2016-04-22 13:04:10 |
Stefan Friesel |
bug |
|
|
added bug |
2016-12-13 09:52:38 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Security Team |
2016-12-13 09:53:23 |
Christian Ehrhardt |
information type |
Public |
Public Security |
|
2016-12-13 20:09:33 |
Seth Arnold |
bug task added |
|
libmemcached |
|
2017-10-17 10:02:17 |
Launchpad Janitor |
libmemcached (Ubuntu): status |
New |
Confirmed |
|
2019-01-08 12:42:54 |
Dominique Poulain |
bug |
|
|
added subscriber Dominique Poulain |
2019-01-17 17:32:42 |
Dan Streetman |
libmemcached (Ubuntu): status |
Confirmed |
In Progress |
|
2019-01-17 17:33:31 |
Ioanna Alifieraki |
libmemcached (Ubuntu): assignee |
|
Ioanna Alifieraki (joalif) |
|
2019-01-17 17:37:18 |
Ioanna Alifieraki |
nominated for series |
|
Ubuntu Disco |
|
2019-01-17 17:37:18 |
Ioanna Alifieraki |
nominated for series |
|
Ubuntu Trusty |
|
2019-01-17 17:37:18 |
Ioanna Alifieraki |
nominated for series |
|
Ubuntu Xenial |
|
2019-01-17 17:37:18 |
Ioanna Alifieraki |
nominated for series |
|
Ubuntu Bionic |
|
2019-01-17 17:37:18 |
Ioanna Alifieraki |
nominated for series |
|
Ubuntu Cosmic |
|
2019-01-17 17:37:41 |
Dan Streetman |
bug task added |
|
libmemcached (Ubuntu Bionic) |
|
2019-01-17 17:37:52 |
Dan Streetman |
bug task added |
|
libmemcached (Ubuntu Cosmic) |
|
2019-01-17 17:38:02 |
Dan Streetman |
bug task added |
|
libmemcached (Ubuntu Disco) |
|
2019-01-17 17:38:14 |
Dan Streetman |
bug task added |
|
libmemcached (Ubuntu Trusty) |
|
2019-01-17 17:38:26 |
Dan Streetman |
bug task added |
|
libmemcached (Ubuntu Xenial) |
|
2019-01-17 17:38:36 |
Ioanna Alifieraki |
libmemcached (Ubuntu Cosmic): assignee |
|
Ioanna Alifieraki (joalif) |
|
2019-01-17 17:38:39 |
Ioanna Alifieraki |
libmemcached (Ubuntu Bionic): assignee |
|
Ioanna Alifieraki (joalif) |
|
2019-01-17 17:38:58 |
Ioanna Alifieraki |
libmemcached (Ubuntu Xenial): assignee |
|
Ioanna Alifieraki (joalif) |
|
2019-01-17 17:39:01 |
Ioanna Alifieraki |
libmemcached (Ubuntu Trusty): assignee |
|
Ioanna Alifieraki (joalif) |
|
2019-01-17 17:47:31 |
Ioanna Alifieraki |
libmemcached (Ubuntu Cosmic): status |
New |
In Progress |
|
2019-01-17 17:47:38 |
Ioanna Alifieraki |
libmemcached (Ubuntu Bionic): status |
New |
In Progress |
|
2019-01-17 17:47:46 |
Ioanna Alifieraki |
libmemcached (Ubuntu Xenial): status |
New |
In Progress |
|
2019-01-17 17:47:52 |
Ioanna Alifieraki |
libmemcached (Ubuntu Trusty): status |
New |
In Progress |
|
2019-01-17 17:47:59 |
Ioanna Alifieraki |
libmemcached (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2019-01-17 17:48:04 |
Ioanna Alifieraki |
libmemcached (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2019-01-17 17:48:07 |
Ioanna Alifieraki |
libmemcached (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2019-01-17 17:48:10 |
Ioanna Alifieraki |
libmemcached (Ubuntu Cosmic): importance |
Undecided |
Medium |
|
2019-01-17 17:48:14 |
Ioanna Alifieraki |
libmemcached (Ubuntu Disco): importance |
Undecided |
Medium |
|
2019-01-17 18:04:40 |
Ioanna Alifieraki |
description |
When connecting to a server using SASL, memcached_sasl_authenticate_connection() reads the list of supported mechanisms [1] from the server via the command PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string containing supported authentication mechanisms, which gets stored into the (uninitialized) destination buffer without null termination [2].
The buffer then gets passed to sasl_client_start [3] which treats it as a null-terminated string [4], reading uninitialized bytes in the buffer.
As the buffer lives on the stack, an attacker that can put strings on the stack before the connection gets made might be able to tamper with the authentication.
[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[3] libmemcached/sasl.cc:231
[4] http://linux.die.net/man/3/sasl_client_start |
[Impact]
When connecting to a server using SASL, memcached_sasl_authenticate_connection() reads the list of supported mechanisms [1] from the server via the command PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string containing supported authentication mechanisms, which gets stored into the (uninitialized) destination buffer without null termination [2].
The buffer then gets passed to sasl_client_start [3] which treats it as a null-terminated string [4], reading uninitialised bytes in the buffer.
As the buffer lives on the stack, an attacker that can put strings on the stack before the connection gets made might be able to tamper with the authentication.
[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[3] libmemcached/sasl.cc:231
[4] http://linux.die.net/man/3/sasl_client_start
[Test Case]
There is no known reliable reproducer.
[Regression Potential]
This fix initialises the buffer to 0.
Any potential regression may include failure of the authentication when using SASL.
[Other Info]
This bug affects trusty and later. |
|
2019-01-17 18:10:27 |
Ioanna Alifieraki |
attachment added |
|
lp1573594_disco.debdiff https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594/+attachment/5230019/+files/lp1573594_disco.debdiff |
|
2019-01-17 18:11:30 |
Ioanna Alifieraki |
attachment added |
|
Fix for bionic https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594/+attachment/5230020/+files/lp1573594_bionic.debdiff |
|
2019-01-17 18:12:33 |
Ioanna Alifieraki |
attachment added |
|
lp1573594_xenial.debdiff https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594/+attachment/5230021/+files/lp1573594_xenial.debdiff |
|
2019-01-17 18:13:40 |
Ioanna Alifieraki |
tags |
|
sts |
|
2019-01-17 18:14:19 |
Ioanna Alifieraki |
tags |
sts |
sts sts-sponsor |
|
2019-01-17 18:14:56 |
Ioanna Alifieraki |
bug |
|
|
added subscriber STS Sponsors |
2019-01-17 19:26:10 |
Ubuntu Foundations Team Bug Bot |
tags |
sts sts-sponsor |
patch sts sts-sponsor |
|
2019-01-17 19:26:37 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2019-01-17 20:26:00 |
Dan Streetman |
tags |
patch sts sts-sponsor |
patch sts sts-sponsor-ddstreet |
|
2019-01-18 16:57:17 |
Ioanna Alifieraki |
attachment added |
|
lp1573594_disco.debdiff https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594/+attachment/5230340/+files/lp1573594_disco.debdiff |
|
2019-01-18 16:58:42 |
Ioanna Alifieraki |
attachment added |
|
lp1573594_cosmic.debdiff https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594/+attachment/5230341/+files/lp1573594_cosmic.debdiff |
|
2019-01-18 17:00:00 |
Ioanna Alifieraki |
attachment added |
|
lp1573594_bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594/+attachment/5230342/+files/lp1573594_bionic.debdiff |
|
2019-01-18 17:00:05 |
Ioanna Alifieraki |
attachment added |
|
lp1573594_bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594/+attachment/5230343/+files/lp1573594_bionic.debdiff |
|
2019-01-18 17:01:44 |
Ioanna Alifieraki |
attachment added |
|
lp1573594_xenial.debdiff https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594/+attachment/5230344/+files/lp1573594_xenial.debdiff |
|
2019-01-18 17:03:05 |
Ioanna Alifieraki |
attachment added |
|
lp1573594_trusty.debdiff https://bugs.launchpad.net/ubuntu/+source/libmemcached/+bug/1573594/+attachment/5230346/+files/lp1573594_trusty.debdiff |
|
2019-01-18 19:09:21 |
Dan Streetman |
tags |
patch sts sts-sponsor-ddstreet |
patch sts sts-sponsor-slashd |
|
2019-01-18 19:09:34 |
Dan Streetman |
bug |
|
|
added subscriber Dan Streetman |
2019-01-18 19:20:07 |
Eric Desrochers |
description |
[Impact]
When connecting to a server using SASL, memcached_sasl_authenticate_connection() reads the list of supported mechanisms [1] from the server via the command PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string containing supported authentication mechanisms, which gets stored into the (uninitialized) destination buffer without null termination [2].
The buffer then gets passed to sasl_client_start [3] which treats it as a null-terminated string [4], reading uninitialised bytes in the buffer.
As the buffer lives on the stack, an attacker that can put strings on the stack before the connection gets made might be able to tamper with the authentication.
[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[3] libmemcached/sasl.cc:231
[4] http://linux.die.net/man/3/sasl_client_start
[Test Case]
There is no known reliable reproducer.
[Regression Potential]
This fix initialises the buffer to 0.
Any potential regression may include failure of the authentication when using SASL.
[Other Info]
This bug affects trusty and later.
* Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919696
* Upstream seems pretty quiet since 2014
Repo: bzr branch lp:libmemcached
Last commit:
revno: 1113 [merge]
committer: Continuous Integration <ci@tangent.org>
branch nick: workspace
timestamp: Sun 2014-02-16 03:31:37 -0800
message:
Merge bzr://soup.haus/ Build: jenkins-Libmemcached-473
Unfortunately, because the project seems more or less dead ... it seems like we won't be able to submit anything upstream and go straight to fixing Debian and Ubuntu. |
|
2019-01-18 19:25:40 |
Eric Desrochers |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919696 |
|
2019-01-18 19:25:40 |
Eric Desrochers |
bug task added |
|
libmemcached (Debian) |
|
2019-01-18 19:37:48 |
Eric Desrochers |
description |
[Impact]
When connecting to a server using SASL, memcached_sasl_authenticate_connection() reads the list of supported mechanisms [1] from the server via the command PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string containing supported authentication mechanisms, which gets stored into the (uninitialized) destination buffer without null termination [2].
The buffer then gets passed to sasl_client_start [3] which treats it as a null-terminated string [4], reading uninitialised bytes in the buffer.
As the buffer lives on the stack, an attacker that can put strings on the stack before the connection gets made might be able to tamper with the authentication.
[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[3] libmemcached/sasl.cc:231
[4] http://linux.die.net/man/3/sasl_client_start
[Test Case]
There is no known reliable reproducer.
[Regression Potential]
This fix initialises the buffer to 0.
Any potential regression may include failure of the authentication when using SASL.
[Other Info]
This bug affects trusty and later.
* rmadison:
libmemcached | 1.0.8-1ubuntu2 | trusty | source
libmemcached | 1.0.18-4.1 | xenial | source
libmemcached | 1.0.18-4.2 | bionic | source
libmemcached | 1.0.18-4.2 | cosmic | source
libmemcached | 1.0.18-4.2 | disco | source
* Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919696
* Upstream seems pretty quiet since 2014
Unfortunately, because the project seems more or less dead ... it seems like we won't be able to submit anything upstream and go straight to fixing Debian and Ubuntu.
- Repo:
bzr branch lp:libmemcached
- Last commit:
revno: 1113 [merge]
committer: Continuous Integration <ci@tangent.org>
branch nick: workspace
timestamp: Sun 2014-02-16 03:31:37 -0800
message:
Merge bzr://soup.haus/ Build: jenkins-Libmemcached-473 |
|
2019-01-18 23:28:28 |
Bug Watch Updater |
libmemcached (Debian): status |
Unknown |
New |
|
2019-01-23 18:54:08 |
Ioanna Alifieraki |
description |
[Impact]
When connecting to a server using SASL, memcached_sasl_authenticate_connection() reads the list of supported mechanisms [1] from the server via the command PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string containing supported authentication mechanisms, which gets stored into the (uninitialized) destination buffer without null termination [2].
The buffer then gets passed to sasl_client_start [3] which treats it as a null-terminated string [4], reading uninitialised bytes in the buffer.
As the buffer lives on the stack, an attacker that can put strings on the stack before the connection gets made might be able to tamper with the authentication.
[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[3] libmemcached/sasl.cc:231
[4] http://linux.die.net/man/3/sasl_client_start
[Test Case]
This bug is difficult to reproduce since it depends on the contents of the stack.
However, here is a test case using the fix on Bionic that shows that this fix does not cause any problems.
For testing you need
1) A memcached server.
You can set up one by following the instructions in [1],
or (what I did) create one in the cloud [2].
2) A client test program to connect to the memcached server.
One can be found in [3].
This simple test connects to a memcache server and tests basic get/set operations.
Copy paste the C code into a file (sasl_test.c) and compile with:
gcc -o sasl_test -O2 sasl_test.c -lmemcached -pthread
3) On a machine with the updated version of libmemcached in which the fix is applied:
jo@bionic-vm:~$ dpkg -l | grep libmemcached
ii libhashkit-dev:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 libmemcached hashing functions and algorithms (development files)
ii libhashkit2:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 libmemcached hashing functions and algorithms
ii libmemcached-dbg:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 Debug Symbols for libmemcached
ii libmemcached-dev:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 C and C++ client library to the memcached server (development files)
ii libmemcached-tools 1.0.18-4.2ubuntu0.18.04.1 amd64 Commandline tools for talking to memcached via libmemcached
ii libmemcached11:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 C and C++ client library to the memcached server
ii libmemcachedutil2:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 library implementing connection pooling for libmemcached
Run the sasl_test binary:
#./sasl_test [username] [password] [server]
In my case using the credentials and the server created in step 1 :
jo@bionic-vm:~$ ./sasl_test 88BAB0 1A99094B77C8935ED9F1461C767DB1F9 mc2.dev.eu.ec2.memcachier.com
Get/Set success!
[1] https://blog.couchbase.com/sasl-memcached-now-available/
[2] https://www.memcachier.com/
[3] https://blog.memcachier.com/2014/11/05/ubuntu-libmemcached-and-sasl-support/
[Regression Potential]
This fix initialises the buffer to 0.
Any potential regression may include failure of the authentication when using SASL.
[Other Info]
This bug affects trusty and later.
* rmadison:
libmemcached | 1.0.8-1ubuntu2 | trusty | source
libmemcached | 1.0.18-4.1 | xenial | source
libmemcached | 1.0.18-4.2 | bionic | source
libmemcached | 1.0.18-4.2 | cosmic | source
libmemcached | 1.0.18-4.2 | disco | source
* Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919696
* Upstream seems pretty quiet since 2014
Unfortunately, because the project seems more or less dead ... it seems like we won't be able to submit anything upstream and go straight to fixing Debian and Ubuntu.
- Repo:
bzr branch lp:libmemcached
- Last commit:
revno: 1113 [merge]
committer: Continuous Integration <ci@tangent.org>
branch nick: workspace
timestamp: Sun 2014-02-16 03:31:37 -0800
message:
Merge bzr://soup.haus/ Build: jenkins-Libmemcached-473 |
|
2019-01-23 19:40:33 |
Eric Desrochers |
libmemcached (Ubuntu Disco): status |
In Progress |
Fix Committed |
|
2019-01-24 02:00:55 |
Launchpad Janitor |
libmemcached (Ubuntu Disco): status |
Fix Committed |
Fix Released |
|
2019-01-31 16:30:24 |
Łukasz Zemczak |
libmemcached (Ubuntu Cosmic): status |
In Progress |
Fix Committed |
|
2019-01-31 16:30:27 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-01-31 16:30:31 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2019-01-31 16:30:36 |
Łukasz Zemczak |
tags |
patch sts sts-sponsor-slashd |
patch sts sts-sponsor-slashd verification-needed verification-needed-cosmic |
|
2019-01-31 16:32:58 |
Łukasz Zemczak |
libmemcached (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2019-01-31 16:33:05 |
Łukasz Zemczak |
tags |
patch sts sts-sponsor-slashd verification-needed verification-needed-cosmic |
patch sts sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-cosmic |
|
2019-01-31 16:36:11 |
Łukasz Zemczak |
libmemcached (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2019-01-31 16:36:16 |
Łukasz Zemczak |
tags |
patch sts sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-cosmic |
patch sts sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-xenial |
|
2019-01-31 16:37:37 |
Łukasz Zemczak |
libmemcached (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2019-01-31 16:37:44 |
Łukasz Zemczak |
tags |
patch sts sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-xenial |
patch sts sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-trusty verification-needed-xenial |
|
2019-02-02 20:08:24 |
Mathew Hodson |
affects |
libmemcached |
ubuntu-translations |
|
2019-02-02 20:08:40 |
Mathew Hodson |
bug task deleted |
ubuntu-translations |
|
|
2019-02-04 15:52:07 |
Ioanna Alifieraki |
description |
[Impact]
When connecting to a server using SASL, memcached_sasl_authenticate_connection() reads the list of supported mechanisms [1] from the server via the command PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string containing supported authentication mechanisms, which gets stored into the (uninitialized) destination buffer without null termination [2].
The buffer then gets passed to sasl_client_start [3] which treats it as a null-terminated string [4], reading uninitialised bytes in the buffer.
As the buffer lives on the stack, an attacker that can put strings on the stack before the connection gets made might be able to tamper with the authentication.
[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[3] libmemcached/sasl.cc:231
[4] http://linux.die.net/man/3/sasl_client_start
[Test Case]
This bug is difficult to reproduce since it depends on the contents of the stack.
However, here is a test case using the fix on Bionic that shows that this fix does not cause any problems.
For testing you need
1) A memcached server.
You can set up one by following the instructions in [1],
or (what I did) create one in the cloud [2].
2) A client test program to connect to the memcached server.
One can be found in [3].
This simple test connects to a memcache server and tests basic get/set operations.
Copy paste the C code into a file (sasl_test.c) and compile with:
gcc -o sasl_test -O2 sasl_test.c -lmemcached -pthread
3) On a machine with the updated version of libmemcached in which the fix is applied:
jo@bionic-vm:~$ dpkg -l | grep libmemcached
ii libhashkit-dev:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 libmemcached hashing functions and algorithms (development files)
ii libhashkit2:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 libmemcached hashing functions and algorithms
ii libmemcached-dbg:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 Debug Symbols for libmemcached
ii libmemcached-dev:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 C and C++ client library to the memcached server (development files)
ii libmemcached-tools 1.0.18-4.2ubuntu0.18.04.1 amd64 Commandline tools for talking to memcached via libmemcached
ii libmemcached11:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 C and C++ client library to the memcached server
ii libmemcachedutil2:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 library implementing connection pooling for libmemcached
Run the sasl_test binary:
#./sasl_test [username] [password] [server]
In my case using the credentials and the server created in step 1 :
jo@bionic-vm:~$ ./sasl_test 88BAB0 1A99094B77C8935ED9F1461C767DB1F9 mc2.dev.eu.ec2.memcachier.com
Get/Set success!
[1] https://blog.couchbase.com/sasl-memcached-now-available/
[2] https://www.memcachier.com/
[3] https://blog.memcachier.com/2014/11/05/ubuntu-libmemcached-and-sasl-support/
[Regression Potential]
This fix initialises the buffer to 0.
Any potential regression may include failure of the authentication when using SASL.
* When running autopkgtest for xenial/armhf it fails on gearmand: http://autopkgtest.ubuntu.com/packages/g/gearmand/xenial/armhf .
However, this is a long-standing issue with gearmand and it is not related to the current SRU.
[Other Info]
This bug affects trusty and later.
* rmadison:
libmemcached | 1.0.8-1ubuntu2 | trusty | source
libmemcached | 1.0.18-4.1 | xenial | source
libmemcached | 1.0.18-4.2 | bionic | source
libmemcached | 1.0.18-4.2 | cosmic | source
libmemcached | 1.0.18-4.2 | disco | source
* Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919696
* Upstream seems pretty quiet since 2014
Unfortunately, because the project seems more or less dead ... it seems like we won't be able to submit anything upstream and go straight to fixing Debian and Ubuntu.
- Repo:
bzr branch lp:libmemcached
- Last commit:
revno: 1113 [merge]
committer: Continuous Integration <ci@tangent.org>
branch nick: workspace
timestamp: Sun 2014-02-16 03:31:37 -0800
message:
Merge bzr://soup.haus/ Build: jenkins-Libmemcached-473 |
|
2019-02-04 16:14:45 |
Ioanna Alifieraki |
tags |
patch sts sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-trusty verification-needed-xenial |
patch sts sts-sponsor-slashd verification-done-xenial verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-trusty |
|
2019-02-04 16:21:17 |
Ioanna Alifieraki |
tags |
patch sts sts-sponsor-slashd verification-done-xenial verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-trusty |
patch sts sts-sponsor-slashd verification-done-bionic verification-done-xenial verification-needed verification-needed-cosmic verification-needed-trusty |
|
2019-02-04 16:32:33 |
Ioanna Alifieraki |
tags |
patch sts sts-sponsor-slashd verification-done-bionic verification-done-xenial verification-needed verification-needed-cosmic verification-needed-trusty |
patch sts sts-sponsor-slashd verification-done-bionic verification-done-cosmic verification-done-xenial verification-needed verification-needed-trusty |
|
2019-02-04 17:56:20 |
Ioanna Alifieraki |
tags |
patch sts sts-sponsor-slashd verification-done-bionic verification-done-cosmic verification-done-xenial verification-needed verification-needed-trusty |
patch sts sts-sponsor-slashd verification-done-bionic verification-done-cosmic verification-done-xenial verification-failed-trusty verification-needed |
|
2019-02-07 11:59:39 |
Launchpad Janitor |
libmemcached (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
2019-02-07 11:59:45 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2019-02-07 12:00:01 |
Launchpad Janitor |
libmemcached (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2019-02-07 12:00:34 |
Launchpad Janitor |
libmemcached (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2019-02-07 13:42:26 |
Eric Desrochers |
libmemcached (Ubuntu Trusty): status |
Fix Committed |
Invalid |
|
2019-02-07 13:42:52 |
Eric Desrochers |
removed subscriber STS Sponsors |
|
|
|
2019-03-08 05:37:08 |
Mathew Hodson |
libmemcached (Ubuntu Trusty): status |
Invalid |
Won't Fix |
|
2019-03-18 11:28:26 |
Marc Deslauriers |
removed subscriber Ubuntu Security Sponsors Team |
|
|
|
2019-03-18 11:28:29 |
Marc Deslauriers |
removed subscriber Ubuntu Security Team |
|
|
|
2019-04-07 13:21:54 |
Dan Streetman |
removed subscriber Dan Streetman |
|
|
|
2019-04-07 13:22:14 |
Dan Streetman |
tags |
patch sts sts-sponsor-slashd verification-done-bionic verification-done-cosmic verification-done-xenial verification-failed-trusty verification-needed |
patch sts sts-sponsor-slashd verification-done verification-done-bionic verification-done-cosmic verification-done-xenial verification-failed-trusty |
|
2019-05-31 22:37:52 |
Dan Streetman |
tags |
patch sts sts-sponsor-slashd verification-done verification-done-bionic verification-done-cosmic verification-done-xenial verification-failed-trusty |
patch sts verification-done verification-done-bionic verification-done-cosmic verification-done-xenial verification-failed-trusty |
|
2021-05-06 15:23:48 |
Brian Aker |
branch linked |
|
lp:~brianaker/libmemcached/libmemcached-gearman-remove |
|
2022-12-14 13:49:59 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/libmemcached/+git/libmemcached/+merge/434633 |
|
2023-02-22 18:29:08 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/libmemcached/+git/libmemcached/+merge/437704 |
|
2023-02-22 21:03:03 |
Sergio Durigan Junior |
merge proposal unlinked |
https://code.launchpad.net/~ahasenack/ubuntu/+source/libmemcached/+git/libmemcached/+merge/437704 |
|
|
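The defect in the bug description above (a length-delimited SASL mechanism list stored in an uninitialised stack buffer and then read as a C string) and the zero-initialisation fix, modelled in C as an added example; this is not libmemcached's code or the attached debdiff. The buffer size, the function names and the 'S' filler bytes are constructed for illustration, and the last case (a reply that exactly fills the buffer) goes beyond the report and describes this model only.

```c
#include <stdio.h>
#include <string.h>

#define MECH_BUF_SIZE 32                /* hypothetical size of the mechanism buffer */
#define FRAME_SIZE (MECH_BUF_SIZE + 8)  /* buffer plus modelled neighbouring stack bytes */

enum variant { UNINITIALISED, ZERO_INITIALISED, EXPLICIT_TERMINATOR };

/* Models the response reader: stores at most `room` bytes of the reply body
 * and appends no terminator. Returns the number of bytes stored. */
static size_t store_reply(char *dst, size_t room, const char *body, size_t body_len)
{
    size_t n = body_len < room ? body_len : room;
    memcpy(dst, body, n);
    return n;
}

/* Returns how many bytes a consumer that expects a NUL-terminated string
 * reads when handed the buffer, and copies that view into `seen`. */
static size_t mechlist_as_c_string(enum variant v, const char *body, size_t body_len,
                                   char *seen, size_t seen_size)
{
    char frame[FRAME_SIZE];
    char *buf = frame;               /* first MECH_BUF_SIZE bytes: the buffer */
    size_t room = MECH_BUF_SIZE;
    size_t n, full, copy;

    /* Reading truly uninitialised memory is undefined behaviour, so the
     * leftovers of earlier calls are modelled with constructed 'S' bytes. */
    memset(frame, 'S', FRAME_SIZE - 1);
    frame[FRAME_SIZE - 1] = '\0';    /* the scan has to stop somewhere */

    if (v == ZERO_INITIALISED)
        memset(buf, 0, MECH_BUF_SIZE);      /* the fix the report describes */
    if (v == EXPLICIT_TERMINATOR)
        room = MECH_BUF_SIZE - 1;           /* keep one byte for the NUL */

    n = store_reply(buf, room, body, body_len);
    if (v == EXPLICIT_TERMINATOR)
        buf[n] = '\0';                      /* terminate at the stored length */

    full = strlen(frame);            /* what a char* consumer walks over */
    if (seen_size > 0) {
        copy = full < seen_size - 1 ? full : seen_size - 1;
        memcpy(seen, frame, copy);
        seen[copy] = '\0';
    }
    return full;
}

int main(void)
{
    static const char *names[] = { "uninitialised", "zero-initialised", "explicit NUL" };
    const char *reply = "CRAM-MD5 PLAIN";   /* constructed server reply */
    char filling[MECH_BUF_SIZE];            /* constructed reply that fills the buffer */
    char seen[FRAME_SIZE];
    int v;

    memset(filling, 'M', sizeof filling);
    for (v = UNINITIALISED; v <= EXPLICIT_TERMINATOR; v++) {
        size_t len = mechlist_as_c_string((enum variant)v, reply, strlen(reply),
                                          seen, sizeof seen);
        printf("%-16s short reply -> %2zu bytes: \"%s\"\n", names[v], len, seen);
        len = mechlist_as_c_string((enum variant)v, filling, sizeof filling,
                                   seen, sizeof seen);
        printf("%-16s full reply  -> %2zu bytes\n", names[v], len);
    }
    return 0;
}
```

With the short reply, only the uninitialised variant hands the consumer more than the 14 bytes the server sent.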