import UBI memcached-1.6.23-7.el10_2.1
This commit is contained in:
parent
032a03d3f9
commit
1b987fa3c3
59
memcached-1.6.23-CVE-2026-47783.patch
Normal file
59
memcached-1.6.23-CVE-2026-47783.patch
Normal file
@ -0,0 +1,59 @@
|
||||
From 8310a257d539f7c68425914bd812d71c41365739 Mon Sep 17 00:00:00 2001
|
||||
From: Sarthak Munshi <sarthakmunshi@gmail.com>
|
||||
Date: Sat, 21 Mar 2026 15:20:25 -0700
|
||||
Subject: [PATCH] Fix timing side-channel in SASL password database
|
||||
authentication
|
||||
|
||||
sasl_server_userdb_checkpass() broke out of the password file loop
|
||||
early when a valid username was found, creating a measurable timing
|
||||
difference between valid and invalid usernames. Additionally, the
|
||||
password comparison used memcmp() which returns early on the first
|
||||
differing byte, potentially leaking password bytes via timing analysis.
|
||||
|
||||
Fix both issues with minimal changes per reviewer feedback:
|
||||
- Clear buffer to zero before each fgets so comparisons past the
|
||||
stored password hit known zero bytes
|
||||
- Use safe_memcmp() for both username and password comparisons
|
||||
(constant-time, volatile-qualified)
|
||||
- Remove the early break so the entire file is always scanned
|
||||
---
|
||||
sasl_defs.c | 21 ++++++++++-----------
|
||||
1 file changed, 10 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/sasl_defs.c b/sasl_defs.c
|
||||
index e73a570..98a1f75 100644
|
||||
--- a/sasl_defs.c
|
||||
+++ b/sasl_defs.c
|
||||
@@ -71,19 +71,18 @@ static int sasl_server_userdb_checkpass(sasl_conn_t *conn,
|
||||
char buffer[MAX_ENTRY_LEN];
|
||||
bool ok = false;
|
||||
|
||||
- while ((fgets(buffer, sizeof(buffer), pwfile)) != NULL) {
|
||||
- if (memcmp(user, buffer, unmlen) == 0 && buffer[unmlen] == ':') {
|
||||
- /* This is the correct user */
|
||||
- ++unmlen;
|
||||
- if (memcmp(pass, buffer + unmlen, passlen) == 0 &&
|
||||
- (buffer[unmlen + passlen] == ':' || /* Additional tokens */
|
||||
- buffer[unmlen + passlen] == '\n' || /* end of line */
|
||||
- buffer[unmlen + passlen] == '\r'|| /* dos format? */
|
||||
- buffer[unmlen + passlen] == '\0')) { /* line truncated */
|
||||
+ while (1) {
|
||||
+ memset(buffer, 0, sizeof(buffer));
|
||||
+ if (fgets(buffer, sizeof(buffer), pwfile) == NULL)
|
||||
+ break;
|
||||
+ if (safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':') {
|
||||
+ if (safe_memcmp(pass, buffer + unmlen + 1, passlen) &&
|
||||
+ (buffer[unmlen + 1 + passlen] == ':' ||
|
||||
+ buffer[unmlen + 1 + passlen] == '\n' ||
|
||||
+ buffer[unmlen + 1 + passlen] == '\r' ||
|
||||
+ buffer[unmlen + 1 + passlen] == '\0')) {
|
||||
ok = true;
|
||||
}
|
||||
-
|
||||
- break;
|
||||
}
|
||||
}
|
||||
(void)fclose(pwfile);
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -12,7 +12,7 @@
|
||||
|
||||
Name: memcached
|
||||
Version: 1.6.23
|
||||
Release: 7%{?dist}
|
||||
Release: 7%{?dist}.1
|
||||
Epoch: 0
|
||||
Summary: High Performance, Distributed Memory Object Cache
|
||||
|
||||
@ -26,6 +26,10 @@ Source3: memcached.conf
|
||||
|
||||
Patch1: memcached-unit.patch
|
||||
|
||||
# https://issues.redhat.com/browse/RHEL-179083
|
||||
# https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed
|
||||
Patch2: memcached-1.6.23-CVE-2026-47783.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc libevent-devel systemd
|
||||
BuildRequires: perl-generators
|
||||
@ -71,6 +75,7 @@ optimised for use with this version of memcached.
|
||||
# and SELinux policy sources into memcached-selinux-X.X
|
||||
%setup -q -b 2
|
||||
%patch 1 -p1 -b .unit
|
||||
%patch 2 -p1 -b .CVE-2026-47783
|
||||
|
||||
%build
|
||||
%configure \
|
||||
@ -174,6 +179,11 @@ fi
|
||||
%license ../%{selinuxmoduledir}/COPYING
|
||||
|
||||
%changelog
|
||||
* Fri Jun 12 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 0:1.6.23-7.1
|
||||
- Fix timing side-channel in SASL password database authentication
|
||||
(CVE-2026-47783)
|
||||
- Resolves: RHEL-179083
|
||||
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0:1.6.23-7
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
|
||||
Loading…
Reference in New Issue
Block a user