From patchwork Wed Oct 15 03:42:41 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 72355
From: Ankur Tyagi
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko, Khem Raj, Ankur Tyagi
Subject: [oe][meta-networking][scarthgap][PATCH 1/4] libmemcached: ignore CVE-2023-27478
Date: Wed, 15 Oct 2025 16:42:41 +1300
Message-ID: <20251015034244.1445689-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120679

From: Peter Marko

Per [1] this is fixed by [2].
The commit message says that it is reverting feature added in:
$ git tag --no-contains d7a0084 | grep 1.0.18
1.0.18
$ git tag --no-contains d7a0084 | grep 1.0.7
1.0.7

This recipe is for the original memcached which is unmaintained now.
Hence the ignore instead of upgrade.

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-27478
[2] https://github.com/awesomized/libmemcached/commit/48dcc61a

Signed-off-by: Peter Marko
Signed-off-by: Khem Raj
(cherry picked from commit 607a44649189a29e6f547ce89b41ba332a45946a)
Signed-off-by: Ankur Tyagi
---
 .../recipes-support/libmemcached/libmemcached_1.0.18.bb | 2 ++
 .../recipes-support/libmemcached/libmemcached_1.0.7.bb | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/meta-networking/recipes-support/libmemcached/libmemcached_1.0.18.bb b/meta-networking/recipes-support/libmemcached/libmemcached_1.0.18.bb index 56778c0483..e4646d79ef 100644 --- a/meta-networking/recipes-support/libmemcached/libmemcached_1.0.18.bb +++ b/meta-networking/recipes-support/libmemcached/libmemcached_1.0.18.bb @@ -8,3 +8,5 @@ SRC_URI += "\ " SRC_URI[md5sum] = "b3958716b4e53ddc5992e6c49d97e819" SRC_URI[sha256sum] = "e22c0bb032fde08f53de9ffbc5a128233041d9f33b5de022c0978a2149885f82" + +CVE_STATUS[CVE-2023-27478] = "fixed-version: this problem was not yet introduced in 1.0.18"
diff --git a/meta-networking/recipes-support/libmemcached/libmemcached_1.0.7.bb b/meta-networking/recipes-support/libmemcached/libmemcached_1.0.7.bb index cdf8415ff7..156e4cd38d 100644 --- a/meta-networking/recipes-support/libmemcached/libmemcached_1.0.7.bb +++ b/meta-networking/recipes-support/libmemcached/libmemcached_1.0.7.bb 
@@ -2,3 +2,5 @@ require libmemcached.inc SRC_URI[md5sum] = "d59a462a92d296f76bff2d9bc72b2516" SRC_URI[sha256sum] = "3efa86c9733eaad55d7119cb16769424e2aa6c22b3392e8f973946fce6678d81" + +CVE_STATUS[CVE-2023-27478] = "fixed-version: this problem was not yet introduced in 1.0.7"
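Review bot: Both added CVE_STATUS lines (libmemcached_1.0.18.bb and libmemcached_1.0.7.bb) use the `fixed-version` status while the subject and message call this an "ignore", and the reason string "this problem was not yet introduced in ..." does not say what introduced it. Suggest carrying the evidence into the recipes, for example a comment above each line naming the upstream fix [2] and the `git tag --no-contains d7a0084` check from the message, so the status can be re-verified from the layer alone. The message should also say what d7a0084 is, since the sentence "reverting feature added in:" ends without naming it.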
From: Ankur Tyagi
To: openembedded-devel@lists.openembedded.org
Cc: Peter Marko, Khem Raj, Ankur Tyagi
Subject: [oe][meta-networking][scarthgap][PATCH 2/4] memcached: ignore disputed CVE-2022-26635
Date: Wed, 15 Oct 2025 16:42:42 +1300
Message-ID: <20251015034244.1445689-2-ankur.tyagi85@gmail.com>
In-Reply-To: <20251015034244.1445689-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120680

From: Peter Marko

Per [1] this is a problem of applications using memcached improperly.

This should not be a CVE against php-memcached, but for whatever
software the issue was actually found in. php-memcached and
libmemcached provide a VERIFY_KEY flag if they're too lazy to
filter untrusted user input.

[1] https://github.com/php-memcached-dev/php-memcached/issues/519

Signed-off-by: Peter Marko
Signed-off-by: Khem Raj
(cherry picked from commit 889ccce6848276fa68b3736b345552a533bc6bd2)
Signed-off-by: Ankur Tyagi
---
 meta-networking/recipes-support/memcached/memcached_1.6.17.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb index 270ad5486d..7234f02a13 100644 --- a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb +++ b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb
@@ -25,6 +25,8 @@ SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ " SRC_URI[sha256sum] = "2055e373613d8fc21529aff9f0adce3e23b9ce01ba0478d30e7941d9f2bd1224" +CVE_STATUS[CVE-2022-26635] = "disputed: this is a problem of applications using php-memcached inproperly" + # set the same COMPATIBLE_HOST as libhugetlbfs COMPATIBLE_HOST = "(i.86|x86_64|powerpc|powerpc64|aarch64|arm).*-linux*"
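Review bot: The added CVE_STATUS string in memcached_1.6.17.bb misspells "improperly" as "inproperly"; please fix it in the recipe line itself. The string also blames "applications using php-memcached" while the status is being set on the memcached recipe, and the only evidence cited in the message is a php-memcached issue [1]. A comment with that URL above the line, plus one sentence on why the CVE is matched against this recipe at all, would let a later reader re-check the dispute.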
From: Ankur Tyagi
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-networking][scarthgap][PATCH 3/4] memcached: patch CVE-2023-46852
Date: Wed, 15 Oct 2025 16:42:43 +1300
Message-ID: <20251015034244.1445689-3-ankur.tyagi85@gmail.com>
In-Reply-To: <20251015034244.1445689-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120681

Details https://nvd.nist.gov/vuln/detail/CVE-2023-46852

Signed-off-by: Ankur Tyagi
---
 .../memcached/memcached/CVE-2023-46852.patch | 71 +++++++++++++++++++
 .../memcached/memcached_1.6.17.bb | 1 +
 2 files changed, 72 insertions(+)
 create mode 100644 meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch

diff --git a/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch new file mode 100644 index 0000000000..2bb34af97a --- /dev/null +++ b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch
@@ -0,0 +1,71 @@ +From 44d8cfad2500881447cbfe2089bfd80b85ffcd7e Mon Sep 17 00:00:00 2001 +From: dormando +Date: Fri, 28 Jul 2023 10:32:16 -0700 +Subject: [PATCH] CVE-2023-46852 + +proxy: fix buffer overflow with multiget syntax + +"get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to +process multiget syntax. + +To exploit this you must first pass the check in try_read_command_proxy: +- The request before the first newline must be less than 1024 bytes. +- If it is more than 1024 bytes there is a limit of 100 spaces. +- The key length is still checked at 250 bytes +- Meaning you have up to 772 spaces and then the key to create stack + corruption. + +So the amount of data you can shove in here isn't unlimited. + +The fix caps the amount of data pre-key to be reasonable. Something like +GAT needs space for a 32bit TTL which is at most going to be 15 bytes + +spaces, so we limit it to 20 bytes. + +I hate hate hate hate hate the multiget syntax. hate it. + +CVE: CVE-2023-46852 +Upstream-Status: Backport [https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767] +(cherry picked from commit 76a6c363c18cfe7b6a1524ae64202ac9db330767) +Signed-off-by: Ankur Tyagi +--- + proto_proxy.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/proto_proxy.c b/proto_proxy.c +index 3ee8c07..9bef26d 100644 +--- a/proto_proxy.c ++++ b/proto_proxy.c +@@ -616,6 +616,12 @@ int proxy_run_coroutine(lua_State *Lc, mc_resp *resp, io_pending_proxy_t *p, con + return 0; + } + ++// basically any data before the first key. ++// max is like 15ish plus spaces. we can be more strict about how many spaces ++// to expect because any client spamming space is being deliberately stupid ++// anyway. 
++#define MAX_CMD_PREFIX 20 ++ + static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool multiget) { + assert(c != NULL); + LIBEVENT_THREAD *thr = c->thread; +@@ -687,12 +693,18 @@ static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool mu + if (!multiget && pr.cmd_type == CMD_TYPE_GET && pr.has_space) { + uint32_t keyoff = pr.tokens[pr.keytoken]; + while (pr.klen != 0) { +- char temp[KEY_MAX_LENGTH + 30]; ++ char temp[KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30]; + char *cur = temp; + // Core daemon can abort the entire command if one key is bad, but + // we cannot from the proxy. Instead we have to inject errors into + // the stream. This should, thankfully, be rare at least. +- if (pr.klen > KEY_MAX_LENGTH) { ++ if (pr.tokens[pr.keytoken] > MAX_CMD_PREFIX) { ++ if (!resp_start(c)) { ++ conn_set_state(c, conn_closing); ++ return; ++ } ++ proxy_out_errstring(c->resp, PROXY_CLIENT_ERROR, "malformed request"); ++ } else if (pr.klen > KEY_MAX_LENGTH) { + if (!resp_start(c)) { + conn_set_state(c, conn_closing); + return; diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb index 7234f02a13..b4c1847bf6 100644 --- a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb +++ b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb 
@@ -22,6 +22,7 @@ RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \ SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ file://memcached-add-hugetlbfs-check.patch \ file://0001-Fix-function-protypes.patch \ + file://CVE-2023-46852.patch \ " SRC_URI[sha256sum] = "2055e373613d8fc21529aff9f0adce3e23b9ce01ba0478d30e7941d9f2bd1224"
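Review bot: The header of the new CVE-2023-46852.patch replaces the upstream subject with `Subject: [PATCH] CVE-2023-46852` and pushes "proxy: fix buffer overflow with multiget syntax" down into the body, while the submission's own message is only a "Details" link. Suggest keeping the descriptive subject in the patch header, since the `CVE:` tag already carries the identifier, and adding one sentence to the commit message saying that this backports the proxy multiget temporary-buffer overflow fix named in Upstream-Status.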
From: Ankur Tyagi
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-networking][scarthgap][PATCH 4/4] memcached: patch CVE-2023-46853
Date: Wed, 15 Oct 2025 16:42:44 +1300
Message-ID: <20251015034244.1445689-4-ankur.tyagi85@gmail.com>
In-Reply-To: <20251015034244.1445689-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120682

Details https://nvd.nist.gov/vuln/detail/CVE-2023-46853

Signed-off-by: Ankur Tyagi
---
 .../memcached/memcached/CVE-2023-46853.patch | 117 ++++++++++++++++++
 .../memcached/memcached_1.6.17.bb | 1 +
 2 files changed, 118 insertions(+)
 create mode 100644 meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch

diff --git a/meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch new file mode 100644 index 0000000000..cf8aaf467b --- /dev/null +++ b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch
@@ -0,0 +1,117 @@ +From 51c1f144d57379bd77f5b04c462171d26ebc5514 Mon Sep 17 00:00:00 2001 +From: dormando +Date: Wed, 2 Aug 2023 15:45:56 -0700 +Subject: [PATCH] CVE-2023-46853 + +proxy: fix off-by-one if \r is missing + +A bunch of the parser assumed we only had \r\n, but I didn't actually +have that strictness set. Some commands worked and some broke in subtle +ways when just "\n" was being submitted. + +I'm not 100% confident in this change yet so I'm opening a PR to stage +it while I run some more thorough tests. + +CVE: CVE-2023-46853 +Upstream-Status: Backport [https://github.com/memcached/memcached/commit/6987918e9a3094ec4fc8976f01f769f624d790fa] +(cherry picked from commit 6987918e9a3094ec4fc8976f01f769f624d790fa) +Signed-off-by: Ankur Tyagi +--- + proxy.h | 1 + + proxy_request.c | 22 ++++++++++++++++------ + t/proxy.t | 5 +++-- + 3 files changed, 20 insertions(+), 8 deletions(-) + +diff --git a/proxy.h b/proxy.h +index 015c093..29e5175 100644 +--- a/proxy.h ++++ b/proxy.h +@@ -271,6 +271,7 @@ struct mcp_parser_s { + uint8_t keytoken; // because GAT. sigh. also cmds without a key. + uint32_t parsed; // how far into the request we parsed already + uint32_t reqlen; // full length of request buffer. ++ uint32_t endlen; // index to the start of \r\n or \n + int vlen; + uint32_t klen; // length of key. + uint16_t tokens[PARSER_MAX_TOKENS]; // offsets for start of each token +diff --git a/proxy_request.c b/proxy_request.c +index 457e9a1..6351d02 100644 +--- a/proxy_request.c ++++ b/proxy_request.c +@@ -9,7 +9,7 @@ + // where we later scan or directly feed data into API's. + static int _process_tokenize(mcp_parser_t *pr, const size_t max) { + const char *s = pr->request; +- int len = pr->reqlen - 2; ++ int len = pr->endlen; + + // since multigets can be huge, we can't purely judge reqlen against this + // limit, but we also can't index past it since the tokens are shorts. 
+@@ -93,7 +93,7 @@ static int _process_request_key(mcp_parser_t *pr) { + // Returns the offset for the next key. + size_t _process_request_next_key(mcp_parser_t *pr) { + const char *cur = pr->request + pr->parsed; +- int remain = pr->reqlen - pr->parsed - 2; ++ int remain = pr->endlen - pr->parsed; + + // chew off any leading whitespace. + while (remain) { +@@ -126,7 +126,7 @@ static int _process_request_metaflags(mcp_parser_t *pr, int token) { + return 0; + } + const char *cur = pr->request + pr->tokens[token]; +- const char *end = pr->request + pr->reqlen - 2; ++ const char *end = pr->request + pr->endlen; + + // We blindly convert flags into bits, since the range of possible + // flags is deliberately < 64. +@@ -290,15 +290,25 @@ int process_request(mcp_parser_t *pr, const char *command, size_t cmdlen) { + return -1; + } + +- const char *s = memchr(command, ' ', cmdlen-2); ++ // Commands can end with bare '\n's. Depressingly I intended to be strict ++ // with a \r\n requirement but never did this and need backcompat. ++ // In this case we _know_ \n is at cmdlen because we can't enter this ++ // function otherwise. ++ if (cm[cmdlen-2] == '\r') { ++ pr->endlen = cmdlen - 2; ++ } else { ++ pr->endlen = cmdlen - 1; ++ } ++ ++ const char *s = memchr(command, ' ', pr->endlen); + if (s != NULL) { + cl = s - command; + } else { +- cl = cmdlen - 2; ++ cl = pr->endlen; + } + pr->keytoken = 0; + pr->has_space = false; +- pr->parsed = cl + 1; ++ pr->parsed = cl; + pr->request = command; + pr->reqlen = cmdlen; + int token_max = PARSER_MAX_TOKENS; +diff --git a/t/proxy.t b/t/proxy.t +index 37caa27..af6213a 100644 +--- a/t/proxy.t ++++ b/t/proxy.t +@@ -151,13 +151,14 @@ my $p_sock = $p_srv->sock; + # NOTE: memcached always allowed [\r]\n for single command lines, but payloads + # (set/etc) require exactly \r\n as termination. + # doc/protocol.txt has always specified \r\n for command/response. +-# Proxy is more strict than normal server in this case. 
++# Note a bug lead me to believe that the proxy was more strict, we accept any ++# \n or \r\n terminated commands. + { + my $s = $srv[0]->sock; + print $s "version\n"; + like(<$s>, qr/VERSION/, "direct server version cmd with just newline"); + print $p_sock "version\n"; +- like(<$p_sock>, qr/SERVER_ERROR/, "proxy version cmd with just newline"); ++ like(<$p_sock>, qr/VERSION/, "proxy version cmd with just newline"); + print $p_sock "version\r\n"; + like(<$p_sock>, qr/VERSION/, "proxy version cmd with full CRLF"); + } diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb index b4c1847bf6..bfa1450368 100644 --- a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb +++ b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb @@ -23,6 +23,7 @@ SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ file://memcached-add-hugetlbfs-check.patch \ file://0001-Fix-function-protypes.patch \ file://CVE-2023-46852.patch \ + file://CVE-2023-46853.patch \ " SRC_URI[sha256sum] = "2055e373613d8fc21529aff9f0adce3e23b9ce01ba0478d30e7941d9f2bd1224"
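Review bot: In the process_request() change of the carried CVE-2023-46853.patch, the new `cm[cmdlen-2] == '\r'` test reads two bytes before the end of the command, and the only guard visible in the hunk context is the `return -1;` just above it. Please confirm that in 1.6.17 this guard rejects any command shorter than two bytes before the read is reached, and that `cm` is declared there, since the surrounding lines use `command`. The upstream message kept in the patch header also says the author was "not 100% confident in this change yet", so the submission should state whether later upstream follow-ups to this parser change were checked for the backport.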