Bug 1167522 (CVE-2020-10931) - VUL-0: CVE-2020-10931: memcached: buffer overflow vulnerability may cause DoS in memcached.c:6156-6187
Status: RESOLVED WORKSFORME
Alias: CVE-2020-10931
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/255649/
Reported: 2020-03-24 08:24 UTC by Robert Frohl
Modified: 2020-03-25 12:43 UTC
Description Robert Frohl 2020-03-24 08:24:47 UTC
Recently, I revealed a buffer overflow vulnerability which may cause a DoS attack. The exploit details can be found as follows.
Affected Version

memcached-1.6.0
memcached-1.6.1
Root cause

file location: memcached.c:6156-6187

Code Audit

6178   char extbuf[sizeof(c->binary_header) + BIN_MAX_EXTLEN];
6179   memcpy(extbuf + sizeof(c->binary_header), c->rcurr + sizeof(c->binary_header), extlen);

In line 6179, since there is no mechanism to verify the parameter's length (in this case, the length of "extlen") when calling the memcpy function, it will cause a buffer overflow if a large value is assigned to the extlen variable.

https://github.com/memcached/memcached/issues/629
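
An added illustration, not code from memcached or from the report above: the copy pattern from the audit with the length check whose absence the report describes. HDR_LEN, MAX_EXTLEN (20 is an assumed value standing in for BIN_MAX_EXTLEN), copy_extras_checked and demo are hypothetical names, and the request bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN    24  /* memcached binary protocol request header size */
#define MAX_EXTLEN 20  /* assumed cap, standing in for BIN_MAX_EXTLEN */

/* Copy the extras that follow the header in rbuf (avail bytes received)
 * into extbuf, which holds HDR_LEN + MAX_EXTLEN bytes.
 * Returns 0 = copied, 1 = need more data, -1 = extlen too large (reject). */
int copy_extras_checked(uint8_t *extbuf, const uint8_t *rbuf, size_t avail)
{
    if (avail < HDR_LEN)
        return 1;
    uint8_t extlen = rbuf[4];          /* one header byte set by the client: 0..255 */
    if (extlen > MAX_EXTLEN)           /* the check the report says is missing */
        return -1;
    if (avail < (size_t)HDR_LEN + extlen)
        return 1;                      /* never read past the received bytes */
    memcpy(extbuf + HDR_LEN, rbuf + HDR_LEN, extlen);
    return 0;
}

/* Build a constructed request with the given extras length and run the check. */
int demo(uint8_t extlen, size_t avail)
{
    uint8_t rbuf[HDR_LEN + 255] = {0};
    uint8_t extbuf[HDR_LEN + MAX_EXTLEN];
    rbuf[0] = 0x80;                    /* request magic */
    rbuf[4] = extlen;
    return copy_extras_checked(extbuf, rbuf, avail);
}

int main(void)
{
    printf("extlen=8:   %d\n", demo(8, 64));
    printf("extlen=21:  %d\n", demo(21, 64));
    printf("extlen=255: %d\n", demo(255, HDR_LEN + 255));
    return 0;
}
```
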
Comment 3 Petr Gajdos 2020-03-25 09:09:51 UTC
We do not have 1.6.x anywhere. I have looked at 1.5.17, which is what we have in Tumbleweed, and the memcpy in question is not there.
Comment 4 Robert Frohl 2020-03-25 09:42:37 UTC
(In reply to Petr Gajdos from comment #3)
> We do not have 1.6.x anywhere. I have looked at 1.5.17, which is what we have in
> Tumbleweed, and the memcpy in question is not there.

Thank you, re-assigning to darix so he can decide what to do for openSUSE.
Comment 5 Petr Gajdos 2020-03-25 11:04:10 UTC
There is nothing urgent to do for openSUSE aside from a version update, which I am currently working on.
Comment 6 Petr Gajdos 2020-03-25 11:05:01 UTC
(Nevertheless, neither TW/memcached nor any other version is affected by this CVE, as I wrote.)
Comment 7 Petr Gajdos 2020-03-25 12:43:27 UTC
We are not affected by CVE-2020-10931. darix is still working on a version update for Tumbleweed, but this is unrelated to this bug.