Bug 1753862 (CVE-2019-15026)
Summary: | CVE-2019-15026 memcached: stack-based buffer over-read in conn_to_str in memcached.c | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | apevec, hguemar, jjoyce, jorton, jschluet, lhh, lindner, lpeer, matthias, mburns, mlichvar, sclewis, slinaber, tkorbar |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | memcached 1.15.17 | Doc Type: | If docs needed, set a value |
Last Closed: | 2021-10-27 10:48:47 UTC | Type: | --- |
Bug Depends On: | 1753863, 1757183, 1757237, 1757238, 1757239, 1757524 | ||
Bug Blocks: | 1753864 |
Description
Dhananjay Arunesh
2019-09-20 05:45:56 UTC
Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1753863]

Upstream commit:
https://github.com/memcached/memcached/commit/554b56687a19300a75ec24184746b5512580c819

External References:
https://github.com/memcached/memcached/wiki/ReleaseNotes1517

(I made a slight grammatical tweak to the statement)

Statement:
The versions of memcached shipped with Red Hat Enterprise Linux 5 to 7 are not affected by this issue as they don't contain the vulnerable source code.

Created memcached tracking bugs for this issue:

Affects: openstack-rdo [bug 1757524]

There's an issue in memcached when UNIX sockets are used as the communication channel from clients to the daemon, which causes conn_to_str() to perform an out-of-bounds read while trying to retrieve the socket's filename when querying the server's connection status. Under undetermined circumstances, both socket->sun_path and the conn_to_str() function's internal buffer may end up overlapping in the memory layout; this causes the strncpy() function to read past the end of the source buffer when copying the socket's filename string to the destination buffer. The issue described below may cause a low confidentiality impact, as chunks of stack might be exposed to an attacker.
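One way to copy a UNIX socket's filename so that the read can never run past the end of sun_path, a fixed-size field that is not guaranteed to be NUL-terminated. This is an added example, not memcached's code or the upstream fix; the helper name copy_unix_path and the sample address in main() are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper, not memcached's code: copy a UNIX socket's filename
 * into dst without reading past the end of sun_path. salen is the address
 * length reported by getsockname()/getpeername(). Returns bytes stored. */
size_t copy_unix_path(char *dst, size_t dstlen,
                      const struct sockaddr_un *sa, socklen_t salen)
{
    const size_t off = offsetof(struct sockaddr_un, sun_path);

    if (dstlen == 0)
        return 0;
    dst[0] = '\0';
    if (sa == NULL || (size_t)salen <= off)
        return 0;                      /* unnamed socket: no path bytes */

    /* Valid source bytes: bounded by the reported length and the field size. */
    size_t srcmax = (size_t)salen - off;
    if (srcmax > sizeof(sa->sun_path))
        srcmax = sizeof(sa->sun_path);

    /* sun_path may fill the whole field with no NUL, so search only inside
     * the source bound. An abstract name (leading NUL) yields "". */
    const char *end = memchr(sa->sun_path, '\0', srcmax);
    size_t n = end ? (size_t)(end - sa->sun_path) : srcmax;
    if (n > dstlen - 1)
        n = dstlen - 1;                /* truncate to fit the destination */

    memcpy(dst, sa->sun_path, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed input: a name that fills sun_path completely, no NUL. */
    struct sockaddr_un sa;
    char text[256];
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    memset(sa.sun_path, 'A', sizeof(sa.sun_path));
    size_t n = copy_unix_path(text, sizeof(text), &sa, sizeof(sa));
    printf("copied %zu bytes, terminated: %d\n", n, text[n] == '\0');
    return 0;
}
```

The copy is limited by the source bound first and the destination size second, so neither an unterminated name nor a small output buffer causes an out-of-bounds access.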