diff --git a/memcached-CVE-2026-47783.patch b/memcached-CVE-2026-47783.patch
new file mode 100644
index 0000000..c5229d8
--- /dev/null
+++ b/memcached-CVE-2026-47783.patch
@@ -0,0 +1,59 @@
+From 4df7ac75345b3ea4e0662444621de2ee1959d77c Mon Sep 17 00:00:00 2001
+From: Sarthak Munshi
+Date: Sat, 21 Mar 2026 15:20:25 -0700
+Subject: [PATCH] Fix timing side-channel in SASL password database
+ authentication
+
+sasl_server_userdb_checkpass() broke out of the password file loop
+early when a valid username was found, creating a measurable timing
+difference between valid and invalid usernames. Additionally, the
+password comparison used memcmp() which returns early on the first
+differing byte, potentially leaking password bytes via timing analysis.
+
+Fix both issues with minimal changes per reviewer feedback:
+- Clear buffer to zero before each fgets so comparisons past the
+ stored password hit known zero bytes
+- Use safe_memcmp() for both username and password comparisons
+ (constant-time, volatile-qualified)
+- Remove the early break so the entire file is always scanned
+---
+ sasl_defs.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/sasl_defs.c b/sasl_defs.c
+index 370f947..2a46ec3 100644
+--- a/sasl_defs.c
++++ b/sasl_defs.c
+@@ -71,19 +71,18 @@ static int sasl_server_userdb_checkpass(sasl_conn_t *conn,
+ char buffer[MAX_ENTRY_LEN];
+ bool ok = false;
+
+- while ((fgets(buffer, sizeof(buffer), pwfile)) != NULL) {
+- if (memcmp(user, buffer, unmlen) == 0 && buffer[unmlen] == ':') {
+- /* This is the correct user */
+- ++unmlen;
+- if (memcmp(pass, buffer + unmlen, passlen) == 0 &&
+- (buffer[unmlen + passlen] == ':' || /* Additional tokens */
+- buffer[unmlen + passlen] == '\n' || /* end of line */
+- buffer[unmlen + passlen] == '\r'|| /* dos format?
*/
+- buffer[unmlen + passlen] == '\0')) { /* line truncated */
++ while (1) {
++ memset(buffer, 0, sizeof(buffer));
++ if (fgets(buffer, sizeof(buffer), pwfile) == NULL)
++ break;
++ if (safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':') {
++ if (safe_memcmp(pass, buffer + unmlen + 1, passlen) &&
++ (buffer[unmlen + 1 + passlen] == ':' ||
++ buffer[unmlen + 1 + passlen] == '\n' ||
++ buffer[unmlen + 1 + passlen] == '\r' ||
++ buffer[unmlen + 1 + passlen] == '\0')) {
+ ok = true;
+ }
+-
+- break;
+ }
+ }
+ (void)fclose(pwfile);
+--
+2.52.0
+
diff --git a/memcached.spec b/memcached.spec
index 6a6d1e1..1b77a97 100644
--- a/memcached.spec
+++ b/memcached.spec
@@ -7,7 +7,7 @@
 Name: memcached
 Version: 1.5.22
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 0
 Summary: High Performance, Distributed Memory Object Cache
@@ -33,6 +33,8 @@ Patch12: memcached-restart-del-items-fail.patch
 Patch13: memcached-restart-double-free.patch
 Patch14: memcached-issue685.patch
 Patch15: memcached-test-cache-dump.patch
+# https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed
+Patch16: memcached-CVE-2026-47783.patch
 BuildRequires: gcc libevent-devel systemd
 BuildRequires: perl-generators
@@ -139,6 +141,11 @@ exit 0
 %{_includedir}/memcached/*
 %changelog
+* Fri Jun 12 2026 RHEL Packaging Agent - 0:1.5.22-3
+- Fix timing side-channel in SASL password database authentication
+- CVE-2026-47783
+- Resolves: RHEL-179088
+
 * Thu Jun 04 2020 Tomas Korbar - 0:1.5.22-2
 - Update testing (#1809536)
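Review bot: In the added loop of sasl_server_userdb_checkpass() in memcached-CVE-2026-47783.patch, the password `safe_memcmp()` still runs only on lines whose username matched, because the nested `if` and the `&&`/`||` chains short-circuit, so a known username costs one more comparison pass than an unknown one. Dropping the `break` narrows the username timing difference the commit message describes but does not remove it; evaluating both comparisons and the delimiter checks on every line and folding them into `ok` with `&`/`|` makes the per-line work independent of the match (worth confirming in the generated code, since a compiler can reintroduce branches). The function's opening lines are outside the hunk, so the bound on `unmlen + 1 + passlen` against `MAX_ENTRY_LEN` that these indexes rely on is not visible here and should be confirmed, as should the availability of `safe_memcmp()` in the 1.5.22 tree, given that the patch adds no include or definition.

```c
    while (1) {
        /* … unchanged: memset(buffer, …) and fgets(), break on EOF … */
        bool user_ok = safe_memcmp(user, buffer, unmlen);
        bool pass_ok = safe_memcmp(pass, buffer + unmlen + 1, passlen);
        char sep = buffer[unmlen];
        char end = buffer[unmlen + 1 + passlen];

        /* Bitwise operators: no short-circuit, same work for every line. */
        ok |= user_ok & pass_ok & (sep == ':') &
              ((end == ':') | (end == '\n') | (end == '\r') | (end == '\0'));
    }
```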
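Review bot: The upstream commit linked above `Patch16` (d13f282b4bce33a9c33b8a1bbf07f12114160fed) is not the hash in the patch file's `From` line (4df7ac75345b3ea4e0662444621de2ee1959d77c), so the spec alone does not tell a reader which change was applied. If the patch was regenerated or adapted for 1.5.22, the comment should say so, for example `# Backport of <upstream commit URL>, adapted to 1.5.22`.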