sts-sponsors team mailing list archive
Message #00953
[Bug 1573594] Re: Missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS response handling
Hi @joalif,
a couple of changes are needed in the debdiffs, please:
1) the patch "debian/patches/fix_missing_null_termination" has no suffix...
not a major problem but convention is to suffix it with ".diff" or ".patch"
2) The line in your patch:
+ * Fix missing null terminated buffer. Closes: #853497.
should be removed; the text is redundant with the line above it, and the
patch doesn't actually fix Debian bug 853497 (as far as I can tell, at
least). Also, Ubuntu debdiffs shouldn't include Debian-specific Closes:
tags...which leads to:
3) Your changelog entry contains "(Closes: #1573594)", but Ubuntu uses
"(LP: #NNNNNN)" tag formatting. Please change your changelog entry to
include "(LP: #1573594)" instead.
4) All your debdiffs include the same package version: 1.0.18-4.2ubuntu1
This is a tricky point of pkg versioning; since they are currently
identical in multiple releases, it's best to use a release-specific
version number for each of the SRU releases, and only use the "ubuntu1"
suffix for the development (i.e. disco) release.
Specifically to clarify:
release   current version   new version
Xenial    1.0.18-4.1        1.0.18-4.1ubuntu1
Bionic    1.0.18-4.2        1.0.18-4.2ubuntu0.18.04.1
Cosmic    1.0.18-4.2        1.0.18-4.2ubuntu0.18.10.1
Disco     1.0.18-4.2        1.0.18-4.2ubuntu1
I can make the changes to the debdiffs you already uploaded if you want,
or please upload new debdiffs with the recommended changes.
Thanks!
** Tags removed: sts-sponsor
** Tags added: sts-sponsor-ddstreet
--
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1573594
Title:
Missing null termination in PROTOCOL_BINARY_CMD_SASL_LIST_MECHS
response handling
Status in libmemcached:
New
Status in libmemcached package in Ubuntu:
In Progress
Status in libmemcached source package in Trusty:
In Progress
Status in libmemcached source package in Xenial:
In Progress
Status in libmemcached source package in Bionic:
In Progress
Status in libmemcached source package in Cosmic:
In Progress
Status in libmemcached source package in Disco:
In Progress
Bug description:
[Impact]
When connecting to a server using SASL,
memcached_sasl_authenticate_connection() reads the list of supported
mechanisms [1] from the server via the command
PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string
containing supported authentication mechanisms, which gets stored into
the (uninitialized) destination buffer without null termination [2].
The buffer then gets passed to sasl_client_start [3] which treats it
as a null-terminated string [4], reading uninitialised bytes in the
buffer.
As the buffer lives on the stack, an attacker who can put strings on
the stack before the connection is made might be able to tamper
with the authentication.
[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[3] libmemcached/sasl.cc:231
[4] http://linux.die.net/man/3/sasl_client_start
[Test Case]
There is no known reliable reproducer.
[Regression Potential]
This fix initialises the buffer to 0.
Any potential regression may include failure of the authentication when using SASL.
[Other Info]
This bug affects trusty and later.
To manage notifications about this bug go to:
https://bugs.launchpad.net/libmemcached/+bug/1573594/+subscriptions
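The failure mode in the bug description, as an added example that is not libmemcached's code and not part of the original report: a constructed response handler that copies the mechanism list into a caller's stack buffer without a terminator, a stand-in for the sasl_client_start() side that walks the buffer as a C string, and the zero-initialised, bounded version beside it. The buffer size, the function names, the 14-byte wire response and the "stale" stack bytes are all assumptions made for this example. Real stack reuse is not reproducible, so the leftover bytes an earlier call might have left behind are planted explicitly.

```c
#include <stdio.h>
#include <string.h>

/* Size of the caller's stack buffer for the mechanism list (an assumption
 * made for this example, not libmemcached's actual size). */
#define MECH_BUF 64

/* Constructed SASL_LIST_MECHS response body as it arrives on the wire:
 * mechanism names, space separated, with no terminating NUL. */
static const char wire_mechs[] = { 'P','L','A','I','N',' ',
                                   'C','R','A','M','-','M','D','5' };

/* Vulnerable pattern: copy the body into the caller's buffer and write no
 * terminator, so whatever already sat in the buffer follows the real list. */
static void read_mechs_unterminated(char *dst, size_t dstlen,
                                    const char *body, size_t bodylen)
{
    if (bodylen > dstlen)
        bodylen = dstlen;
    memcpy(dst, body, bodylen);
}

/* Hardened pattern: zero the buffer first (the fix the report describes)
 * and additionally refuse a body that would leave no room for the NUL, so
 * the consumer never reads past the bytes the server actually sent.
 * Returns 0 on success, -1 if the body does not fit. */
static int read_mechs_terminated(char *dst, size_t dstlen,
                                 const char *body, size_t bodylen)
{
    if (dstlen == 0)
        return -1;
    memset(dst, 0, dstlen);
    if (bodylen >= dstlen)
        return -1;
    memcpy(dst, body, bodylen);
    dst[bodylen] = '\0';
    return 0;
}

/* Stand-in for sasl_client_start(): treats mechlist as a NUL-terminated,
 * space-separated list and reports whether 'want' is offered (1) or not (0). */
static int mech_offered(const char *mechlist, const char *want)
{
    size_t wlen = strlen(want);
    const char *p = mechlist;

    while (*p) {
        while (*p == ' ')
            p++;
        const char *start = p;
        while (*p && *p != ' ')
            p++;
        if ((size_t)(p - start) == wlen && memcmp(start, want, wlen) == 0)
            return 1;
    }
    return 0;
}

/* Deterministic stand-in for uninitialised stack contents: an earlier use of
 * the same stack region left attacker-influenced bytes behind (constructed). */
static void prefill_stale(char *buf, size_t len)
{
    memset(buf, 'x', len);
    buf[len - 1] = '\0';                       /* keep the demo in bounds */
    memcpy(buf + sizeof wire_mechs, " ANONYMOUS ", 11);
}

/* Vulnerable path: does the consumer believe 'want' was offered? */
int vulnerable_offers(const char *want)
{
    char buf[MECH_BUF];
    prefill_stale(buf, sizeof buf);
    read_mechs_unterminated(buf, sizeof buf, wire_mechs, sizeof wire_mechs);
    return mech_offered(buf, want);
}

/* Hardened path for an arbitrary body; -1 means the body was rejected. */
int fixed_offers_from(const char *body, size_t bodylen, const char *want)
{
    char buf[MECH_BUF];
    prefill_stale(buf, sizeof buf);            /* same stale bytes, now inert */
    if (read_mechs_terminated(buf, sizeof buf, body, bodylen) != 0)
        return -1;
    return mech_offered(buf, want);
}

int fixed_offers(const char *want)
{
    return fixed_offers_from(wire_mechs, sizeof wire_mechs, want);
}

/* Edge case: a body that fills the whole buffer leaves no room for the
 * terminator and must be rejected rather than silently truncated. */
int fixed_rejects_full_buffer(void)
{
    char body[MECH_BUF];
    memset(body, 'A', sizeof body);
    return fixed_offers_from(body, sizeof body, "PLAIN") == -1;
}

int main(void)
{
    printf("ANONYMOUS offered? vulnerable=%d fixed=%d\n",
           vulnerable_offers("ANONYMOUS"), fixed_offers("ANONYMOUS"));
    printf("PLAIN offered?     vulnerable=%d fixed=%d\n",
           vulnerable_offers("PLAIN"), fixed_offers("PLAIN"));
    return 0;
}
```

In the vulnerable path the planted " ANONYMOUS " bytes are parsed as a third offered mechanism, which is the kind of tampering the report warns about. Zeroing the buffer removes that, but on its own leaves a second gap: a response of buffer length or longer still has no room for a NUL, so the hardened version above also rejects such a body instead of truncating it. That length check is an addition made here, beyond the initialisation the report describes as the fix.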