Bug 516489 (CVE-2009-2415)

Summary: CVE-2009-2415 memcached: heap-based buffer overflow
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: lindner, matthias, ruben, tcallawa, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-02-07 06:06:13 UTC
Bug Depends On: 542057, 542058
Attachments: Debian patch for 1.2.2 (from DSA-1853-1) (flags: none)

Description Tomas Hoger 2009-08-10 07:53:24 UTC
Debian has released a security advisory DSA-1853 for memcached:

  Ronald Volgers discovered that memcached, a high-performance memory object
  caching system, is vulnerable to several heap-based buffer overflows due
  to integer conversions when parsing certain length attributes. An attacker
  can use this to execute arbitrary code on the system running memcached (on
  etch with root privileges).

  http://www.debian.org/security/2009/dsa-1853

An attacker needs to have access to memcached's port.  Additionally, memcached is run under a dedicated non-privileged user on Fedora.
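
The bug class the advisory names (an integer conversion on a parsed length attribute), shown as an added illustration; this is not memcached's code, nor the Debian or upstream patch. The function names, the 1 MiB cap and the two-byte terminator are assumptions made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

#define MAX_VALUE_LEN (1024 * 1024)  /* assumed cap on a stored value */

/* Unchecked pattern: narrows strtol()'s long to int with no range check.
 * A negative or oversized decimal field yields a negative or truncated
 * int, so a size computed from it no longer matches the bytes copied. */
int parse_len_unchecked(const char *field) {
    return (int)strtol(field, NULL, 10);
}

/* Checked form: returns 0 and stores the length, or -1 on rejection. */
int parse_len_checked(const char *field, size_t *out) {
    char *end;
    long v;

    if (field == NULL || *field == '\0')
        return -1;
    errno = 0;
    v = strtol(field, &end, 10);
    if (errno == ERANGE || end == field || *end != '\0')
        return -1;               /* overflowed long, no digits, or trailing bytes */
    if (v < 0 || v > MAX_VALUE_LEN)
        return -1;               /* negative, or above the assumed cap */
    *out = (size_t)v;
    return 0;
}

/* Allocation size for the value plus an assumed 2-byte terminator.
 * Returns 0 when the length field must be rejected. */
size_t alloc_size_for(const char *field) {
    size_t len;

    if (parse_len_checked(field, &len) != 0)
        return 0;
    return len + 2;              /* cannot wrap: len <= MAX_VALUE_LEN */
}
```
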

Comment 1 Tomas Hoger 2009-08-10 07:54:22 UTC
Created attachment 356858
Debian patch for 1.2.2 (from DSA-1853-1)

Patch extracted from Debian update for 1.2.2.

Upstream fix for 1.2.8 should be this:
  http://consoleninja.net/code/memcached/memcached-1.2.8_proper_vlen_fix.patch

Comment 2 Paul Lindner 2009-08-12 06:37:20 UTC
dormando will create a 1.2.9 that contains 1.2.8+this patch

I'll spin out a new 1.2.9 version.

Comment 3 Vincent Danen 2009-11-28 04:16:14 UTC
I'm assuming that 1.4.0 has this fix since 1.2.9 was supposed to have this fix (hard to tell since the ChangeLog file is not up to date).  However, Fedora 10 and 11 still have the 1.2.8 version.  Where is the 1.2.9 version promised in comment #2?

Comment 5 Fedora Update System 2009-12-11 18:27:07 UTC
memcached-1.2.8-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.