author | Natanael Copa <ncopa@alpinelinux.org> | 2013-12-03 12:28:12 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-12-03 12:28:49 +0000 |
commit | deded5f6427a47a48eac3311151c147dab49cdd6 (patch) | |
tree | c6e916624bd9f60abd4ab0317d88209473b68681 | |
parent | 8d663144da2b4cac4c6312be9111b938df121d75 (diff) | |
main/memcached: security workaround for CVE-2011-4971
ref #2451
-rw-r--r-- | main/memcached/APKBUILD | 6 | ||||
-rw-r--r-- | main/memcached/CVE-2011-4971.patch | 47 |
2 files changed, 52 insertions, 1 deletions
diff --git a/main/memcached/APKBUILD b/main/memcached/APKBUILD
index 2ed54a1954..cb98ec62f1 100644
--- a/main/memcached/APKBUILD
+++ b/main/memcached/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=memcached
 pkgver=1.4.15
-pkgrel=1
+pkgrel=2
 pkgdesc="Distributed memory object caching system"
 url="http://memcached.org"
 arch="all"
@@ -13,6 +13,7 @@ makedepends="$depends_dev"
 install="$pkgname.pre-install"
 subpackages="$pkgname-dev $pkgname-doc"
 source="http://memcached.googlecode.com/files/$pkgname-$pkgver.tar.gz
+ CVE-2011-4971.patch
 $pkgname.confd
 $pkgname.initd"
@@ -49,11 +50,14 @@ package() {
 }
 md5sums="36ea966f5a29655be1746bf4949f7f69 memcached-1.4.15.tar.gz
+e73c5651b37f54020bea00a4318cef2e CVE-2011-4971.patch
 9d7396bf77c72ca3845118424cd1898b memcached.confd
 cc344c9aead89042ca2fbf45cd3930a6 memcached.initd"
 sha256sums="169721ab7a7531add6ae9f6b14b6b5641725fe0b1f0bdf5c3a4327725901e2b4 memcached-1.4.15.tar.gz
+0dbb2a8425e051f21a4f767055b82b6294ecf1d22082aeb24f6688bbc9870aed CVE-2011-4971.patch
 d8648ea385035632b209acfae27b0a46ec446e58d37de43874d2a41ba13b6923 memcached.confd
 e4b6415c5501963d2ce421aab9d595736091bc895b8f3762e746593f7d736792 memcached.initd"
 sha512sums="53a9d7c109db01c6d345c79bddcbffae4b5b113244782e869d16f2b704c07bee1d8d9270c54065c06ed878e641a68c666c02ba6d4e81f83d771ae27a2b91e511 memcached-1.4.15.tar.gz
+a1f6ece8e3b07509aadbd24c3420cb4400a47c6f046282243a6e295d041ff8f84ff2de86e657cb233199259cca63360e03b173a5abff0d67789eef91847be5eb CVE-2011-4971.patch
 059c16613648bb46ec41e1cab08033cafb7a75c71e9cf961d1e1bfa1219e17a4f528555708fc29d8eedcbd662199c32d7bc5d8ba4418bcabd8e30239bbc8e36c memcached.confd
 65782982faaa8966ae0e1335ae367db1c65a94b5e218dfb1245e9d5e3b03ed42234c8023e6f6af13ba06bc6a5f25be5e34b4c84f4fd67805df280c94315c6a23 memcached.initd"
diff --git a/main/memcached/CVE-2011-4971.patch b/main/memcached/CVE-2011-4971.patch
new file mode 100644
index 0000000000..fc02be8686
--- /dev/null
+++ b/main/memcached/CVE-2011-4971.patch
@@ -0,0 +1,47 @@
+Issue 192: Crash when sending specially crafted packet
+Author: Christos Tsantilas <christos@chtsanti.net>
+
+This is an unsigned to signed integers conversion problem.
+Inside the following functions:
+ process_bin_sasl_auth
+ process_bin_complete_sasl_auth
+ process_bin_update
+ process_bin_append_prepend
+
+there is the following or a similar statement:
+ int vlen = c->binary_header.request.bodylen - nkey;
+
+The c->binary_header.request.bodylen is an unsigned int which if it is bigger
+than the INT_MAX and converted to a signed int will result to a negative number
+causing segfaults to memcached.
+The c->binary_header.request.bodylen is the request body length defined by
+the client request. Random bytes sent to the memcached may interpeted
+as a normal request with huge body data.
+This patch just add a check and reject requests which report huge body data.
+
+
+--- memcached-1.4.15.orig/memcached.c 2012-09-03 21:23:23.000000000 +0300
++++ memcached-1.4.15/memcached.c 2013-11-26 14:22:28.206370577 +0200
+@@ -3446,6 +3446,22 @@
+ return -1;
+ }
+
++ /*
++ issue #192:
++ c->binary_header.request.bodylen is an unsigned int but it is
++ used in many places as a signed int.
++ Add a check here to avoid bad integer type conversions which
++ may cause crashes to memcached.
++ */
++ if (c->binary_header.request.bodylen > INT_MAX) {
++ if (settings.verbose) {
++ fprintf(stderr, "Invalid request body length: %u\n",
++ c->binary_header.request.bodylen);
++ }
++ conn_set_state(c, conn_closing);
++ return -1;
++ }
++
+ c->msgcurr = 0;
+ c->msgused = 0;
+ c->iovused = 0; |
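Review bot: A body length at or below `INT_MAX` that is still smaller than the client-declared key length passes the added check, so the statement quoted in the patch header, `int vlen = c->binary_header.request.bodylen - nkey;`, can still come out negative. The four handlers named in the header, and the function this guard sits in, start and end outside the hunk, so whether they already compare the key length against the body length is not visible here. If they do not, each handler should reject the request before using the difference, for example with `if (vlen < 0) { conn_set_state(c, conn_closing); return; }` right after the subtraction. The rejection is also logged only under `settings.verbose`, so in a default configuration these closed connections leave no trace for operators. A comment at the guard such as `/* bounds bodylen only; handlers must still check bodylen >= nkey */` would document that limit.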