Bug 1753862 (CVE-2019-15026) - CVE-2019-15026 memcached: stack-based buffer over-read in conn_to_str in memcached.c
Summary: CVE-2019-15026 memcached: stack-based buffer over-read in conn_to_str in memc...
Alias: CVE-2019-15026
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1753863 1757183 1757237 1757238 1757239 1757524
Blocks: 1753864
TreeView+ depends on / blocked
Reported: 2019-09-20 05:45 UTC by Dhananjay Arunesh
Modified: 2021-10-27 10:48 UTC (History)
14 users (show)

Fixed In Version: memcached 1.15.17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-27 10:48:47 UTC

Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-09-20 05:45:56 UTC
A vulnerability was found in memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.


Comment 1 Dhananjay Arunesh 2019-09-20 05:46:25 UTC
Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1753863]

Comment 4 Marco Benatto 2019-09-20 19:25:27 UTC
External References:


Comment 9 Nick Tait 2019-10-01 18:11:30 UTC
(I made a slight grammatical tweak to the statement)

Comment 10 Nick Tait 2019-10-01 18:11:34 UTC

The versions of memcached shipped with Red Hat Enterprise Linux 5 to 7 are not affected by this issue as it doesn't contain the vulnerable source code.

Comment 11 Nick Tait 2019-10-01 18:12:25 UTC
Created memcached tracking bugs for this issue:

Affects: openstack-rdo [bug 1757524]

Comment 13 Marco Benatto 2019-10-02 13:49:44 UTC
There's an issue on memcached when UNIX sockets are used as the communication channel from clients to daemon which cause conn_to_str() to perform an out-of-bounds read while trying to retrieve the socket's filename when querying the server's connection status.

Under undetermined circumstances both socket->sun_path and conn_to_str() function's internal buffer may end up overlapped on memory layout, this causes
the strncpy() function to read past the end of source buffer when copying the socket's filename string to destination buffer.

The issue described bellow may cause a low confidentiality impact as chunks of stack might be exposed to an attacker.

Note You need to log in before you can comment on or make changes to this bug.