sts-sponsors team mailing list archive

Thread
Date

[Bug 1573594] [NEW] Missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS response handling

To: sts-sponsors@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1573594@xxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Jan 2019 18:14:56 -0000
Reply-to: Bug 1573594 <1573594@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Ioanna Alifieraki (joalif):

[Impact]

When connecting to a server using SASL,
memcached_sasl_authenticate_connection() reads the list of supported
mechanisms [1] from the server via the command
PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string
containing supported authentication mechanisms, which gets stored into
the (uninitialized) destination buffer without null termination [2].

The buffer then gets passed to sasl_client_start [3] which treats it as
a null-terminated string [4], reading uninitialised bytes in the buffer.

As the buffer lives on the stack, an attacker that can put strings on
the stack before the connection gets made, might be able to tamper with
the authentication.

[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[1] libmemcached/sasl.cc:231
[3] http://linux.die.net/man/3/sasl_client_start


[Test Case]

There is no known reliable reproducer.


[Regression Potential]

This fix initialises the buffer to 0.
Any potential regression may include failure of the authentication when using SASL.


[Other Info]

This bug affects trusty and later.

** Affects: libmemcached
     Importance: Undecided
         Status: New

** Affects: libmemcached (Ubuntu)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: In Progress

** Affects: libmemcached (Ubuntu Trusty)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: In Progress

** Affects: libmemcached (Ubuntu Xenial)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: In Progress

** Affects: libmemcached (Ubuntu Bionic)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: In Progress

** Affects: libmemcached (Ubuntu Cosmic)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: In Progress

** Affects: libmemcached (Ubuntu Disco)
     Importance: Medium
     Assignee: Ioanna Alifieraki (joalif)
         Status: In Progress


** Tags: sts sts-sponsor
-- 
Missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS response handling
https://bugs.launchpad.net/bugs/1573594
You received this bug notification because you are a member of STS Sponsors, which is subscribed to the bug report.