A vulnerability was found in memcached 1.5.16: when UNIX sockets are used, there is a stack-based buffer over-read in conn_to_str in memcached.c.
Reference:
https://github.com/memcached/memcached/commit/554b56687a19300a75ec24184746b5512580c819
https://github.com/memcached/memcached/wiki/ReleaseNotes1517
Created memcached tracking bugs for this issue: Affects: fedora-all [bug 1753863]
Upstream commit: https://github.com/memcached/memcached/commit/554b56687a19300a75ec24184746b5512580c819
External References: https://github.com/memcached/memcached/wiki/ReleaseNotes1517
(I made a slight grammatical tweak to the statement)
Statement: The versions of memcached shipped with Red Hat Enterprise Linux 5 to 7 are not affected by this issue as they don't contain the vulnerable source code.
Created memcached tracking bugs for this issue: Affects: openstack-rdo [bug 1757524]
There's an issue in memcached when UNIX sockets are used as the communication channel from clients to the daemon, which causes conn_to_str() to perform an out-of-bounds read while trying to retrieve the socket's filename when querying the server's connection status. Under undetermined circumstances both socket->sun_path and the conn_to_str() function's internal buffer may end up overlapped in the memory layout; this causes the strncpy() function to read past the end of the source buffer when copying the socket's filename string to the destination buffer. The issue described below may cause a low confidentiality impact as chunks of stack might be exposed to an attacker.
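
A bounded way to copy a socket's sun_path in the situation the comment above describes, as an added example that is not part of this bug report or of the upstream memcached fix. The names copy_sun_path and demo_unterminated are hypothetical, and the fully filled address is constructed test input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper, not memcached code: copy a UNIX socket path into dst
 * while reading only bytes inside sun->sun_path. Returns the number of bytes
 * copied, excluding the terminating NUL. */
size_t copy_sun_path(char *dst, size_t dstlen,
                     const struct sockaddr_un *sun, socklen_t addrlen)
{
    const size_t off = offsetof(struct sockaddr_un, sun_path);
    if (dst == NULL || dstlen == 0)
        return 0;
    dst[0] = '\0';
    if (sun == NULL || (size_t)addrlen <= off)
        return 0;                     /* unnamed socket: no path bytes */
    /* Bytes the address really carries, capped at the array size. */
    size_t avail = (size_t)addrlen - off;
    if (avail > sizeof(sun->sun_path))
        avail = sizeof(sun->sun_path);
    /* sun_path may lack a NUL terminator, so search only within avail. */
    const char *nul = memchr(sun->sun_path, '\0', avail);
    size_t n = nul ? (size_t)(nul - sun->sun_path) : avail;
    if (n > dstlen - 1)
        n = dstlen - 1;               /* truncate to fit the destination */
    memmove(dst, sun->sun_path, n);   /* memmove is defined for overlap */
    dst[n] = '\0';
    return n;
}

/* Constructed worst case: sun_path filled completely, no NUL anywhere. */
size_t demo_unterminated(size_t dstlen)
{
    struct sockaddr_un sun;
    char out[256];
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    memset(sun.sun_path, 'A', sizeof sun.sun_path);
    memset(out, 'X', sizeof out);     /* termination must come from the helper */
    if (dstlen == 0 || dstlen > sizeof out)
        dstlen = sizeof out;
    size_t n = copy_sun_path(out, dstlen, &sun, (socklen_t)sizeof sun);
    return n == strlen(out) ? n : (size_t)-1;
}

int main(void) { printf("copied %zu bytes\n", demo_unterminated(256)); return 0; }
```

Building the demo with -fsanitize=address is a quick way to confirm that no read leaves sun_path.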