Bug 25267

Summary: memcached new security issue CVE-2019-11596
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia, marja11, sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6TOO MGA7-64-OK MGA6-64-OK
Source RPM: memcached-1.5.10-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-08-11 21:02:13 CEST 
Ubuntu has issued an advisory on May 1:
https://usn.ubuntu.com/3963-1/

The issue is fixed upstream in 1.5.14.

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-11 21:02:20 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-11 22:26:55 CEST 
Assigning to our registered memcached maintainer.

CC: (none) => marja11
Assignee: bugsquad => mageia

Comment 2 Marc Krämer 2019-08-11 22:51:56 CEST 
Updated memcached packages fix security vulnerabilities:

In memcached before 1.5.14, a NULL pointer dereference was found in the
"lru mode" and "lru temp_ttl" commands. This causes a denial of service
when parsing crafted lru command messages in process_lru_command in
memcached.c.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11596
https://usn.ubuntu.com/usn/usn-3963-1
========================

Updated packages in core/updates_testing:
========================
mga6:
memcached-1.5.16-1.mga6
memcached-devel-1.5.16-1.mga6
memcached-debuginfo-1.5.16-1.mga6

mga7:
memcached-1.5.16-1.mga7
memcached-devel-1.5.16-1.mga7
memcached-debugsource-1.5.16-1.mga7
memcached-debuginfo-1.5.16-1.mga7

Source RPMs:
memcached-1.5.16-1.mga6.src.rpm
memcached-1.5.16-1.mga7.src.rpm

Assignee: mageia => qa-bugs

David Walser 2019-08-11 22:57:59 CEST

Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
CC: (none) => mageia

Comment 3 Len Lawrence 2019-08-28 18:49:06 CEST 
mga7, x86_64

Installed memcached and netcat.

Reproducer:
CVE-2019-11596
https://github.com/memcached/memcached/issues/474

Started memcached in a terminal then in another issued this command:
$ echo -n "bHJ1IG1vZGUKb7G0AGxydWRl6gdtTk9UXw==" | base64 -d | nc 127.0.0.1 11211

$ memcached
Segmentation fault (core dumped)

$ urpmq --whatrequires memcached
memcached
memcached-devel
sogo

Installed sogo and researched it online.  It is a groupware server so this goes no further.  Using the PoC as the sole test of this package.

Ran the update, ignoring the debug packages.
$ rpm -qa | grep memcached
memcached-1.5.16-1.mga7
lib64memcached11-1.0.18-5.mga7
memcached-devel-1.5.16-1.mga7

Started memcached in a terminal.
In another terminal:
$ echo -n "bHJ1IG1vZGUKb7G0AGxydWRl6gdtTk9UXw==" | base64 -d | nc 127.0.0.1 11211
ERROR
Ctrl-C
$
memcached continued running.

Clean update and evidence that the patch works.

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
CC: (none) => tarazed25

Comment 4 Len Lawrence 2019-08-28 19:22:29 CEST 
mga6, x86_64

Installed memcached and memcached-devel.
Executed the PoC exactly as in comment 3 with the expected result - memcached segfaulted.

After the update the PoC generated an ERROR message at the client end and memcached continued running.
$ rpm -qa | grep memcached
memcached-devel-1.5.16-1.mga6
memcached-1.5.16-1.mga6

Good for 64bits.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK

Thomas Backlund 2019-08-31 12:57:58 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 5 Mageia Robot 2019-08-31 15:24:20 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0232.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED