diff --git a/memcached-1.6.23-CVE-2026-47783.patch b/memcached-1.6.23-CVE-2026-47783.patch new file mode 100644 index 0000000..bd040cf --- /dev/null +++ b/memcached-1.6.23-CVE-2026-47783.patch @@ -0,0 +1,59 @@ +From 8310a257d539f7c68425914bd812d71c41365739 Mon Sep 17 00:00:00 2001 +From: Sarthak Munshi +Date: Sat, 21 Mar 2026 15:20:25 -0700 +Subject: [PATCH] Fix timing side-channel in SASL password database + authentication + +sasl_server_userdb_checkpass() broke out of the password file loop +early when a valid username was found, creating a measurable timing +difference between valid and invalid usernames. Additionally, the +password comparison used memcmp() which returns early on the first +differing byte, potentially leaking password bytes via timing analysis. + +Fix both issues with minimal changes per reviewer feedback: +- Clear buffer to zero before each fgets so comparisons past the + stored password hit known zero bytes +- Use safe_memcmp() for both username and password comparisons + (constant-time, volatile-qualified) +- Remove the early break so the entire file is always scanned +--- + sasl_defs.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/sasl_defs.c b/sasl_defs.c +index e73a570..98a1f75 100644 +--- a/sasl_defs.c ++++ b/sasl_defs.c +@@ -71,19 +71,18 @@ static int sasl_server_userdb_checkpass(sasl_conn_t *conn, + char buffer[MAX_ENTRY_LEN]; + bool ok = false; + +- while ((fgets(buffer, sizeof(buffer), pwfile)) != NULL) { +- if (memcmp(user, buffer, unmlen) == 0 && buffer[unmlen] == ':') { +- /* This is the correct user */ +- ++unmlen; +- if (memcmp(pass, buffer + unmlen, passlen) == 0 && +- (buffer[unmlen + passlen] == ':' || /* Additional tokens */ +- buffer[unmlen + passlen] == '\n' || /* end of line */ +- buffer[unmlen + passlen] == '\r'|| /* dos format? */ +- buffer[unmlen + passlen] == '\0')) { /* line truncated */ ++ while (1) { ++ memset(buffer, 0, sizeof(buffer)); ++ if (fgets(buffer, sizeof(buffer), pwfile) == NULL) ++ break; ++ if (safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':') { ++ if (safe_memcmp(pass, buffer + unmlen + 1, passlen) && ++ (buffer[unmlen + 1 + passlen] == ':' || ++ buffer[unmlen + 1 + passlen] == '\n' || ++ buffer[unmlen + 1 + passlen] == '\r' || ++ buffer[unmlen + 1 + passlen] == '\0')) { + ok = true; + } +- +- break; + } + } + (void)fclose(pwfile); +-- +2.52.0 + diff --git a/memcached.spec b/memcached.spec index ee7a422..4776a43 100644 --- a/memcached.spec +++ b/memcached.spec @@ -12,7 +12,7 @@ Name: memcached Version: 1.6.23 -Release: 7%{?dist} +Release: 7%{?dist}.1 Epoch: 0 Summary: High Performance, Distributed Memory Object Cache @@ -26,6 +26,10 @@ Source3: memcached.conf Patch1: memcached-unit.patch +# https://issues.redhat.com/browse/RHEL-179083 +# https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed +Patch2: memcached-1.6.23-CVE-2026-47783.patch + BuildRequires: make BuildRequires: gcc libevent-devel systemd BuildRequires: perl-generators @@ -71,6 +75,7 @@ optimised for use with this version of memcached. # and SELinux policy sources into memcached-selinux-X.X %setup -q -b 2 %patch 1 -p1 -b .unit +%patch 2 -p1 -b .CVE-2026-47783 %build %configure \ @@ -174,6 +179,11 @@ fi %license ../%{selinuxmoduledir}/COPYING %changelog +* Fri Jun 12 2026 RHEL Packaging Agent - 0:1.6.23-7.1 +- Fix timing side-channel in SASL password database authentication + (CVE-2026-47783) +- Resolves: RHEL-179083 + * Tue Oct 29 2024 Troy Dawson - 0:1.6.23-7 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018