Missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS response handling

Bug #1573594 reported by Stefan Friesel on 2016-04-22
282
This bug affects 3 people
Affects Status Importance Assigned to Milestone
libmemcached (Debian)
New
Unknown
libmemcached (Ubuntu)
Status tracked in Disco
Trusty
Medium
Ioanna Alifieraki
Xenial
Medium
Ioanna Alifieraki
Bionic
Medium
Ioanna Alifieraki
Cosmic
Medium
Ioanna Alifieraki
Disco
Medium
Ioanna Alifieraki

Bug Description

[Impact]

When connecting to a server using SASL, memcached_sasl_authenticate_connection() reads the list of supported mechanisms [1] from the server via the command PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string containing supported authentication mechanisms, which gets stored into the (uninitialized) destination buffer without null termination [2].

The buffer then gets passed to sasl_client_start [3] which treats it as a null-terminated string [4], reading uninitialised bytes in the buffer.

As the buffer lives on the stack, an attacker that can put strings on the stack before the connection gets made, might be able to tamper with the authentication.

[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[1] libmemcached/sasl.cc:231
[3] http://linux.die.net/man/3/sasl_client_start

[Test Case]

This bug is difficult to reproduce since it depends on the contents of the stack.
However, here is a test case using the fix on Bionic that shows that this fix does not cause any problems.

For testing you need

1) A memcached server.
   You can setup one by following the instructions in [1],
   or (what I did) create one in the cloud [2].

2) A client test program to connect to the memcached server.
   One can be found in [3].
   This simple test connects to a memcache server and test basic get/set operations.
   Copy paste the C code into a file (sals_test.c) and compile with :
   gcc -o sasl_test -O2 sasl_test.c -lmemcached -pthread

3) On a machine with the updated version of libmemcached in which the fix is applied :
   jo@bionic-vm:~$ dpkg -l | grep libmemcached
ii libhashkit-dev:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 libmemcached hashing functions and algorithms (development files)
ii libhashkit2:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 libmemcached hashing functions and algorithms
ii libmemcached-dbg:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 Debug Symbols for libmemcached
ii libmemcached-dev:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 C and C++ client library to the memcached server (development files)
ii libmemcached-tools 1.0.18-4.2ubuntu0.18.04.1 amd64 Commandline tools for talking to memcached via libmemcached
ii libmemcached11:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 C and C++ client library to the memcached server
ii libmemcachedutil2:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 library implementing connection pooling for libmemcached

   Run the sals_test binary :
   #./sasl_test [username] [password] [server]

   In my case using the credentials and the server created in step 1 :
   jo@bionic-vm:~$ ./sasl_test 88BAB0 1A99094B77C8935ED9F1461C767DB1F9 mc2.dev.eu.ec2.memcachier.com
   Get/Set success!

[1] https://blog.couchbase.com/sasl-memcached-now-available/
[2] https://www.memcachier.com/
[3] https://blog.memcachier.com/2014/11/05/ubuntu-libmemcached-and-sasl-support/

[Regression Potential]

This fix initialises the buffer to 0.
Any potential regression may include failure of the authentication when using SASL.

* When running autopkgtest for xenial/armhf it fails on gearmand : http://autopkgtest.ubuntu.com/packages/g/gearmand/xenial/armhf .
However this is a long standing issue with gearmand and it is not related with the current SRU.

[Other Info]

This bug affects trusty and later.

* rmadison:
 libmemcached | 1.0.8-1ubuntu2 | trusty | source
 libmemcached | 1.0.18-4.1 | xenial | source
 libmemcached | 1.0.18-4.2 | bionic | source
 libmemcached | 1.0.18-4.2 | cosmic | source
 libmemcached | 1.0.18-4.2 | disco | source

* Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919696

* Upstream seems pretty quiet since 2014

Unfortunately, because the project seems more or less dead ... it seems like we won't be able submit anything upstream and go straight to fixing Debian and Ubuntu.

- Repo:
bzr branch lp:libmemcached

- Last commit:
revno: 1113 [merge]
committer: Continuous Integration <email address hidden>
branch nick: workspace
timestamp: Sun 2014-02-16 03:31:37 -0800
message:
  Merge bzr://soup.haus/ Build: jenkins-Libmemcached-473

Stefan Friesel (stefan-friesel) wrote :

Reporting here as it might be security relevant and the upstream is dead

Thank you fr your report, sadly it was missed to be picked up so far - I'm subscribing the security Team for their thoughts on the issue.

information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libmemcached (Ubuntu):
status: New → Confirmed
Aloÿs Augustin (aloysaugustin) wrote :

This looks like a duplicate of #1381160.

Dan Streetman (ddstreet) on 2019-01-17
Changed in libmemcached (Ubuntu):
status: Confirmed → In Progress
Changed in libmemcached (Ubuntu):
assignee: nobody → Ioanna Alifieraki (joalif)
Changed in libmemcached (Ubuntu Cosmic):
assignee: nobody → Ioanna Alifieraki (joalif)
Changed in libmemcached (Ubuntu Bionic):
assignee: nobody → Ioanna Alifieraki (joalif)
Changed in libmemcached (Ubuntu Xenial):
assignee: nobody → Ioanna Alifieraki (joalif)
Changed in libmemcached (Ubuntu Trusty):
assignee: nobody → Ioanna Alifieraki (joalif)
Changed in libmemcached (Ubuntu Cosmic):
status: New → In Progress
Changed in libmemcached (Ubuntu Bionic):
status: New → In Progress
Changed in libmemcached (Ubuntu Xenial):
status: New → In Progress
Changed in libmemcached (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Medium
Changed in libmemcached (Ubuntu Xenial):
importance: Undecided → Medium
Changed in libmemcached (Ubuntu Bionic):
importance: Undecided → Medium
Changed in libmemcached (Ubuntu Cosmic):
importance: Undecided → Medium
Changed in libmemcached (Ubuntu Disco):
importance: Undecided → Medium
description: updated
Ioanna Alifieraki (joalif) wrote :
Ioanna Alifieraki (joalif) wrote :
Ioanna Alifieraki (joalif) wrote :
tags: added: sts
tags: added: sts-sponsor

The attachment "lp1573594_disco.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Dan Streetman (ddstreet) wrote :

Hi @joalif,

couple changes needed in the debdiffs, please:

1) the patch "debian/patches/fix_missing_null_termination" has no suffix...
   not a major problem but convention is to suffix it with ".diff" or ".patch"
2) The line in your patch:
+ * Fix missing null terminated buffer. Closes: #853497.
   should be removed; the text is redundant with the line above it, and the
   patch doesn't actually fix Debian bug 853497 (as far as I can tell, at
   least). Also, Ubuntu debdiffs shouldn't include Debian-specific Closes:
   tags...which leads to:
3) Your changelog entry contains "(Closes: #1573594)", but Ubuntu uses
   "(LP: #NNNNNN)" tag formatting. Please change your changelog entry to
   include "(LP: #1573594)" instead.
4) All your debdiffs include the same package version: 1.0.18-4.2ubuntu1
   This is a tricky point of pkg versioning; since they are currently
   identical in multiple releases, it's best to use a release-specific
   version number for each of the SRU releases, and only use the "ubuntu1"
   suffix for the development (i.e. disco) release.
   Specifically to clarify:
     release current version new version
     Xenial 1.0.18-4.1 1.0.18-4.1ubuntu1
     Bionic 1.0.18-4.2 1.0.18-4.2ubuntu0.18.04.1
     Cosmic 1.0.18-4.2 1.0.18-4.2ubuntu0.18.10.1
     Disco 1.0.18-4.2 1.0.18-4.2ubuntu1

I can make the changes to the debdiffs you already uploaded if you want, or please upload new debdiffs with the recommended changes.

Thanks!

tags: added: sts-sponsor-ddstreet
removed: sts-sponsor
Ioanna Alifieraki (joalif) wrote :

New debdiff for disco.

Ioanna Alifieraki (joalif) wrote :
Ioanna Alifieraki (joalif) wrote :

New debdiff for bionic.

Ioanna Alifieraki (joalif) wrote :

New debdiff for bionic.

Ioanna Alifieraki (joalif) wrote :

New debdiff for xenial.

Ioanna Alifieraki (joalif) wrote :
Dan Streetman (ddstreet) on 2019-01-18
tags: added: sts-sponsor-slashd
removed: sts-sponsor-ddstreet
Eric Desrochers (slashd) on 2019-01-18
description: updated
Eric Desrochers (slashd) wrote :

@joalif,

I'll gladly sponsor this SRU for you ... but I'm a little bit concerned about the test case field being empty and I'm sure the SRU team (ppl who approved upload) will do as well.

While I can understand there is no clear reproducer for that bug ...
Could you please prove somehow that you did some dogfooding ?
Use libmemcached in a context as close as possible to the modified code ?
Ran a libmemcached/memcached test suite (if any) ?

Anything that can bring confidence in this patch. Especially that we have no upstream maintainer to review/accept it.

Regards,
Eric

description: updated
Changed in libmemcached (Debian):
status: Unknown → New
description: updated
Eric Desrochers (slashd) wrote :

Thanks Ionna for the [test case] improvement.
Sponsored for Disco, once the package is found in disco-release, we can go ahead with the SRU for T,X,B,C.

- Eric

Changed in libmemcached (Ubuntu Disco):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libmemcached - 1.0.18-4.2ubuntu1

---------------
libmemcached (1.0.18-4.2ubuntu1) disco; urgency=medium

  * d/p/fixing_missing_null_termination.patch:
    - Fix missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS
      response handling (LP: #1573594)

 -- Ioanna Alifieraki <email address hidden> Fri, 18 Jan 2019 13:04:25 +0000

Changed in libmemcached (Ubuntu Disco):
status: Fix Committed → Fix Released
Eric Desrochers (slashd) wrote :

Note:
---
* No longer active upstream
  - https://code.launchpad.net/libmemcached
  - Last Modified: 2014-02-16

* Patch has been submitted Debian
  - https://bugs.debian.org/919696
---

Under the circumstances of libmemcached being no longer active upstream and considering the fact that @Joalif filed a bug and submitted the patch to Debian:

Sponsored for C/B/X/T.

@Joalif, when the releases will turn "Fix Committed". The package will start building and soon be found in $release-proposed for the testing phase.

Please test and describe (with details) your tests and results against each libmemcached proposed packages. It will serves as a justification for the SRU team to approve the final copy from -proposed to -updates (final destination marking the end of the SRU) if no regression found.

Regards,
Eric

Eric Desrochers (slashd) wrote :

[Additionnal Sponsor note]

---
Xenial
---
Rejected:
File libmemcached_1.0.18-4.1ubuntu1.debian.tar.xz already exists in Primary Archive for Ubuntu, but uploaded version has different contents. See more information about this error in https://help.launchpad.net/Packaging/UploadErrors.
Files specified in DSC are broken or missing, skipping package unpack verification.
---

I had to bump the version for Xenial from "1.0.18-4ubuntu1" to "1.0.18-4ubuntu2".
"1.0.18-4ubuntu1" has already been uploaded/built back in 2015 and got superseded/deleted for some reasons that I not aware of, therefore can't be use again.

# https://launchpad.net/ubuntu/+source/libmemcached/+publishinghistory

Date Status Target Pocket Component Section Version
2015-12-12 11:54:14 EST Superseded Xenial release main libs 1.0.18-4ubuntu1
2015-12-13 13:10:09 EST Deleted Xenial proposed main libs 1.0.18-4ubuntu1

# Approved upload:
[ubuntu/xenial-proposed] libmemcached 1.0.18-4.1ubuntu2 (Waiting for approval)

Hello Stefan, or anyone else affected,

Accepted libmemcached into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libmemcached/1.0.18-4.2ubuntu0.18.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libmemcached (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Changed in libmemcached (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Stefan, or anyone else affected,

Accepted libmemcached into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libmemcached/1.0.18-4.2ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libmemcached (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Stefan, or anyone else affected,

Accepted libmemcached into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libmemcached/1.0.18-4.1ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libmemcached (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed-trusty
Łukasz Zemczak (sil2100) wrote :

Hello Stefan, or anyone else affected,

Accepted libmemcached into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libmemcached/1.0.8-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Łukasz Zemczak (sil2100) wrote :

I accepted this to -proposed, but since this seems to be a security-related fix, I would really want the security team to take a look at the change and decide whether this should actually go through -security or both.

Seth Arnold (seth-arnold) wrote :

Thanks Łukasz, this looks appropriate for an SRU update.

Thanks

affects: libmemcached → ubuntu-translations
no longer affects: ubuntu-translations
description: updated
Ioanna Alifieraki (joalif) wrote :

Verification on Xenial :

Repeating the steps described in the [Test Case] of bug description :

Install the xenial-proposed packages

$ dpkg -l | grep libmem
ii libhashkit-dev 1.0.18-4.1ubuntu2 amd64 libmemcached hashing functions and algorithms (development files)
ii libhashkit2:amd64 1.0.18-4.1ubuntu2 amd64 libmemcached hashing functions and algorithms
ii libmemcached-dev 1.0.18-4.1ubuntu2 amd64 C and C++ client library to the memcached server (development files)
ii libmemcached-tools 1.0.18-4.1ubuntu2 amd64 Commandline tools for talking to memcached via libmemcached
ii libmemcached11:amd64 1.0.18-4.1ubuntu2 amd64 C and C++ client library to the memcached server
ii libmemcachedutil2:amd64 1.0.18-4.1ubuntu2 amd64 library implementing connection pooling for libmemcached

$ ./sasl_test 88BAB0 1A99094B77C8935ED9F1461C767DB1F9 mc2.dev.eu.ec2.memcachier.com
Get/Set success!

tags: added: verification-done-xenial
removed: verification-needed-xenial
Ioanna Alifieraki (joalif) wrote :

Verification on Bionic :

Repeating the steps described in the [Test Case] of bug description :

Install the bionic-proposed packages

$ dpkg -l | grep libmemcache
ii libhashkit-dev:amd64 1.0.18-4.2 amd64 libmemcached hashing functions and algorithms (development files)
ii libhashkit2:amd64 1.0.18-4.2 amd64 libmemcached hashing functions and algorithms
ii libmemcached-dev:amd64 1.0.18-4.2 amd64 C and C++ client library to the memcached server (development files)
ii libmemcached-tools 1.0.18-4.2 amd64 Commandline tools for talking to memcached via libmemcached
ii libmemcached11:amd64 1.0.18-4.2 amd64 C and C++ client library to the memcached server
ii libmemcachedutil2:amd64 1.0.18-4.2 amd64 library implementing connection pooling for libmemcached

$ ./sasl_test 88BAB0 1A99094B77C8935ED9F1461C767DB1F9 mc2.dev.eu.ec2.memcachier.com
Get/Set success!

tags: added: verification-done-bionic
removed: verification-needed-bionic
Ioanna Alifieraki (joalif) wrote :

Verification on Cosmic :

Repeating the steps described in the [Test Case] of bug description :

Install the cosmic-proposed packages

$ dpkg -l | grep libmemcached
ii libhashkit-dev:amd64 1.0.18-4.2ubuntu0.18.10.1 amd64 libmemcached hashing functions and algorithms (development files)
ii libhashkit2:amd64 1.0.18-4.2ubuntu0.18.10.1 amd64 libmemcached hashing functions and algorithms
ii libmemcached-dev:amd64 1.0.18-4.2ubuntu0.18.10.1 amd64 C and C++ client library to the memcached server (development files)
ii libmemcached-tools 1.0.18-4.2ubuntu0.18.10.1 amd64 Commandline tools for talking to memcached via libmemcached
ii libmemcached11:amd64 1.0.18-4.2ubuntu0.18.10.1 amd64 C and C++ client library to the memcached server
ii libmemcachedutil2:amd64 1.0.18-4.2ubuntu0.18.10.1 amd64 library implementing connection pooling for libmemcached

$ ./sasl_test 88BAB0 1A99094B77C8935ED9F1461C767DB1F9 mc2.dev.eu.ec2.memcachier.com
Get/Set success!

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Ioanna Alifieraki (joalif) wrote :

Correction on comment #28 :

Verification on Bionic
Repeating the steps described in the [Test Case] of bug description :

Install the bionic-proposed packages

$ dpkg -l | grep libmem
ii libhashkit-dev:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 libmemcached hashing functions and algorithms (development files)
ii libhashkit2:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 libmemcached hashing functions and algorithms
ii libmemcached-dev:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 C and C++ client library to the memcached server (development files)
ii libmemcached-tools 1.0.18-4.2ubuntu0.18.04.1 amd64 Commandline tools for talking to memcached via libmemcached
ii libmemcached11:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 C and C++ client library to the memcached server
ii libmemcachedutil2:amd64 1.0.18-4.2ubuntu0.18.04.1 amd64 library implementing connection pooling for libmemcached

$ ./sasl_test 88BAB0 1A99094B77C8935ED9F1461C767DB1F9 mc2.dev.eu.ec2.memcachier.com
Get/Set success!

Ioanna Alifieraki (joalif) wrote :

Verification on Trusty :

**Verification failed**
libmemcached on Trusty does not support SASL authentication

Repeating the steps described in the [Test Case] of bug description :

Install the trusty-proposed packages

$ dpkg -l | grep libmemcached
ii libhashkit-dev 1.0.8-1ubuntu2.1 amd64 libmemcached hashing functions and algorithms (development files)
ii libhashkit2:amd64 1.0.8-1ubuntu2.1 amd64 libmemcached hashing functions and algorithms
ii libmemcached-dev 1.0.8-1ubuntu2.1 amd64 C and C++ client library to the memcached server (development files)
ii libmemcached-tools 1.0.8-1ubuntu2.1 amd64 Commandline tools for talking to memcached via libmemcached
ii libmemcached10:amd64 1.0.8-1ubuntu2.1 amd64 C and C++ client library to the memcached server
ii libmemcachedprotocol0:amd64 1.0.8-1ubuntu2.1 amd64 library implementing the memcached protocol
ii libmemcachedutil2:amd64 1.0.8-1ubuntu2.1 amd64 library implementing connection pooling for libmemcached

$ ./sasl_test 88BAB0 1A99094B77C8935ED9F1461C767DB1F9 mc2.dev.eu.ec2.memcachier.com
Couldn't setup SASL auth: ACTION NOT SUPPORTED
Set failed: AUTHENTICATION FAILURE

tags: added: verification-failed-trusty
removed: verification-needed-trusty
Eric Desrochers (slashd) wrote :

Ionna,

Let's then request the SRU verification team to drop the package for trusty-proposed.
If SASL is not supported in the Trusty pkg, there is no point to complete the SRU for Trusty.

Additionally, since Trusty is near to its EOL, I don't see good reason/justification to justify the effort/work to enable SASL on the package.

Also enabling SASL, IMHO, won't be consider a "bug fix", but a "new feature".

For all the reasons above, let's simply drop the pkg from trusty-proposed.

- Eric

Łukasz Zemczak (sil2100) wrote :

Thanks for verifying! I'll drop the trusty package from -proposed and release the others into -updates.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libmemcached - 1.0.18-4.2ubuntu0.18.10.1

---------------
libmemcached (1.0.18-4.2ubuntu0.18.10.1) cosmic; urgency=medium

  * d/p/fixing_missing_null_termination.patch:
    - Fix missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS
      response handling (LP: #1573594)

 -- Ioanna Alifieraki <email address hidden> Fri, 18 Jan 2019 13:36:33 +0000

Changed in libmemcached (Ubuntu Cosmic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for libmemcached has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libmemcached - 1.0.18-4.2ubuntu0.18.04.1

---------------
libmemcached (1.0.18-4.2ubuntu0.18.04.1) bionic; urgency=medium

  * d/p/fixing_missing_null_termination.patch:
    - Fix missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS
      response handling (LP: #1573594)

 -- Ioanna Alifieraki <email address hidden> Fri, 18 Jan 2019 12:41:28 +0000

Changed in libmemcached (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libmemcached - 1.0.18-4.1ubuntu2

---------------
libmemcached (1.0.18-4.1ubuntu2) xenial; urgency=medium

  * d/p/fixing_missing_null_termination.patch:
    - Fix missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS
      response handling (LP: #1573594)

 -- Ioanna Alifieraki <email address hidden> Fri, 18 Jan 2019 12:57:57 +0000

Changed in libmemcached (Ubuntu Xenial):
status: Fix Committed → Fix Released
Eric Desrochers (slashd) on 2019-02-07
Changed in libmemcached (Ubuntu Trusty):
status: Fix Committed → Invalid
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.