1816630 – (CVE-2020-10931) CVE-2020-10931 memcached: mishandled memcpy into a stack-based buffer may lead to DoS

Bug 1816630 (CVE-2020-10931) - CVE-2020-10931 memcached: mishandled memcpy into a stack-based buffer may lead to DoS

Summary: CVE-2020-10931 memcached: mishandled memcpy into a stack-based buffer may lea...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-10931
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1817472 (view as bug list)
Depends On:	1816632 1816634
Blocks:	1816633
TreeView+	depends on / blocked

Reported:	2020-03-24 12:04 UTC by Marian Rehak
Modified:	2021-02-16 20:24 UTC (History)
CC List:	17 users (show)
Fixed In Version:	memcached 1.6.2
Clone Of:
Environment:
Last Closed:	2020-04-02 22:31:55 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2020-03-24 12:04:56 UTC

There is no mechanism to verify the length of "extlen" when calling memcpy function, It will cause buffer overflow if large value is assigned to the extlen variable. This may result in DoS.

Upstream Issue:

https://github.com/memcached/memcached/issues/629

Comment 1 Marian Rehak 2020-03-24 12:06:21 UTC

Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1816632]
Affects: openstack-rdo [bug 1816634]

Comment 2 Riccardo Schirone 2020-04-01 10:50:21 UTC

Upstream fix:
https://github.com/memcached/memcached/commit/02c6a2b62ddcb6fa4569a591d3461a156a636305

Comment 3 Riccardo Schirone 2020-04-01 15:47:34 UTC

Vulnerability introduced in commit https://github.com/memcached/memcached/commit/8e59147cba140aa7d592b483806a2a8fadb562a2, released in upstream version 1.6.0.

Comment 5 Riccardo Schirone 2020-04-01 16:07:37 UTC

Statement:

This issue did not affect the versions of memcached as shipped with Red Hat Enterprise Linux 6, 7, and 8 as they did not include the vulnerable code.

Comment 6 Riccardo Schirone 2020-04-01 16:22:24 UTC

*** Bug 1817472 has been marked as a duplicate of this bug. ***

Comment 7 Riccardo Schirone 2020-04-01 16:25:31 UTC

External References:

https://github.com/memcached/memcached/wiki/ReleaseNotes162

Comment 9 Product Security DevOps Team 2020-04-02 22:31:55 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10931

Note You need to log in before you can comment on or make changes to this bug.