rpms/memcached/F-11 memcached-1.2.8_proper_vlen_fix.patch, NONE, 1.1 memcached.spec, 1.15, 1.16

Paul Lindner plindner at fedoraproject.org
Tue Dec 1 09:19:28 UTC 2009 

Author: plindner

Update of /cvs/pkgs/rpms/memcached/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28617

Modified Files:
	memcached.spec 
Added Files:
	memcached-1.2.8_proper_vlen_fix.patch 
Log Message:
CVE-2009-2415, Resolve 542058

memcached-1.2.8_proper_vlen_fix.patch:
 memcached.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- NEW FILE memcached-1.2.8_proper_vlen_fix.patch ---
diff --git a/memcached.c b/memcached.c
index 097588a..cbbbf48 100644
--- a/memcached.c
+++ b/memcached.c
@@ -1388,7 +1388,7 @@ static void process_update_command(conn *c, token_t *tokens, const size_t ntoken
 
     flags = strtoul(tokens[2].value, NULL, 10);
     exptime = strtol(tokens[3].value, NULL, 10);
-    vlen = strtol(tokens[4].value, NULL, 10);
+    vlen = strtol(tokens[4].value, NULL, 10) + 2;
 
     // does cas value exist?
     if(handle_cas)
@@ -1397,7 +1397,7 @@ static void process_update_command(conn *c, token_t *tokens, const size_t ntoken
     }
 
     if(errno == ERANGE || ((flags == 0 || exptime == 0) && errno == EINVAL)
-       || vlen < 0) {
+       || vlen < 0 || vlen - 2 < 0) {
         out_string(c, "CLIENT_ERROR bad command line format");
         return;
     }
@@ -1406,16 +1406,16 @@ static void process_update_command(conn *c, token_t *tokens, const size_t ntoken
         stats_prefix_record_set(key);
     }
 
-    it = item_alloc(key, nkey, flags, realtime(exptime), vlen+2);
+    it = item_alloc(key, nkey, flags, realtime(exptime), vlen);
 
     if (it == 0) {
-        if (! item_size_ok(nkey, flags, vlen + 2))
+        if (! item_size_ok(nkey, flags, vlen))
             out_string(c, "SERVER_ERROR object too large for cache");
         else
             out_string(c, "SERVER_ERROR out of memory storing object");
         /* swallow the data line */
         c->write_and_go = conn_swallow;
-        c->sbytes = vlen + 2;
+        c->sbytes = vlen;
 
         /* Avoid stale data persisting in cache because we failed alloc.
          * Unacceptable for SET. Anywhere else too? */


Index: memcached.spec
===================================================================
RCS file: /cvs/pkgs/rpms/memcached/F-11/memcached.spec,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -p -r1.15 -r1.16
--- memcached.spec	30 Apr 2009 13:06:52 -0000	1.15
+++ memcached.spec	1 Dec 2009 09:19:28 -0000	1.16
@@ -7,7 +7,7 @@
 
 Name:           memcached
 Version:        1.2.8
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        High Performance, Distributed Memory Object Cache
 
 Group:          System Environment/Daemons
@@ -18,6 +18,9 @@ Source0:        http://www.danga.com/mem
 # custom init script
 Source1:        memcached.sysv
 
+# Patch
+Patch:         http://consoleninja.net/code/memcached/memcached-1.2.8_proper_vlen_fix.patch
+
 # SELinux files
 Source10:       %{modulename}.te
 Source11:       %{modulename}.fc
@@ -63,7 +66,7 @@ SELinux policy module supporting memcach
 mkdir SELinux
 cp -p %{SOURCE10} %{SOURCE11} %{SOURCE12} SELinux/
 
-
+%patch -p1
 %build
 %configure --enable-threads
 
@@ -196,6 +199,11 @@ fi
 
 
 %changelog
+* Tue Dec  1 2009 Paul Lindner <lindner at mirth.inuus.com> - 1.2.8-2
+- Apply patch memcached-1.2.8_proper_vlen_fix.patch
+- Addresses CVE-2009-2415
+- Resolves 542058
+
 * Wed Apr 29 2009 Paul Lindner <lindner at inuus.com> - 1.2.8-1
 - Upgrade to memcached-1.2.8
 - Addresses CVE-2009-1255

More information about the scm-commits mailing list