Bug 1816630 (CVE-2020-10931)

Summary: CVE-2020-10931 memcached: mishandled memcpy into a stack-based buffer may lead to DoS
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: apevec, dbecker, hguemar, jjoyce, jorton, jschluet, kbasil, lhh, lindner, lpeer, matthias, mburns, mkaplan, ntait, sclewis, slinaber, tkorbar
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: memcached 1.6.2
Doc Text:
A buffer overflow flaw was found in memcached 1.6.0, due to not having a mechanism to verify the length of “extlen” when calling the memcpy function if a large value is assigned to the “extlen” variable. This flaw causes a denial of service and presents a significant risk to system availability.
Last Closed: 2020-04-02 22:31:55 UTC
Bug Depends On: 1816632, 1816634    
Bug Blocks: 1816633    

Description Marian Rehak 2020-03-24 12:04:56 UTC
There is no mechanism to verify the length of "extlen" when calling the memcpy function. It will cause a buffer overflow if a large value is assigned to the extlen variable. This may result in DoS.

Upstream Issue:

https://github.com/memcached/memcached/issues/629
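
An added illustration of the missing length check described in the report above; it is not memcached's code and not part of the original bug. The offsets follow the memcached binary protocol header layout, while `MAX_EXTLEN`, `copy_extras` and `make_request` are hypothetical names and the packets are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN     24   /* memcached binary protocol header size */
#define EXTLEN_OFF  4    /* one-byte extras length inside the header */
#define BODYLEN_OFF 8    /* 32-bit big-endian total body length */
#define MAX_EXTLEN  20   /* assumed cap for this example only */

/* Copy the extras that follow the header into a fixed-size buffer.
 * Returns the number of bytes copied, or -1 when the packet is rejected. */
int copy_extras(const uint8_t *pkt, size_t pkt_len, uint8_t out[MAX_EXTLEN])
{
    if (pkt_len < HDR_LEN)
        return -1;                         /* header not fully received */
    uint8_t extlen = pkt[EXTLEN_OFF];      /* peer-controlled, 0..255 */
    uint32_t bodylen = ((uint32_t)pkt[BODYLEN_OFF] << 24) |
                       ((uint32_t)pkt[BODYLEN_OFF + 1] << 16) |
                       ((uint32_t)pkt[BODYLEN_OFF + 2] << 8) |
                        (uint32_t)pkt[BODYLEN_OFF + 3];
    if (extlen > MAX_EXTLEN)
        return -1;                         /* would overrun the destination */
    if (extlen > bodylen)
        return -1;                         /* extras cannot exceed the body */
    if (pkt_len - HDR_LEN < extlen)
        return -1;                         /* would read past received data */
    memcpy(out, pkt + HDR_LEN, extlen);    /* length is bounded on both sides */
    return extlen;
}

/* Fill buf (HDR_LEN + 255 bytes) with a constructed request; returns its size. */
size_t make_request(uint8_t *buf, uint8_t extlen, uint8_t bodylen)
{
    memset(buf, 0, HDR_LEN);
    memset(buf + HDR_LEN, 0xAB, 255);      /* constructed body bytes */
    buf[0] = 0x80;                         /* request magic */
    buf[EXTLEN_OFF] = extlen;
    buf[BODYLEN_OFF + 3] = bodylen;        /* low byte of the big-endian field */
    return HDR_LEN + 255;
}

int main(void)
{
    uint8_t pkt[HDR_LEN + 255], out[MAX_EXTLEN];
    size_t n = make_request(pkt, 200, 200);   /* oversized extlen */
    printf("extlen 200 -> %d\n", copy_extras(pkt, n, out));
    return 0;
}
```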

Comment 1 Marian Rehak 2020-03-24 12:06:21 UTC
Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1816632]
Affects: openstack-rdo [bug 1816634]

Comment 3 Riccardo Schirone 2020-04-01 15:47:34 UTC
Vulnerability introduced in commit https://github.com/memcached/memcached/commit/8e59147cba140aa7d592b483806a2a8fadb562a2, released in upstream version 1.6.0.

Comment 5 Riccardo Schirone 2020-04-01 16:07:37 UTC
Statement:

This issue did not affect the versions of memcached as shipped with Red Hat Enterprise Linux 6, 7, and 8 as they did not include the vulnerable code.

Comment 6 Riccardo Schirone 2020-04-01 16:22:24 UTC
*** Bug 1817472 has been marked as a duplicate of this bug. ***

Comment 7 Riccardo Schirone 2020-04-01 16:25:31 UTC
External References:

https://github.com/memcached/memcached/wiki/ReleaseNotes162

Comment 9 Product Security DevOps Team 2020-04-02 22:31:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10931