4400a47c6f046282243a6e295d041ff8f84ff2de86e657cb233199259cca63360e03b173a5abff0d67789eef91847be5eb  CVE-2011-4971.patch
 059c16613648bb46ec41e1cab08033cafb7a75c71e9cf961d1e1bfa1219e17a4f528555708fc29d8eedcbd662199c32d7bc5d8ba4418bcabd8e30239bbc8e36c  memcached.confd
 65782982faaa8966ae0e1335ae367db1c65a94b5e218dfb1245e9d5e3b03ed42234c8023e6f6af13ba06bc6a5f25be5e34b4c84f4fd67805df280c94315c6a23  memcached.initd"
diff --git a/main/memcached/CVE-2011-4971.patch b/main/memcached/CVE-2011-4971.patch
new file mode 100644
index 0000000000..fc02be8686
--- /dev/null
+++ b/main/memcached/CVE-2011-4971.patch
@@ -0,0 +1,47 @@
+Issue 192: Crash when sending specially crafted packet
+Author: Christos Tsantilas <christos@chtsanti.net>
+
+This is an unsigned to signed integers conversion problem.
+Inside the following functions:
+ process_bin_sasl_auth
+ process_bin_complete_sasl_auth
+ process_bin_update
+ process_bin_append_prepend
+
+there is the following or a similar statement:
+ int vlen = c->binary_header.request.bodylen - nkey;
+
+The c->binary_header.request.bodylen is an unsigned int which if it is bigger
+than the INT_MAX and converted to a signed int will result to a negative number
+causing segfaults to memcached.
+The c->binary_header.request.bodylen is the request body length defined by
+the client request. Random bytes sent to the memcached may interpeted
+as a normal request with huge body data.
+This patch just add a check and reject requests which report huge body data.
+
+
+--- memcached-1.4.15.orig/memcached.c	2012-09-03 21:23:23.000000000 +0300
++++ memcached-1.4.15/memcached.c	2013-11-26 14:22:28.206370577 +0200
+@@ -3446,6 +3446,22 @@
+                 return -1;
+             }
+ 
++            /*
++              issue #192:
++              c->binary_header.request.bodylen is an unsigned int but it is
++              used in many places as a signed int.  
++              Add a check here to avoid bad integer type conversions which
++              may cause crashes to memcached.
++            */
++            if (c->binary_header.request.bodylen > INT_MAX) {
++                if (settings.verbose) {
++                    fprintf(stderr, "Invalid request body length:  %u\n",
++                            c->binary_header.request.bodylen);
++                }
++                conn_set_state(c, conn_closing);
++                return -1;
++            }
++
+             c->msgcurr = 0;
+             c->msgused = 0;
+             c->iovused = 0;