Bug 1753862 (CVE-2019-15026)

Summary: CVE-2019-15026 memcached: stack-based buffer over-read in conn_to_str in memcached.c

Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: memcached 1.5.17
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-10-27 10:48:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Reporter: Dhananjay Arunesh <darunesh>
Assignee: Red Hat Product Security <security-response-team>
CC: apevec, hguemar, jjoyce, jorton, jschluet, lhh, lindner, lpeer, matthias, mburns, mlichvar, sclewis, slinaber, tkorbar
Keywords: Security

Bug Depends On: 1753863, 1757183, 1757237, 1757238, 1757239, 1757524
Bug Blocks: 1753864

Description Dhananjay Arunesh 2019-09-20 05:45:56 UTC
A vulnerability was found in memcached 1.5.16: when UNIX sockets are used, it has a stack-based buffer over-read in conn_to_str in memcached.c.

Reference:
https://github.com/memcached/memcached/commit/554b56687a19300a75ec24184746b5512580c819
https://github.com/memcached/memcached/wiki/ReleaseNotes1517

Comment 1 Dhananjay Arunesh 2019-09-20 05:46:25 UTC
Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1753863]

Comment 4 Marco Benatto 2019-09-20 19:25:27 UTC
External References:

https://github.com/memcached/memcached/wiki/ReleaseNotes1517

Comment 9 Nick Tait 2019-10-01 18:11:30 UTC
(I made a slight grammatical tweak to the statement)

Comment 10 Nick Tait 2019-10-01 18:11:34 UTC
Statement:

The versions of memcached shipped with Red Hat Enterprise Linux 5 to 7 are not affected by this issue, as they do not contain the vulnerable source code.

Comment 11 Nick Tait 2019-10-01 18:12:25 UTC
Created memcached tracking bugs for this issue:

Affects: openstack-rdo [bug 1757524]

Comment 13 Marco Benatto 2019-10-02 13:49:44 UTC
There's an issue in memcached when UNIX sockets are used as the communication channel from clients to the daemon, which causes conn_to_str() to perform an out-of-bounds read while trying to retrieve the socket's filename when querying the server's connection status.

Under undetermined circumstances both socket->sun_path and conn_to_str()'s internal buffer may end up overlapping in the memory layout; this causes the strncpy() function to read past the end of the source buffer when copying the socket's filename string to the destination buffer.

The issue described above may cause a low confidentiality impact, as chunks of the stack might be exposed to an attacker.
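The over-read pattern Marco describes, as an added illustration of the bug class rather than memcached's own code (the conn_record layout, the field names, the 28-byte storage size and the marker string are assumptions made for this demo; the real change is in the commit linked in the description): a strncpy() whose bound comes from the sockaddr_un type walks past a smaller field that holds only a fragment of the path, while a copy bounded by the address length that was actually recorded stops where the stored bytes end.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Constructed illustration (not memcached's code): a connection record that
 * stores the peer address in a field sized for IP sockets. sizeof(struct
 * sockaddr_in6) is 28 on Linux, while sockaddr_un.sun_path alone is 108. */
#define REQ_ADDR_LEN 28

struct conn_record {
    unsigned char request_addr[REQ_ADDR_LEN]; /* sun_family + at most 26 path bytes */
    char guard[64];                           /* stands in for whatever follows in memory */
    socklen_t request_addr_len;               /* bytes actually stored in request_addr */
};

/* Vulnerable pattern: the copy bound is sizeof(sun_path), taken from the
 * type, not from the 28 bytes really backing it. strncpy keeps reading until
 * it finds a NUL; if the stored fragment has none, the read runs off
 * request_addr into guard and those bytes end up in the output string. */
size_t conn_to_str_unbounded(const struct conn_record *c, char *out, size_t outlen)
{
    const struct sockaddr_un *un = (const struct sockaddr_un *)c->request_addr;

    if (outlen <= sizeof un->sun_path) {
        out[0] = '\0';
        return 0;
    }
    strncpy(out, un->sun_path, sizeof un->sun_path);
    out[sizeof un->sun_path] = '\0';
    return strlen(out);
}

/* Hardened: never read more path bytes than the record actually stored.
 * Returns 0 (empty string) on a malformed or truncated length. */
size_t conn_to_str_bounded(const struct conn_record *c, char *out, size_t outlen)
{
    const struct sockaddr_un *un = (const struct sockaddr_un *)c->request_addr;
    size_t path_off = offsetof(struct sockaddr_un, sun_path);
    size_t avail, n;

    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (c->request_addr_len <= path_off || c->request_addr_len > sizeof c->request_addr)
        return 0;

    avail = c->request_addr_len - path_off; /* path bytes really present */
    n = strnlen(un->sun_path, avail);       /* stops at avail even without a NUL */
    if (n > outlen - 1)
        n = outlen - 1;
    memcpy(out, un->sun_path, n);
    out[n] = '\0';
    return n;
}

/* Constructed input: a peer whose socket path may be longer than the 26
 * bytes the record can hold, so no terminator lands inside request_addr.
 * guard is filled with a marker so a leak is visible in the output. */
void make_record(struct conn_record *c, const char *path)
{
    struct sockaddr_un un;

    memset(c, 0, sizeof *c);
    memset(&un, 0, sizeof un);
    un.sun_family = AF_UNIX;
    strncpy(un.sun_path, path, sizeof un.sun_path - 1);
    memcpy(c->request_addr, &un, sizeof c->request_addr); /* truncated, as a too-small field would be */
    c->request_addr_len = sizeof c->request_addr;
    strcpy(c->guard, "LEAKED-NEIGHBOUR-BYTES");
}

int main(void)
{
    struct conn_record rec;
    char out[256];

    make_record(&rec, "/var/run/memcached/socket-with-a-long-name");
    conn_to_str_unbounded(&rec, out, sizeof out);
    printf("unbounded: %s\n", out); /* 26 path bytes followed by the guard marker */
    conn_to_str_bounded(&rec, out, sizeof out);
    printf("bounded:   %s\n", out); /* only the 26 stored path bytes */
    return 0;
}
```

The bounded version is what a review should look for: the source length comes from the socklen_t returned by accept()/getsockname() (or the stored copy of it), and strnlen() is used so that a path fragment without a terminator cannot pull the copy past the end of the storage.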