Hi

Attached is a preliminary debdiff for fixing both issues.

Regards,
Salvatore
diff -Nru memcached-1.4.13/debian/changelog memcached-1.4.13/debian/changelog
--- memcached-1.4.13/debian/changelog	2013-01-23 21:22:12.000000000 +0100
+++ memcached-1.4.13/debian/changelog	2013-12-30 17:58:45.000000000 +0100
@@ -1,3 +1,15 @@
+memcached (1.4.13-0.3) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add 06_CVE-2011-4971.patch patch.
+    CVE-2011-4971: Fix remote denial of service. Sending a specially
+    crafted packet cause memcached to segfault. (Closes: #706426)
+  * Add 07_CVE-2013-7239.patch patch.
+    CVE-2013-7239: SASL authentication allows wrong credentials to access
+    memcache. (Closes: #733643)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Mon, 30 Dec 2013 17:47:44 +0100
+
 memcached (1.4.13-0.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch
--- memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch	1970-01-01 01:00:00.000000000 +0100
+++ memcached-1.4.13/debian/patches/06_CVE-2011-4971.patch	2013-12-30 17:58:45.000000000 +0100
@@ -0,0 +1,54 @@
+Description: Fix segfault on specially crafted packet
+ CVE-2011-4971: remote denial of service
+Origin: upstream, http://github.com/memcached/memcached/commit/6695ccbc525c36d693aaa3e8337b36aa0c784424
+Bug: https://code.google.com/p/memcached/issues/detail?id=192
+Bug-Debian: http://bugs.debian.org/706426
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=957964
+Forwarded: not-needed
+Author: Huzaifa Sidhpurwala <huzai...@redhat.com>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-12-29
+Applied-Upstream: 1.4.16
+
+--- a/memcached.c
++++ b/memcached.c
+@@ -3874,6 +3874,16 @@
+                 complete_nread(c);
+                 break;
+             }
++
++            /* Check if rbytes < 0, to prevent crash */
++            if (c->rlbytes < 0) {
++                if (settings.verbose) {
++                    fprintf(stderr, "Invalid rlbytes to read: len %d\n", c->rlbytes);
++                }
++                conn_set_state(c, conn_closing);
++                break;
++            }
++
+             /* first check if we have leftovers in the conn_read buffer */
+             if (c->rbytes > 0) {
+                 int tocopy = c->rbytes > c->rlbytes ? c->rlbytes : c->rbytes;
+--- /dev/null
++++ b/t/issue_192.t
+@@ -0,0 +1,20 @@
++#!/usr/bin/perl
++
++use strict;
++use Test::More tests => 2;
++use FindBin qw($Bin);
++use lib "$Bin/lib";
++use MemcachedTest;
++
++my $server = new_memcached();
++my $sock = $server->sock;
++
++ok($server->new_sock, "opened new socket");
++
++print $sock "\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
++
++sleep 0.5;
++ok($server->new_sock, "failed to open new socket");
++
++
++
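Review bot: In t/issue_192.t, `sleep 0.5;` calls Perl's built-in sleep, which works in whole seconds and truncates 0.5 to 0, so the second `new_sock` check can run before the server has processed the crafted header and the test may pass even on an unpatched build. Adding `use Time::HiRes qw(sleep);` to the `use` lines makes the delay real. The second assertion's label, "failed to open new socket", is printed when the connection succeeds; `ok($server->new_sock, "server still accepts connections after malformed packet");` states what is being verified. In the memcached.c hunk the comment says `rbytes < 0` while the condition tests `c->rlbytes`; it should read `/* Check if rlbytes < 0, to prevent crash */`. That guard sits at the point of use and the enclosing function starts and ends outside the hunk, so whether the negative length could instead be rejected where it is computed cannot be judged from here.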
diff -Nru memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch
--- memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch	1970-01-01 01:00:00.000000000 +0100
+++ memcached-1.4.13/debian/patches/07_CVE-2013-7239.patch	2013-12-30 17:58:45.000000000 +0100
@@ -0,0 +1,122 @@
+Description: CVE-2013-7239: SASL authentication allows wrong credentials to access memcache
+ It was previously possible to bypass authentication due to implicit
+ state management.  Now we explicitly consider ourselves
+ unauthenticated on any new connections and authentication attempts.
+Origin: upstream, https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32
+Bug: https://code.google.com/p/memcached/issues/detail?id=316
+Bug-Debian: http://bugs.debian.org/733643
+Forwarded: not-needed
+Last-Update: 2013-12-30
+Applied-Upstream: 1.4.17
+
+--- a/memcached.c
++++ b/memcached.c
+@@ -442,6 +442,7 @@
+     c->iovused = 0;
+     c->msgcurr = 0;
+     c->msgused = 0;
++    c->authenticated = false;
+ 
+     c->write_and_go = init_state;
+     c->write_and_free = 0;
+@@ -1602,6 +1603,8 @@
+     if (!settings.sasl)
+         return;
+ 
++    c->authenticated = false;
++
+     if (!c->sasl_conn) {
+         int result=sasl_server_new("memcached",
+                                    NULL,
+@@ -1736,6 +1739,7 @@
+ 
+     switch(result) {
+     case SASL_OK:
++        c->authenticated = true;
+         write_bin_response(c, "Authenticated", 0, 0, strlen("Authenticated"));
+         pthread_mutex_lock(&c->thread->stats.mutex);
+         c->thread->stats.auth_cmds++;
+@@ -1772,11 +1776,7 @@
+         rv = true;
+         break;
+     default:
+-        if (c->sasl_conn) {
+-            const void *uname = NULL;
+-            sasl_getprop(c->sasl_conn, SASL_USERNAME, &uname);
+-            rv = uname != NULL;
+-        }
++        rv = c->authenticated;
+     }
+ 
+     if (settings.verbose > 1) {
+--- a/memcached.h
++++ b/memcached.h
+@@ -367,6 +367,7 @@
+ struct conn {
+     int    sfd;
+     sasl_conn_t *sasl_conn;
++    bool authenticated;
+     enum conn_states  state;
+     enum bin_substates substate;
+     struct event event;
+--- a/t/binary-sasl.t
++++ b/t/binary-sasl.t
+@@ -13,7 +13,7 @@
+ 
+ if (supports_sasl()) {
+     if ($ENV{'RUN_SASL_TESTS'}) {
+-        plan tests => 25;
++        plan tests => 33;
+     } else {
+         plan skip_all => 'Skipping SASL tests';
+         exit 0;
+@@ -229,6 +229,38 @@
+ }
+ $empty->('x');
+ 
++{
++    my $mc = MC::Client->new;
++
++    # Attempt bad authentication.
++    is ($mc->authenticate('testuser', 'wrongpassword'), 0x20, "bad auth");
++
++    # This should fail because $mc is not authenticated
++    my ($status, $val)= $mc->set('x', "somevalue");
++    ok($status, "this fails to authenticate");
++    cmp_ok($status,'==',ERR_AUTH_ERROR, "error code matches");
++}
++$empty->('x', 'somevalue');
++
++{
++    my $mc = MC::Client->new;
++
++    # Attempt bad authentication.
++    is ($mc->authenticate('testuser', 'wrongpassword'), 0x20, "bad auth");
++
++    # Mix an authenticated connection and an unauthenticated connection to
++    # confirm c->authenticated is not shared among connections
++    my $mc2 = MC::Client->new;
++    is ($mc2->authenticate('testuser', 'testpass'), 0, "authenticated");
++    my ($status, $val)= $mc2->set('x', "somevalue");
++    ok(! $status);
++
++    # This should fail because $mc is not authenticated
++    ($status, $val)= $mc->set('x', "somevalue");
++    ok($status, "this fails to authenticate");
++    cmp_ok($status,'==',ERR_AUTH_ERROR, "error code matches");
++}
++
+ # check the SASL stats, make sure they track things correctly
+ # note: the enabled or not is presence checked in stats.t
+ 
+@@ -241,8 +273,8 @@
+ 
+ {
+     my %stats = $mc->stats('');
+-    is ($stats{'auth_cmds'}, 2, "auth commands counted");
+-    is ($stats{'auth_errors'}, 1, "auth errors correct");
++    is ($stats{'auth_cmds'}, 5, "auth commands counted");
++    is ($stats{'auth_errors'}, 3, "auth errors correct");
+ }
+ 
+ 
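Review bot: The new cases in t/binary-sasl.t only cover a failed login on a fresh connection; nothing exercises a connection that authenticates successfully and then sends a failed authentication. That is the path the `c->authenticated = false;` reset in the `@@ -1602` hunk appears to protect, although its caller is outside the hunk, so this is inferred from the patch description. A block like the one below, placed before the stats check, would pin that a failed re-authentication returns the connection to the unauthenticated state; the `plan tests` count and the `auth_cmds`/`auth_errors` expectations would have to be raised to match. Separately, `ok(! $status);` in the second new block has no description, e.g. `ok(! $status, "authenticated set succeeds");`.

```perl
{
    my $mc = MC::Client->new;

    # Authenticate, then fail a second attempt on the same connection.
    is ($mc->authenticate('testuser', 'testpass'), 0, "authenticated");
    is ($mc->authenticate('testuser', 'wrongpassword'), 0x20, "bad re-auth");

    # The earlier success must not survive the failed attempt.
    my ($status, $val) = $mc->set('x', "somevalue");
    cmp_ok($status, '==', ERR_AUTH_ERROR, "failed re-auth revokes access");
}

# … unchanged: check the SASL stats …
```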
diff -Nru memcached-1.4.13/debian/patches/series memcached-1.4.13/debian/patches/series
--- memcached-1.4.13/debian/patches/series	2013-01-20 15:51:34.000000000 +0100
+++ memcached-1.4.13/debian/patches/series	2013-12-30 17:58:45.000000000 +0100
@@ -3,3 +3,5 @@
 03_fix_ftbfs4hurd.patch
 04_add_init_retry.patch
 05_fix-buffer-overrun_when_logging_keys.patch
+06_CVE-2011-4971.patch
+07_CVE-2013-7239.patch
