[Bug 1007866] New: Memcached: 1.4.32 and earlier buffer overflow
http://bugzilla.opensuse.org/show_bug.cgi?id=1007866

Bug ID: 1007866
Summary: Memcached: 1.4.32 and earlier buffer overflow
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Reference:

[1] http://seclists.org/oss-sec/2016/q4/290

[1]:
===================================================
Release notes with tarball here:
https://github.com/memcached/memcached/wiki/ReleaseNotes1433

Copy/paste from the release notes:

Serious remote code execution bugs are fixed in this release.

The bugs are related to the binary protocol as well as SASL authentication of the binary protocol.

If you do not use the binary protocol at all, a workaround is to start memcached with -B ascii - otherwise you will need the patch in this release.

The diff may apply cleanly to older versions as the affected code has not changed in a long time.

Full details of the issues may be found here:
http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html

In summary: two binary protocol parsing errors, and a SASL authentication parsing error allow buffer overflows of keys into arbitrary memory space. With enough work undesirable effects are possible.

CVEs were requested and assigned by the reporter. I unfortunately don't have them handy :(

-Dormando
===================================================

[2] https://software.opensuse.org/package/memcached

[2]:
===================================================
TW: 1.4.25
42.1: 1.4.22
13.2: 1.4.20
network:utilities repo: 1.4.25
server:php:extensions repo: 1.4.25
filesystems:openATTIC repo: 1.4.25
===================================================

--
You are receiving this mail because:
You are on the CC list for the bug.
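
A triage check for the situation described in this report, added here as an example and not part of the bug report or of memcached itself: it classifies an instance by upstream version (fixed in 1.4.33) and by whether the "-B ascii" workaround from the release notes is on its command line. The function names and the sample command lines are assumptions made for illustration; the versions are the ones listed in the report.

```python
import re

FIXED = (1, 4, 33)  # first fixed upstream release, per the release notes quoted above


def parse_version(text):
    """Extract (major, minor, patch) from e.g. '1.4.25' or 'memcached 1.4.25'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def binding_protocol(argv):
    """Return the last -B value on the command line, or 'auto' (the default).

    Handles '-B ascii' and '-Bascii'; clustered short flags are not parsed.
    Assumption: a repeated -B overrides an earlier one.
    """
    proto = "auto"
    for i, arg in enumerate(argv):
        if arg == "-B" and i + 1 < len(argv):
            proto = argv[i + 1]
        elif arg.startswith("-B") and len(arg) > 2:
            proto = arg[2:]
    return proto


def triage(version_text, argv):
    """Classify one instance as 'patched', 'mitigated' or 'exposed'."""
    if parse_version(version_text) >= FIXED:
        return "patched"
    if binding_protocol(argv) == "ascii":
        return "mitigated"  # release-notes workaround is in effect
    return "exposed"


# Versions are the ones listed in the report; command lines are constructed.
SAMPLES = [
    ("TW", "1.4.25", ["memcached", "-p", "11211"]),
    ("42.1", "1.4.22", ["memcached", "-B", "ascii"]),
    ("13.2", "1.4.20", ["memcached", "-Bascii", "-B", "auto"]),
]

if __name__ == "__main__":
    for name, version, argv in SAMPLES:
        print(f"{name:5} {version:7} {triage(version, argv)}")
```

The comparison uses the upstream version string only, so a distribution package that carries a backported fix under an older version number will still be reported as exposed and needs a changelog check.
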

http://bugzilla.opensuse.org/show_bug.cgi?id=1007866#c1

--- Comment #1 from Mikhail Kasimov <mikhail.kasimov@gmail.com> ---
Reference: http://seclists.org/oss-sec/2016/q4/292

===================================================================
As per Talos page, there seem to be three issues.

CVE-2016-8704 - Memcached server append/prepend remote code execution vulnerability
An integer overflow in the process_bin_append_prepend function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.
http://www.talosintelligence.com/reports/TALOS-2016-0219/

CVE-2016-8705 - Memcached server update remote code execution vulnerability
Multiple integer overflows in process_bin_update function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.
http://www.talosintelligence.com/reports/TALOS-2016-0220/

CVE-2016-8706 - Memcached server SASL authentication remote code execution vulnerability
An integer overflow in process_bin_sasl_auth function which is responsible for authentication commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.
http://www.talosintelligence.com/reports/TALOS-2016-0221/

There is also a talos blog post about these issues:
http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html

Thanks for sharing!
===================================================================

http://bugzilla.opensuse.org/show_bug.cgi?id=1007866#c2

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |astieger@suse.com
         Resolution|---                         |DUPLICATE

--- Comment #2 from Andreas Stieger <astieger@suse.com> ---
See bug CVE-2016-8704, bug CVE-2016-8705, bug CVE-2016-8706

*** This bug has been marked as a duplicate of bug 1007871 ***