import UBI memcached-1.6.9-7.el9_8.1

This commit is contained in:
AlmaLinux RelEng Bot 2026-06-22 14:04:29 -04:00
parent ec88c9da10
commit e289009f7b
2 changed files with 70 additions and 2 deletions

View File

@ -0,0 +1,59 @@
From 7bba1ba597db0dfceab4d19afe079999c5a0bd0a Mon Sep 17 00:00:00 2001
From: Sarthak Munshi <sarthakmunshi@gmail.com>
Date: Sat, 21 Mar 2026 15:20:25 -0700
Subject: [PATCH] Fix timing side-channel in SASL password database
authentication
sasl_server_userdb_checkpass() broke out of the password file loop
early when a valid username was found, creating a measurable timing
difference between valid and invalid usernames. Additionally, the
password comparison used memcmp() which returns early on the first
differing byte, potentially leaking password bytes via timing analysis.
Fix both issues with minimal changes per reviewer feedback:
- Clear buffer to zero before each fgets so comparisons past the
stored password hit known zero bytes
- Use safe_memcmp() for both username and password comparisons
(constant-time, volatile-qualified)
- Remove the early break so the entire file is always scanned
---
sasl_defs.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/sasl_defs.c b/sasl_defs.c
index e73a570..98a1f75 100644
--- a/sasl_defs.c
+++ b/sasl_defs.c
@@ -71,19 +71,18 @@ static int sasl_server_userdb_checkpass(sasl_conn_t *conn,
char buffer[MAX_ENTRY_LEN];
bool ok = false;
- while ((fgets(buffer, sizeof(buffer), pwfile)) != NULL) {
- if (memcmp(user, buffer, unmlen) == 0 && buffer[unmlen] == ':') {
- /* This is the correct user */
- ++unmlen;
- if (memcmp(pass, buffer + unmlen, passlen) == 0 &&
- (buffer[unmlen + passlen] == ':' || /* Additional tokens */
- buffer[unmlen + passlen] == '\n' || /* end of line */
- buffer[unmlen + passlen] == '\r'|| /* dos format? */
- buffer[unmlen + passlen] == '\0')) { /* line truncated */
+ while (1) {
+ memset(buffer, 0, sizeof(buffer));
+ if (fgets(buffer, sizeof(buffer), pwfile) == NULL)
+ break;
+ if (safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':') {
+ if (safe_memcmp(pass, buffer + unmlen + 1, passlen) &&
+ (buffer[unmlen + 1 + passlen] == ':' ||
+ buffer[unmlen + 1 + passlen] == '\n' ||
+ buffer[unmlen + 1 + passlen] == '\r' ||
+ buffer[unmlen + 1 + passlen] == '\0')) {
ok = true;
}
-
- break;
}
}
(void)fclose(pwfile);
--
2.52.0

View File

@ -12,7 +12,7 @@
Name: memcached
Version: 1.6.9
Release: 7%{?dist}
Release: 7%{?dist}.1
Epoch: 0
Summary: High Performance, Distributed Memory Object Cache
@ -25,6 +25,9 @@ Source2: https://releases.pagure.org/memcached-selinux/memcached-selinux-
Source3: memcached.conf
Patch1: memcached-unit.patch
# https://issues.redhat.com/browse/RHEL-179093
# https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed
Patch2: memcached-1.6.9-CVE-2026-47783.patch
BuildRequires: make
BuildRequires: gcc libevent-devel systemd
@ -71,6 +74,7 @@ optimised for use with this version of memcached.
# and SELinux policy sources into memcached-selinux-X.X
%setup -q -b 2
%patch1 -p1 -b .unit
%patch2 -p1 -b .CVE-2026-47783
%build
%configure \
@ -170,10 +174,15 @@ fi
%files selinux
%attr(0644,root,root) %{_datadir}/selinux/packages/%{selinuxmodulename}.pp.bz2
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{selinuxmodulename}
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{selinuxmodulename}
%license ../%{selinuxmoduledir}/COPYING
%changelog
* Fri Jun 12 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 0:1.6.9-7.1
- Fix timing side-channel in SASL password database authentication
(CVE-2026-47783)
- Resolves: RHEL-179093
* Wed Jun 15 2022 Tomas Korbar <tkorbar@redhat.com> - 0:1.6.9-7
- Use systemd-users
- Resolves: rhbz#2095432