Installing memcached package creates /nonexistent

Bug #1255328 reported by Dustin Lundquist on 2013-11-26
This bug affects 1 person
Affects Status Importance Assigned to Milestone
memcached (Ubuntu)

Bug Description

memcached package creates /nonexistant which should not exist:

[dustin@lilthing ~]$ ls /
bin boot cdrom dev etc home initrd.img initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old
[dustin@lilthing ~]$ sudo apt-get install memcached
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  libcache-memcached-perl libmemcached
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/76.3 kB of archives.
After this operation, 228 kB of additional disk space will be used.
Selecting previously unselected package memcached.
(Reading database ... 243247 files and directories currently installed.)
Unpacking memcached (from .../memcached_1.4.14-0ubuntu4_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up memcached (1.4.14-0ubuntu4) ...
Starting memcached: memcached.
Processing triggers for ureadahead ...
[dustin@lilthing ~]$ ls /
bin boot cdrom dev etc home initrd.img initrd.img.old lib lib64 lost+found media mnt nonexistent opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old

ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: memcached 1.4.14-0ubuntu4
ProcVersionSignature: Ubuntu 3.11.0-13.20-generic 3.11.6
Uname: Linux 3.11.0-13-generic x86_64
ApportVersion: 2.12.5-0ubuntu2.1
Architecture: amd64
Date: Tue Nov 26 14:08:48 2013
EcryptfsInUse: Yes
InstallationDate: Installed on 2013-10-08 (49 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Beta amd64 (20130925.1)
MarkForUpload: True
SourcePackage: memcached
UpgradeStatus: No upgrade log present (probably fresh install)

CVE References

Dustin Lundquist (dlundquist) wrote :
Dustin Lundquist (dlundquist) wrote :
description: updated

The attachment "memcached-no-create-home.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Yolanda Robla (yolanda.robla) wrote :

Tested with saucy, same memcached version, and that directory is created.

Changed in memcached (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Dustin Lundquist (dlundquist) wrote :

Checked upstream Debian package (memcached_1.4.13-0.2), it does not create a memcached user and does not exhibit this problem.

Dustin Lundquist (dlundquist) wrote :

Tested with trusty, still creates /nonexistant on install.

tags: added: trusty
summary: - Memcached package creates /nonexistent/
+ Installing memcached package creates /nonexistent
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package memcached - 1.4.14-0ubuntu9

memcached (1.4.14-0ubuntu9) trusty; urgency=low

  * SECURITY UPDATE: denial of service via large body length
    - debian/patches/CVE-2011-4971.patch: check length in memcached.c,
      added test to t/issue_192.t.
    - CVE-2011-4971
  * SECURITY UPDATE: denial of service when using -vv
    - debian/patches/CVE-2013-0179.patch: properly format key in items.c,
    - CVE-2013-0179
  * SECURITY UPDATE: SASL authentication bypass
    - debian/patches/CVE-2013-7239.patch: explicitly record sasl auth
      states in memcached.*, added test to t/binary-sasl.t.
    - CVE-2013-7239
  * debian/memcached.postinst: don't create home directory so we don't end
    up with /nonexistent. Thanks to Dustin Lundquist for patch.
    (LP: #1255328)
 -- Marc Deslauriers <email address hidden> Mon, 13 Jan 2014 15:48:48 -0500

Changed in memcached (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers