| Summary: | memcached new security issue CVE-2017-9951 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, luis.daniel.lucio, mageia, mageia, marja11, oe, olav, shlomif, smelror, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | memcached-1.4.25-2.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-11-22 19:30:43 CET

Comment 1
David Walser
2017-11-22 19:30:51 CET
Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => luis.daniel.lucio, mageia, marja11, oe, olav, shlomif, tmb

Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.

Comment 2
CC: (none) => smelror

Hi.

Updated memcached version 1.4.39 for MGA5 and MGA6 pushed to updates_testing.
New version for Cauldron, 1.5.3, pushed to core/release.

Cheers,
Stig

Comment 3
Version: Cauldron => 6

Advisory:
========================

Updated memcached packages fix security vulnerability:

The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read (CVE-2017-9951).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9951
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EGQ5CRXRSHTKFUB5MCASDOTTZT7YR6IR/
========================

Updated packages in core/updates_testing:
========================
memcached-1.4.39-1.mga5
memcached-devel-1.4.39-1.mga5
memcached-1.4.39-1.mga6
memcached-devel-1.4.39-1.mga6

from SRPMS:
memcached-1.4.39-1.mga5.src.rpm
memcached-1.4.39-1.mga6.src.rpm

Comment 4
Herman Viaene
CC: (none) => herman.viaene

MGA5-32 on Dell Latitude D600
No installation issues.
Tried to follow test as per bug 12156, after installing php, but get
$ php memcac.php
PHP Fatal error: Class 'Memcached' not found in /home/tester5/Documenten/memcac.php on line 4
Apparently something still missing in this new setup, but that will have to wait until tomorrow.

Comment 5
Herman Viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Found out that I needed to install the package php-memcached. Once this is in place, the test as mentioned above runs OK:
$ php memcac.php
my test data : SUCCESS
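The advisory in comment 3 names the root cause of CVE-2017-9951, a signed/unsigned comparison in try_read_command that ends in a heap over-read, but the thread never shows what that looks like in C. The program below is an added illustration written for this page, not memcached's code: the struct rbuf, the buggy_swallow/fixed_swallow accounting step and all function names are assumptions chosen to reproduce the bug class, a signed unread-byte counter that is driven negative by a client-supplied length and then handed to memchr(), whose length parameter is size_t. The vulnerable variant reports the out-of-bounds scan length instead of executing it, so the program runs without crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative read-buffer state for one client connection. The field names
 * follow common daemon conventions, but this is an assumed struct for the
 * example, not memcached's conn. */
struct rbuf {
    char   data[64];   /* the block the parser scans (constructed input) */
    size_t cap;        /* allocated size of data */
    char  *rcurr;      /* first unread byte */
    int    rbytes;     /* unread byte count, signed: the root of the problem */
};

/* Load a constructed request so the example runs offline. */
void rbuf_init(struct rbuf *c, const char *req)
{
    memset(c, 0, sizeof *c);
    c->cap = sizeof c->data;
    size_t n = strlen(req);
    if (n > c->cap)
        n = c->cap;
    memcpy(c->data, req, n);
    c->rcurr  = c->data;
    c->rbytes = (int)n;
}

/* What memchr()'s size_t parameter receives when an int is passed:
 * a negative count silently becomes a huge length. */
size_t implicit_len(int rbytes)
{
    return (size_t)rbytes;
}

/* Accounting-bug stand-in (assumed, not memcached's conn_swallow): a
 * "discard n bytes" step that trusts a client-derived length and
 * decrements the counter without clamping it to what is buffered. */
void buggy_swallow(struct rbuf *c, int n)
{
    c->rbytes -= n;            /* goes negative when n > rbytes */
}

/* Clamped version: never consume more than is actually buffered. */
void fixed_swallow(struct rbuf *c, int n)
{
    int k = n;
    if (k > c->rbytes)
        k = c->rbytes;
    if (k < 0)
        k = 0;
    c->rcurr  += k;
    c->rbytes -= k;
}

/* Vulnerable pattern: only the exact-zero case returns early, so a negative
 * counter reaches memchr() as a huge size_t. Instead of performing the scan,
 * return 1 if that length exceeds the bytes left in the allocation. */
int vuln_scan_overreads(const struct rbuf *c)
{
    if (c->rbytes == 0)
        return 0;
    size_t avail = c->cap - (size_t)(c->rcurr - c->data);
    return implicit_len(c->rbytes) > avail;
}

/* Fixed pattern: any non-positive count means "nothing to parse", and the
 * length is bounded by the allocation before memchr() runs. */
const char *fixed_find_eol(const struct rbuf *c)
{
    if (c->rbytes <= 0)
        return NULL;
    size_t avail = c->cap - (size_t)(c->rcurr - c->data);
    size_t n = (size_t)c->rbytes;
    if (n > avail)
        n = avail;
    return memchr(c->rcurr, '\n', n);
}

/* End-to-end scenario: buffer a 7-byte command, then discard 9 bytes as a
 * rejected command with a bad length might request. Returns 1 only if the
 * buggy path would over-read while the fixed path refuses to scan. */
int run_scenario(void)
{
    struct rbuf c;
    rbuf_init(&c, "get k\r\n");               /* constructed request */
    if (fixed_find_eol(&c) != c.data + 6)     /* sane state: '\n' found */
        return 0;
    buggy_swallow(&c, 9);                     /* rbytes = 7 - 9 = -2 */
    int over = vuln_scan_overreads(&c);       /* (size_t)-2 > 64 bytes left */
    int safe = fixed_find_eol(&c) == NULL;    /* <= 0 guard stops the scan */
    return c.rbytes == -2 && over && safe;
}

/* The same oversized discard through the clamped swallow leaves a consistent
 * empty buffer instead of a negative counter. Returns 1 on success. */
int fixed_swallow_clamps(void)
{
    struct rbuf c;
    rbuf_init(&c, "get k\r\n");
    fixed_swallow(&c, 9);
    return c.rbytes == 0 && c.rcurr == c.data + 7;
}

int main(void)
{
    printf("(size_t)-2 as a memchr length: %zu\n", implicit_len(-2));
    printf("over-read scenario %s\n", run_scenario() ? "reproduced" : "not reproduced");
    printf("clamped swallow %s\n", fixed_swallow_clamps() ? "ok" : "broken");
    return 0;
}
```

In a real daemon the vulnerable variant would call memchr() with that converted length and read past the end of the heap block, which is the segmentation fault the advisory describes. Note that the fix needs both halves: the `<= 0` guard in the line scanner, and the clamp in the step that updates the counter, since a guard alone still leaves a corrupted counter for the next code path to trust.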
Comment 6
Lewis Smith
2017-11-28 11:20:22 CET
Keywords: (none) => advisory
CC: (none) => lewyssmith, stormi

Trying M6/64
Installing from issued repos 'memcached-1.4.25-2.mga6.x86_64'.
UPDATEd to: 'memcached-1.4.39-1.mga6'
Using the quick test given in https://bugs.mageia.org/show_bug.cgi?id=12156#c8 which (comment 5) needs also 'php-memcached'.
Problem: wrong output
$ php memcachedtest.php
[blank line, the final \n I suppose]
$
For reference:
$ cat memcachedtest.php
#!/bin/php
<?php
$m = new Memcached();
$m->addServer('127.0.0.1', 11211);
$m->set('test', 'my test data : SUCCESS');
echo $m->get('test') . "\n";
?>
I added the final '?>' line, but with or without it, the result was the same.
Tried adding also memcached-devel-1.4.39-1.mga6.x86_64, which made no difference.
Am I doing something silly? CCing Samuel [test author] in case he can advise.

Comment 7
Lewis Smith

Continuing M6/64
Downgraded memcached to PREupdate version 1.4.25-2, and got the same test non-result as above; so it is at least not due to the update.

Comment 8
Herman Viaene

@ Lewis: Copy of my test file that did OK:
#!/bin/php
<?php
$m = new Memcached();
$m->addServer('127.0.0.1', 11211);
$m->set('test', 'my test data : SUCCESS');
echo $m->get('test') . "\n";

Did you check the package php-memcached?

Comment 9
Lewis Smith

(In reply to Herman Viaene from comment #8)
> Did you check the package php-memcached?
Yes: php-memcached-2.2.0-2.mga6
I copied the script you gave above (which looked exactly the same as what I had); still no joy (here after the update):
memcached-1.4.39-1.mga6
$ ./memcachedtest.php
$
Will ask around.

Comment 10
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK

Installed and tested without issues.
System: Mageia 5, x86_64, Intel CPU.
$ php memcachetest.php
my test data : SUCCESS
$
$ cat memcachetest.php
<?php
$m = new Memcached();
$m->addServer('127.0.0.1', 11211);
$m->set('test', 'my test data : SUCCESS');
echo $m->get('test') . "\n";
$
$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$
$ rpm -qa | grep memcached | sort
lib64memcached11-1.0.17-6.mga5
memcached-1.4.39-1.mga5
php-memcached-2.2.0-0.0.RC1.4.mga5

Comment 11
Lewis Smith

(In reply to Lewis Smith from comment #9)
> $ ./memcachedtest.php
>
> $
This was not correct. It should have been (and was previously in c.6, and now):
$ php memcachedtest.php
$
@PC_LX: Thank you for confirming Mageia 5 x64.

Comment 12

In my comment I forgot to mention that the memcached must be installed and running. If memcached is not running then the test script memcachedtest.php will output nothing.
I used the following commands to install, enable, start and check the status of the memcached service.
# urpmi memcached
# systemctl enable memcached@11211
# systemctl start memcached@11211
# systemctl status memcached@11211

Comment 13
Lewis Smith
Keywords: (none) => validated_update

Brilliant! That is all it was. It had not occurred to me that a daemon was involved and might not be running; normally when daemons are installed, they are started.
Testing M6x64 post update: memcached-1.4.39-1.mga6
# systemctl enable memcached@11211
Created symlink /etc/systemd/system/memcached.target.wants/memcached@11211.service → /usr/lib/systemd/system/memcached@.service.
# systemctl start memcached@11211
# systemctl status memcached@11211
● memcached@11211.service - Memcached NoSQL key+value store on port 11211
   Loaded: loaded (/usr/lib/systemd/system/memcached@.service; enabled; vendor p
   Active: active (running) since Iau 2017-11-30 10:54:24 CET; 24s ago
...
$ php memcachedtest.php
my test data : SUCCESS
So thanks to PC_LX, a Mageia 6 OK. Validating.

Comment 14
Resolution: (none) => FIXED

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0441.html