
group.of.nepali.translators team mailing list archive

[Bug 1573594] Re: Missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS response handling

 

** Also affects: libmemcached (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: libmemcached (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: libmemcached (Ubuntu Disco)
   Importance: Undecided
     Assignee: Ioanna Alifieraki (joalif)
       Status: In Progress

** Also affects: libmemcached (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: libmemcached (Ubuntu Xenial)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1573594

Title:
  Missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS
  response handling

Status in libmemcached:
  New
Status in libmemcached package in Ubuntu:
  In Progress
Status in libmemcached source package in Trusty:
  In Progress
Status in libmemcached source package in Xenial:
  In Progress
Status in libmemcached source package in Bionic:
  In Progress
Status in libmemcached source package in Cosmic:
  In Progress
Status in libmemcached source package in Disco:
  In Progress

Bug description:
  When connecting to a server using SASL,
  memcached_sasl_authenticate_connection() reads the list of supported
  mechanisms [1] from the server via the command
  PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string
  containing supported authentication mechanisms, which gets stored into
  the (uninitialized) destination buffer without null termination [2].

  The buffer then gets passed to sasl_client_start [3] which treats it
  as a null-terminated string [4], reading uninitialized bytes in the
  buffer.

  As the buffer lives on the stack, an attacker who can put strings on
  the stack before the connection is made might be able to tamper
  with the authentication.

  [1] libmemcached/sasl.cc:174
  [2] libmemcached/response.cc:619
  [3] libmemcached/sasl.cc:231
  [4] http://linux.die.net/man/3/sasl_client_start

To manage notifications about this bug go to:
https://bugs.launchpad.net/libmemcached/+bug/1573594/+subscriptions
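
Added example, not part of the bug report and not libmemcached code: a minimal C model of the pattern described above, where a length-delimited response body is copied into a buffer that is later read as a C string. The function names, buffer size and the stale bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bug pattern: copy a length-delimited body as received, no terminator. */
static int copy_body_unterminated(char *dst, size_t dst_len,
                                  const char *body, size_t body_len)
{
    if (body_len > dst_len)
        return -1;
    memcpy(dst, body, body_len);
    return 0;
}

/* Hardened form: reserve one byte and always terminate. */
static int copy_body_terminated(char *dst, size_t dst_len,
                                const char *body, size_t body_len)
{
    if (dst_len == 0 || body_len >= dst_len)
        return -1;              /* no room for the terminator */
    memcpy(dst, body, body_len);
    dst[body_len] = '\0';
    return 0;
}

/* Length a C-string consumer sees after the copy, or (size_t)-1 on error. */
static size_t seen_length(int hardened)
{
    /* Constructed wire body: 8 bytes, no NUL, as in a length-prefixed reply. */
    static const char body[8] = {'C','R','A','M','-','M','D','5'};
    /* Constructed stale bytes standing in for earlier stack contents. */
    static const char stale[] = "XXXXXXXX STALE-DATA";
    char buf[64];
    int rc;

    memset(buf, 0, sizeof buf);
    memcpy(buf, stale, sizeof stale);
    rc = hardened ? copy_body_terminated(buf, sizeof buf, body, sizeof body)
                  : copy_body_unterminated(buf, sizeof buf, body, sizeof body);
    return rc == 0 ? strlen(buf) : (size_t)-1;
}

int main(void)
{
    printf("unterminated: %zu bytes seen\n", seen_length(0));
    printf("terminated:   %zu bytes seen\n", seen_length(1));
    return 0;
}
```

The demo pre-fills the buffer so the read stays defined; with a truly uninitialized stack buffer, the bytes after the body are whatever earlier calls left there.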