Hi, The following diff fixes CVE-2011-4971 and CVE-2013-0179 for 5.4-STABLE. They are respectively fixed in Memcached 1.4.16 and 1.4.17 upstream, but I'm avoiding the update here because I'm targeting -STABLE, and 1.4.15 made things "more experimental" so 1.4.17 might not be ready yet.
These fixes come from Debian Wheezy, which applied them for Memcached 1.4.13. Debian also has a patch for CVE-2013-7239, but this is for SASL which isn't enabled here. Some links from upstream: https://code.google.com/p/memcached/issues/detail?id=192 https://code.google.com/p/memcached/issues/detail?id=306 The diff probably applies cleanly for -current as well (MASTER_SITES was the only change AFAICS).
Index: Makefile
===================================================================
RCS file: /cvs/ports/misc/memcached/Makefile,v
retrieving revision 1.22
diff -u -p -r1.22 Makefile
--- Makefile 25 Apr 2013 21:33:21 -0000 1.22
+++ Makefile 2 Jan 2014 16:14:48 -0000
@@ -2,8 +2,8 @@
 COMMENT= distributed memory object caching system
-DISTNAME = memcached-1.4.14
-REVISION = 0
+DISTNAME= memcached-1.4.14
+REVISION= 1
 CATEGORIES= misc
 HOMEPAGE= http://www.memcached.org/
Index: patches/patch-items_c
===================================================================
RCS file: /cvs/ports/misc/memcached/patches/patch-items_c,v
retrieving revision 1.5
diff -u -p -r1.5 patch-items_c
--- patches/patch-items_c 25 Apr 2013 21:33:21 -0000 1.5
+++ patches/patch-items_c 2 Jan 2014 16:14:48 -0000
@@ -1,6 +1,11 @@
 $OpenBSD: patch-items_c,v 1.5 2013/04/25 21:33:21 sthen Exp $
---- items.c.orig Thu Apr 25 22:31:03 2013
-+++ items.c Thu Apr 25 22:31:47 2013
+
+printf format string fix for long long time_t
+
+and fix buffer-overrun when logging keys (CVE-2013-0179)
+
+--- items.c.orig Mon Jul 30 22:23:37 2012
++++ items.c Thu Jan 2 17:02:16 2014
 @@ -389,9 +389,9 @@ char *do_item_cachedump(const unsigned int slabs_clsid
 /* Copy the key since it may not be null-terminated in the struct */
 strncpy(key_temp, ITEM_key(it), it->nkey);
@@ -13,3 +18,23 @@ $OpenBSD: patch-items_c,v 1.5 2013/04/25
 if (bufcurr + len + 6 > memlimit) /* 6 is END\r\n\0 */
 break;
 memcpy(buffer + bufcurr, temp, len);
+@@ -510,9 +510,17 @@ item *do_item_get(const char *key, const size_t nkey,
+
+ if (settings.verbose > 2) {
+ if (it == NULL) {
+- fprintf(stderr, "> NOT FOUND %s", key);
++ int ii;
++ fprintf(stderr, "> NOT FOUND ");
++ for (ii = 0; ii < nkey; ++ii) {
++ fprintf(stderr, "%c", key[ii]);
++ }
+ } else {
+- fprintf(stderr, "> FOUND KEY %s", ITEM_key(it));
++ int ii;
++ fprintf(stderr, "> FOUND KEY ");
++ for (ii = 0; ii < it->nkey; ++ii) {
++ fprintf(stderr, "%c", ITEM_key(it)[ii]);
++ }
+ was_found++;
+ }
+ }
Index: patches/patch-memcached_c
===================================================================
RCS file: patches/patch-memcached_c
diff -N patches/patch-memcached_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-memcached_c 2 Jan 2014 16:14:48 -0000
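Review bot: In the do_item_get hunk the new loops index with `int ii` but bound it by `nkey`, which the inner hunk header shows as `const size_t nkey` (and by `it->nkey` in the else branch), so both comparisons are signed/unsigned and -Wsign-compare will flag them; one fprintf call per key byte is also needless when the length is already known. Each branch reduces to a single bounded write, `fwrite(key, 1, nkey, stderr);` and `fwrite(ITEM_key(it), 1, it->nkey, stderr);`, which also removes the two `int ii` declarations. Either way the key bytes are written to stderr unescaped; since the key is length-delimited and presumably not restricted to printable characters, anything that consumes this log should treat the key as untrusted bytes rather than text. do_item_get's body starts before and ends after this hunk.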
@@ -0,0 +1,39 @@
+$OpenBSD$
+
+buffer-overrun when logging keys (CVE-2013-0179)
+
+and fix segfault on specially crafted packet (CVE-2011-4971)
+
+--- memcached.c.orig Mon Jul 30 22:26:47 2012
++++ memcached.c Thu Jan 2 16:59:32 2014
+@@ -2149,7 +2149,12 @@ static void process_bin_delete(conn *c) {
+ assert(c != NULL);
+
+ if (settings.verbose > 1) {
+- fprintf(stderr, "Deleting %s\n", key);
++ int ii;
++ fprintf(stderr, "Deleting ");
++ for (ii = 0; ii < nkey; ++ii) {
++ fprintf(stderr, "%c", key[ii]);
++ }
++ fprintf(stderr, "\n");
+ }
+
+ if (settings.detail_enabled) {
+@@ -3863,6 +3868,16 @@ static void drive_machine(conn *c) {
+ complete_nread(c);
+ break;
+ }
++
++ /* Check if rbytes < 0, to prevent crash */
++ if (c->rlbytes < 0) {
++ if (settings.verbose) {
++ fprintf(stderr, "Invalid rlbytes to read: len %d\n", c->rlbytes);
++ }
++ conn_set_state(c, conn_closing);
++ break;
++ }
++
+ /* first check if we have leftovers in the conn_read buffer */
+ if (c->rbytes > 0) {
+ int tocopy = c->rbytes > c->rlbytes ? c->rlbytes : c->rbytes;
Index: patches/patch-t_issue_192_t
===================================================================
RCS file: patches/patch-t_issue_192_t
diff -N patches/patch-t_issue_192_t
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-t_issue_192_t 2 Jan 2014 16:14:48 -0000
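Review bot: The new guard in drive_machine tests `c->rlbytes` while its comment says `rbytes`; those are different fields (the `int tocopy` line right after the guard uses both), so the comment should read `/* Reject a negative rlbytes before it reaches tocopy and the copy below */`. The check is well placed as a last line of defence, because a negative rlbytes would otherwise be chosen as `tocopy` and fed to the copy that follows. What this hunk does not show is where rlbytes became negative; if it is derived from the binary header's bodylen minus key and extras lengths in the update handler, that same value is presumably also handed to item allocation before the state machine reaches this state, which is worth confirming rather than relying on this check alone. In process_bin_delete the per-byte loop can be a single bounded write, `fwrite(key, 1, nkey, stderr);`. Both modified functions start and end outside this hunk.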
@@ -0,0 +1,27 @@
+$OpenBSD$
+
+Test case for CVE-2011-4971
+
+--- t/issue_192.t.orig Thu Jan 2 16:48:36 2014
++++ t/issue_192.t Thu Jan 2 16:48:36 2014
+@@ -0,0 +1,20 @@
++#!/usr/bin/perl
++
++use strict;
++use Test::More tests => 2;
++use FindBin qw($Bin);
++use lib "$Bin/lib";
++use MemcachedTest;
++
++my $server = new_memcached();
++my $sock = $server->sock;
++
++ok($server->new_sock, "opened new socket");
++
++print $sock "\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
++
++sleep 0.5;
++ok($server->new_sock, "failed to open new socket");
++
++
++
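Review bot: `sleep 0.5` calls Perl's builtin sleep, which takes whole seconds and therefore waits zero seconds here, so the second `ok($server->new_sock, ...)` races the server's crash and can pass before an unpatched process has died; `select(undef, undef, undef, 0.5);` gives the intended sub-second pause without another module. The description string `"failed to open new socket"` is misleading because `ok()` passes when new_sock succeeds; `"server still accepts connections after crafted packet"` states what is actually asserted. Note the test only checks that a new connection can be opened afterwards, not how the crafted request (opcode 0x12 with bodylen 0xffffffe8) was answered on the first socket, which is fine for a regression test of the segfault but does not pin the error response.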