author | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-06-11 13:00:50 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-06-11 13:07:04 +0000 |
commit | dcdf3ad355958a452c9942c010966d9316245cf2 (patch) | |
tree | d986260e6bac83abb96af5f0119084338616e710 /main | |
parent | 96018bf2841ac59b632f6d84ad6247b5b825dc3a (diff) | |
main/memcached: security fix (CVE-2018-1000115)
Fixes #8833
Diffstat (limited to 'main')
-rw-r--r-- | main/memcached/APKBUILD | 15 | ||||
-rw-r--r-- | main/memcached/CVE-2018-1000115.patch | 66 |
2 files changed, 78 insertions, 3 deletions
diff --git a/main/memcached/APKBUILD b/main/memcached/APKBUILD
index c60c10281d..6f3a5bcfe5 100644
--- a/main/memcached/APKBUILD
+++ b/main/memcached/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=memcached
 pkgver=1.4.33
-pkgrel=1
+pkgrel=2
 pkgdesc="Distributed memory object caching system"
 url="http://memcached.org"
 arch="all"
@@ -15,13 +15,21 @@ subpackages="$pkgname-dev $pkgname-doc"
 source="http://www.memcached.org/files/memcached-$pkgver.tar.gz
 $pkgname.confd
 $pkgname.initd
- CVE-2017-9951.patch"
+ CVE-2017-9951.patch
+ CVE-2018-1000115.patch
+ "
 
 _builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
+# 1.4.33-r2:
+# - CVE-2018-1000115
 # 1.4.33-r1:
 # - CVE-2017-9951
+# 1.4.33-r0:
+# - CVE-2016-8704
+# - CVE-2016-8705
+# - CVE-2016-8706
 
 prepare() {
 local i
@@ -63,4 +71,5 @@ faa5d3b1026262db00340469abe4ba066b11f2558c85b6e8be1f4265444812c7 CVE-2017-9951.
 sha512sums="00af5a2f46702fb8e606b1035cdaad125445d8eb701927a3ccccd7cd6c12e0811efb3ad917e3118043fd993b5c313f1aa0c4b2a471218e971a21fed7c896e136 memcached-1.4.33.tar.gz
 31bd788433b8021ed332f86d291e7f03222ae234520e52ba673b581d5da2adf5656e8f73e8b985df73258dea9b2a1b8ef36195163fe47a92fda59825deedfed4 memcached.confd
 9615769b14175a25b50c9871b48c0635b5397ebe45231b43ee29a603eceb7b16bfc5ac744017b89b19082209c09597b3038a03ed0d5d9b45c60454d5b2717a55 memcached.initd
-6ad923b7753011272f8d8389e1e14d6193a13777a5919e3e183eb81fa5b6e9555f19ce88d0c4af3affc0ea4dd4c824924f8d4aad1460037a3c1d22707d409ed0 CVE-2017-9951.patch"
+6ad923b7753011272f8d8389e1e14d6193a13777a5919e3e183eb81fa5b6e9555f19ce88d0c4af3affc0ea4dd4c824924f8d4aad1460037a3c1d22707d409ed0 CVE-2017-9951.patch
+7e7ba164ec19f2316908e4f7bdc5d97a002338896a3ba09d3189772617763e1021f6b4496816275788bb4cf22ff560d7cead454079f279f9505fbdf14aa0e9d5 CVE-2018-1000115.patch"
diff --git a/main/memcached/CVE-2018-1000115.patch b/main/memcached/CVE-2018-1000115.patch
new file mode 100644
index 0000000000..5c3da35bbe
--- /dev/null
+++ b/main/memcached/CVE-2018-1000115.patch 
@@ -0,0 +1,66 @@
+From dbb7a8af90054bf4ef51f5814ef7ceb17d83d974 Mon Sep 17 00:00:00 2001
+From: dormando <dormando@rydia.net>
+Date: Tue, 27 Feb 2018 10:50:45 -0800
+Subject: [PATCH] disable UDP port by default
+Origin: upstream, https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974.patch
+
+As reported, UDP amplification attacks have started to use insecure
+internet-exposed memcached instances. UDP used to be a lot more popular as a
+transport for memcached many years ago, but I'm not aware of many recent
+users.
+
+Ten years ago, the TCP connection overhead from many clients was relatively
+high (dozens or hundreds per client server), but these days many clients are
+batched, or user fewer processes, or simply anre't worried about it.
+
+While changing the default to listen on localhost only would also help, the
+true culprit is UDP. There are many more use cases for using memcached over
+the network than there are for using the UDP protocol.
+---
+ memcached.c | 6 ++----
+ t/issue_67.t | 4 ++--
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+Index: b/memcached.c
+===================================================================
+--- a/memcached.c
++++ b/memcached.c
+@@ -205,7 +205,7 @@ static void settings_init(void) {
+ settings.use_cas = true;
+ settings.access = 0700;
+ settings.port = 11211;
+- settings.udpport = 11211;
++ settings.udpport = 0;
+ /* By default this string should be NULL for getaddrinfo() */
+ settings.inter = NULL;
+ settings.maxbytes = 64 * 1024 * 1024; /* default is 64MB */
+@@ -6204,9 +6204,7 @@ int main (int argc, char **argv) {
+ }
+ }
+ 
+- if (tcp_specified && !udp_specified) {
+- settings.udpport = settings.port;
+- } else if (udp_specified && !tcp_specified) {
++ if (udp_specified && settings.udpport != 0 && !tcp_specified) {
+ settings.port = settings.udpport;
+ }
+ 
+Index: b/t/issue_67.t
+===================================================================
+--- a/t/issue_67.t
++++ b/t/issue_67.t
+@@ -73,12 +73,12 @@ sub when {
+ 
+ # Disabling the defaults since it conflicts with a running instance.
+ # when('no arguments', '', 11211, 11211);
+-when('specifying tcp port', '-p 11212', 11212, 11212);
++when('specifying tcp port', '-p 11212', 11212, -1);
+ when('specifying udp port', '-U 11222', 11222, 11222);
+ when('specifying tcp ephemeral port', '-p -1', 0, 0);
+ when('specifying udp ephemeral port', '-U -1', 0, 0);
+ when('tcp port disabled', '-p 0', -1, -1);
+-when('udp port disabled', '-U 0', -1, -1);
++when('udp port disabled', '-U 0', 11211, -1);
+ when('specifying tcp and udp ports', '-p 11232 -U 11233', 11232, 11233);
+ when('specifying tcp and disabling udp', '-p 11242 -U 0', 11242, -1);
+ when('specifying udp and disabling tcp', '-p -1 -U 11252', 0, 11252);
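Review bot: The vendored patch only changes the compiled-in default (`settings.udpport = 0;` in the `settings_init()` hunk) and the `main()` port-coupling logic, so an instance keeps listening on UDP whenever its command line passes `-U` with a nonzero port; the APKBUILD still ships `$pkgname.confd` and `$pkgname.initd` unchanged, and nothing in this commit shows which options they pass. It would be worth confirming that `main/memcached/memcached.confd` does not set `-U` (or sets `-U 0`) before treating the new `1.4.33-r2` secfixes entry for CVE-2018-1000115 as closing the amplification vector for a default install. A one-line note in `memcached.confd`, e.g. `# UDP listener is disabled by default since 1.4.33-r2; add -U <port> only if clients require it`, would make the behaviour change visible to administrators upgrading from r1. Both memcached.c hunks are excerpts of `settings_init()` and `main()`, whose bodies continue outside the hunk.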