Hi,

The following diff fixes CVE-2011-4971 and CVE-2013-0179 for 5.4-STABLE.
They are respectively fixed in Memcached 1.4.16 and 1.4.17 upstream, but
I'm avoiding the update here because I'm targeting -STABLE, and 1.4.15
made things "more experimental" so 1.4.17 might not be ready yet.

These fixes come from Debian Wheezy, which applied them for
Memcached 1.4.13.  Debian also has a patch for CVE-2013-7239, but this
is for SASL which isn't enabled here.

Some links from upstream:
    https://code.google.com/p/memcached/issues/detail?id=192
    https://code.google.com/p/memcached/issues/detail?id=306

The diff probably applies cleanly for -current as well (MASTER_SITES was
the only change AFAICS).

Index: Makefile
===================================================================
RCS file: /cvs/ports/misc/memcached/Makefile,v
retrieving revision 1.22
diff -u -p -r1.22 Makefile
--- Makefile    25 Apr 2013 21:33:21 -0000      1.22
+++ Makefile    2 Jan 2014 16:14:48 -0000
@@ -2,8 +2,8 @@
 
 COMMENT=       distributed memory object caching system
 
-DISTNAME =     memcached-1.4.14
-REVISION =     0
+DISTNAME=      memcached-1.4.14
+REVISION=      1
 CATEGORIES=    misc
 
 HOMEPAGE=      http://www.memcached.org/
Index: patches/patch-items_c
===================================================================
RCS file: /cvs/ports/misc/memcached/patches/patch-items_c,v
retrieving revision 1.5
diff -u -p -r1.5 patch-items_c
--- patches/patch-items_c       25 Apr 2013 21:33:21 -0000      1.5
+++ patches/patch-items_c       2 Jan 2014 16:14:48 -0000
@@ -1,6 +1,11 @@
 $OpenBSD: patch-items_c,v 1.5 2013/04/25 21:33:21 sthen Exp $
---- items.c.orig       Thu Apr 25 22:31:03 2013
-+++ items.c    Thu Apr 25 22:31:47 2013
+
+printf format string fix for long long time_t
+
+and fix buffer-overrun when logging keys (CVE-2013-0179)
+
+--- items.c.orig       Mon Jul 30 22:23:37 2012
++++ items.c    Thu Jan  2 17:02:16 2014
 @@ -389,9 +389,9 @@ char *do_item_cachedump(const unsigned int slabs_clsid
          /* Copy the key since it may not be null-terminated in the struct */
          strncpy(key_temp, ITEM_key(it), it->nkey);
@@ -13,3 +18,23 @@ $OpenBSD: patch-items_c,v 1.5 2013/04/25
          if (bufcurr + len + 6 > memlimit)  /* 6 is END\r\n\0 */
              break;
          memcpy(buffer + bufcurr, temp, len);
+@@ -510,9 +510,17 @@ item *do_item_get(const char *key, const size_t nkey, 
+ 
+     if (settings.verbose > 2) {
+         if (it == NULL) {
+-            fprintf(stderr, "> NOT FOUND %s", key);
++            int ii;
++            fprintf(stderr, "> NOT FOUND ");
++            for (ii = 0; ii < nkey; ++ii) {
++                fprintf(stderr, "%c", key[ii]);
++            }
+         } else {
+-            fprintf(stderr, "> FOUND KEY %s", ITEM_key(it));
++            int ii;
++            fprintf(stderr, "> FOUND KEY ");
++            for (ii = 0; ii < it->nkey; ++ii) {
++                fprintf(stderr, "%c", ITEM_key(it)[ii]);
++            }
+             was_found++;
+         }
+     }
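Review bot: The new loop counter `int ii` is compared against `nkey`, which the inner hunk header shows as `const size_t nkey`, so this compiles with a signed/unsigned comparison warning; the same pattern is added in the process_bin_delete hunk of patch-memcached_c. Declaring `size_t ii;` fixes it, or the loop can go entirely in favour of `fwrite(key, 1, nkey, stderr);` (and `fwrite(ITEM_key(it), 1, it->nkey, stderr);` in the else branch), which writes the unterminated key in one call instead of one fprintf per byte. The per-byte output is behind `settings.verbose > 2`, so the cost only shows in debug runs. do_item_get continues outside the hunk.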
Index: patches/patch-memcached_c
===================================================================
RCS file: patches/patch-memcached_c
diff -N patches/patch-memcached_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-memcached_c   2 Jan 2014 16:14:48 -0000
@@ -0,0 +1,39 @@
+$OpenBSD$
+
+buffer-overrun when logging keys (CVE-2013-0179)
+
+and fix segfault on specially crafted packet (CVE-2011-4971)
+
+--- memcached.c.orig   Mon Jul 30 22:26:47 2012
++++ memcached.c        Thu Jan  2 16:59:32 2014
+@@ -2149,7 +2149,12 @@ static void process_bin_delete(conn *c) {
+     assert(c != NULL);
+ 
+     if (settings.verbose > 1) {
+-        fprintf(stderr, "Deleting %s\n", key);
++        int ii;
++        fprintf(stderr, "Deleting ");
++        for (ii = 0; ii < nkey; ++ii) {
++            fprintf(stderr, "%c", key[ii]);
++        }
++        fprintf(stderr, "\n");
+     }
+ 
+     if (settings.detail_enabled) {
+@@ -3863,6 +3868,16 @@ static void drive_machine(conn *c) {
+                 complete_nread(c);
+                 break;
+             }
++
++            /* Check if rbytes < 0, to prevent crash */
++            if (c->rlbytes < 0) {
++                if (settings.verbose) {
++                    fprintf(stderr, "Invalid rlbytes to read: len %d\n", 
c->rlbytes);
++                }
++                conn_set_state(c, conn_closing);
++                break;
++            }
++
+             /* first check if we have leftovers in the conn_read buffer */
+             if (c->rbytes > 0) {
+                 int tocopy = c->rbytes > c->rlbytes ? c->rlbytes : c->rbytes;
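Review bot: The line `fprintf(stderr, "Invalid rlbytes to read: len %d\n",` in the drive_machine hunk appears to have been wrapped by the mail client — its continuation `c->rlbytes);` carries neither the outer `+` marker nor the inner `+` prefix — so the port patch will not apply as posted until that line is rejoined. The comment above the new check reads `/* Check if rbytes < 0, to prevent crash */` while the condition tests `c->rlbytes`; `/* Reject a negative rlbytes before it reaches the read path, to prevent a crash */` matches the code. In process_bin_delete, `int ii` is again compared with `nkey` (presumably `size_t` as in do_item_get); `fwrite(key, 1, nkey, stderr);` replaces the loop in one line. drive_machine and process_bin_delete both continue outside the hunk.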
Index: patches/patch-t_issue_192_t
===================================================================
RCS file: patches/patch-t_issue_192_t
diff -N patches/patch-t_issue_192_t
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-t_issue_192_t 2 Jan 2014 16:14:48 -0000
@@ -0,0 +1,27 @@
+$OpenBSD$
+
+Test case for CVE-2011-4971
+
+--- t/issue_192.t.orig Thu Jan  2 16:48:36 2014
++++ t/issue_192.t      Thu Jan  2 16:48:36 2014
+@@ -0,0 +1,20 @@
++#!/usr/bin/perl
++
++use strict;
++use Test::More tests => 2;
++use FindBin qw($Bin);
++use lib "$Bin/lib";
++use MemcachedTest;
++
++my $server = new_memcached();
++my $sock = $server->sock;
++
++ok($server->new_sock, "opened new socket");
++
++print $sock 
"\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
++
++sleep 0.5;
++ok($server->new_sock, "failed to open new socket");
++
++
++
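Review bot: `sleep 0.5;` in the new test is a no-op — Perl's built-in `sleep` takes whole seconds and truncates the argument to 0 — so the second `ok` runs immediately after the crafted packet is written and may pass before the server has even read it; `select(undef, undef, undef, 0.5);` or `use Time::HiRes qw(sleep);` gives the intended pause. The description on that assertion, `"failed to open new socket"`, names the failure case although `ok` is asserting success; `"server still accepts connections after crafted packet"` reads correctly in TAP output. The `print $sock` line also looks mail-wrapped, since its continuation has no `+` prefix, and the script has `use strict;` but no `use warnings;`.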
