import UBI memcached-1.6.23-7.el10_2.1

This commit is contained in:
AlmaLinux RelEng Bot 2026-06-22 12:15:56 -04:00
parent 032a03d3f9
commit 1b987fa3c3
2 changed files with 70 additions and 1 deletions

View File

@ -0,0 +1,59 @@
From 8310a257d539f7c68425914bd812d71c41365739 Mon Sep 17 00:00:00 2001
From: Sarthak Munshi <sarthakmunshi@gmail.com>
Date: Sat, 21 Mar 2026 15:20:25 -0700
Subject: [PATCH] Fix timing side-channel in SASL password database
authentication
sasl_server_userdb_checkpass() broke out of the password file loop
early when a valid username was found, creating a measurable timing
difference between valid and invalid usernames. Additionally, the
password comparison used memcmp() which returns early on the first
differing byte, potentially leaking password bytes via timing analysis.
Fix both issues with minimal changes per reviewer feedback:
- Clear buffer to zero before each fgets so comparisons past the
stored password hit known zero bytes
- Use safe_memcmp() for both username and password comparisons
(constant-time, volatile-qualified)
- Remove the early break so the entire file is always scanned
---
sasl_defs.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/sasl_defs.c b/sasl_defs.c
index e73a570..98a1f75 100644
--- a/sasl_defs.c
+++ b/sasl_defs.c
@@ -71,19 +71,18 @@ static int sasl_server_userdb_checkpass(sasl_conn_t *conn,
char buffer[MAX_ENTRY_LEN];
bool ok = false;
- while ((fgets(buffer, sizeof(buffer), pwfile)) != NULL) {
- if (memcmp(user, buffer, unmlen) == 0 && buffer[unmlen] == ':') {
- /* This is the correct user */
- ++unmlen;
- if (memcmp(pass, buffer + unmlen, passlen) == 0 &&
- (buffer[unmlen + passlen] == ':' || /* Additional tokens */
- buffer[unmlen + passlen] == '\n' || /* end of line */
- buffer[unmlen + passlen] == '\r'|| /* dos format? */
- buffer[unmlen + passlen] == '\0')) { /* line truncated */
+ while (1) {
+ memset(buffer, 0, sizeof(buffer));
+ if (fgets(buffer, sizeof(buffer), pwfile) == NULL)
+ break;
+ if (safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':') {
+ if (safe_memcmp(pass, buffer + unmlen + 1, passlen) &&
+ (buffer[unmlen + 1 + passlen] == ':' ||
+ buffer[unmlen + 1 + passlen] == '\n' ||
+ buffer[unmlen + 1 + passlen] == '\r' ||
+ buffer[unmlen + 1 + passlen] == '\0')) {
ok = true;
}
-
- break;
}
}
(void)fclose(pwfile);
--
2.52.0

View File

@ -12,7 +12,7 @@
Name: memcached
Version: 1.6.23
Release: 7%{?dist}
Release: 7%{?dist}.1
Epoch: 0
Summary: High Performance, Distributed Memory Object Cache
@ -26,6 +26,10 @@ Source3: memcached.conf
Patch1: memcached-unit.patch
# https://issues.redhat.com/browse/RHEL-179083
# https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed
Patch2: memcached-1.6.23-CVE-2026-47783.patch
BuildRequires: make
BuildRequires: gcc libevent-devel systemd
BuildRequires: perl-generators
@ -71,6 +75,7 @@ optimised for use with this version of memcached.
# and SELinux policy sources into memcached-selinux-X.X
%setup -q -b 2
%patch 1 -p1 -b .unit
%patch 2 -p1 -b .CVE-2026-47783
%build
%configure \
@ -174,6 +179,11 @@ fi
%license ../%{selinuxmoduledir}/COPYING
%changelog
* Fri Jun 12 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 0:1.6.23-7.1
- Fix timing side-channel in SASL password database authentication
(CVE-2026-47783)
- Resolves: RHEL-179083
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0:1.6.23-7
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018