Fix CVE-2026-47783: SASL timing side-channel in memcached

Backport upstream fix for CVE-2026-47783 to memcached 1.5.22.
The patch replaces memcmp-based comparisons in sasl_defs.c with
constant-time safe_memcmp() calls and removes early loop exit,
preventing timing side-channel attacks against SASL password
database authentication.

CVE: CVE-2026-47783
Upstream patches:
 - d13f282b4b.patch
Resolves: RHEL-179088

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.

Assisted-by: Ymir
RHEL Packaging Agent 2026-06-12 07:59:58 +00:00
parent 776d27c8d1
commit 468226af29
2 changed files with 67 additions and 1 deletions

@ -0,0 +1,59 @@
From 4df7ac75345b3ea4e0662444621de2ee1959d77c Mon Sep 17 00:00:00 2001
From: Sarthak Munshi <sarthakmunshi@gmail.com>
Date: Sat, 21 Mar 2026 15:20:25 -0700
Subject: [PATCH] Fix timing side-channel in SASL password database
authentication
sasl_server_userdb_checkpass() broke out of the password file loop
early when a valid username was found, creating a measurable timing
difference between valid and invalid usernames. Additionally, the
password comparison used memcmp() which returns early on the first
differing byte, potentially leaking password bytes via timing analysis.
Fix both issues with minimal changes per reviewer feedback:
- Clear buffer to zero before each fgets so comparisons past the
stored password hit known zero bytes
- Use safe_memcmp() for both username and password comparisons
(constant-time, volatile-qualified)
- Remove the early break so the entire file is always scanned
---
sasl_defs.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/sasl_defs.c b/sasl_defs.c
index 370f947..2a46ec3 100644
--- a/sasl_defs.c
+++ b/sasl_defs.c
@@ -71,19 +71,18 @@ static int sasl_server_userdb_checkpass(sasl_conn_t *conn,
char buffer[MAX_ENTRY_LEN];
bool ok = false;
- while ((fgets(buffer, sizeof(buffer), pwfile)) != NULL) {
- if (memcmp(user, buffer, unmlen) == 0 && buffer[unmlen] == ':') {
- /* This is the correct user */
- ++unmlen;
- if (memcmp(pass, buffer + unmlen, passlen) == 0 &&
- (buffer[unmlen + passlen] == ':' || /* Additional tokens */
- buffer[unmlen + passlen] == '\n' || /* end of line */
- buffer[unmlen + passlen] == '\r'|| /* dos format? */
- buffer[unmlen + passlen] == '\0')) { /* line truncated */
+ while (1) {
+ memset(buffer, 0, sizeof(buffer));
+ if (fgets(buffer, sizeof(buffer), pwfile) == NULL)
+ break;
+ if (safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':') {
+ if (safe_memcmp(pass, buffer + unmlen + 1, passlen) &&
+ (buffer[unmlen + 1 + passlen] == ':' ||
+ buffer[unmlen + 1 + passlen] == '\n' ||
+ buffer[unmlen + 1 + passlen] == '\r' ||
+ buffer[unmlen + 1 + passlen] == '\0')) {
ok = true;
}
-
- break;
}
}
(void)fclose(pwfile);
--
2.52.0
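Review bot: In the new loop body the password safe_memcmp() is still nested inside the `if` that tests the username, so it only runs on lines whose username matches, and such a line costs one extra passlen-byte comparison compared with every other line. Removing the `break` makes the scan cover the whole file, but this per-line difference remains; if uniform work per line is the goal, evaluate both comparisons unconditionally and combine the results before setting `ok`. Separately, the hunk depends on safe_memcmp() returning non-zero on equality (the opposite of memcmp) and its definition is not part of this diff, so please confirm the 1.5.22 tree provides it with that convention. Nothing visible here bounds `unmlen + 1 + passlen` against sizeof(buffer) either; worth checking that the caller context above line 71 does.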

@ -7,7 +7,7 @@
Name: memcached
Version: 1.5.22
Release: 2%{?dist}
Release: 3%{?dist}
Epoch: 0
Summary: High Performance, Distributed Memory Object Cache
@ -33,6 +33,8 @@ Patch12: memcached-restart-del-items-fail.patch
Patch13: memcached-restart-double-free.patch
Patch14: memcached-issue685.patch
Patch15: memcached-test-cache-dump.patch
# https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed
Patch16: memcached-CVE-2026-47783.patch
BuildRequires: gcc libevent-devel systemd
BuildRequires: perl-generators
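Review bot: Patch16 is declared here, but none of the spec hunks adds a matching `%patch16` line in %prep, so the fix is only applied if the spec uses %autosetup or %autopatch; please confirm that, or add the explicit application line. The comment above Patch16 cites upstream commit d13f282b4bce33a9c33b8a1bbf07f12114160fed, while the patch file's own From line carries 4df7ac75345b3ea4e0662444621de2ee1959d77c; a short note in the patch header saying which upstream commit it derives from and that it was adapted for 1.5.22 would make the provenance easier to audit.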
@ -139,6 +141,11 @@ exit 0
%{_includedir}/memcached/*
%changelog
* Fri Jun 12 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 0:1.5.22-3
- Fix timing side-channel in SASL password database authentication
- CVE-2026-47783
- Resolves: RHEL-179088
* Thu Jun 04 2020 Tomas Korbar <tkorbar@redhat.com> - 0:1.5.22-2
- Update testing (#1809536)