To: alpine-aports@lists.alpinelinux.org
From: Sergey Lukin
Subject: [alpine-aports] v3.1 main/memcached: fix 6449, security upgrade
Message-ID: <777e6510-bee4-c8dd-2cc8-c3231cce045e@cde.us.jw.org>
Date: Wed, 30 Nov 2016 14:56:35 +0200
List-Id: Alpine Development

Attachment: AL_3.1-memcached-security-upgr-to-1.4.33-fix-6449.patch
>From a6873cfbfcec7bafae513081865380a269ec816e Mon Sep 17 00:00:00 2001 From: Sergey Lukin Date: Wed, 30 Nov 2016 12:49:39 +0000 Subject: [PATCH] main/memcached: security upgrade to 1.4.33 - fixes: #6449 --- main/memcached/APKBUILD | 16 ++++--------- main/memcached/CVE-2011-4971.patch | 47 -------------------------------------- main/memcached/musl-includes.patch | 47 -------------------------------------- 3 files changed, 4 insertions(+), 106 deletions(-) delete mode 100644 main/memcached/CVE-2011-4971.patch delete mode 100644 main/memcached/musl-includes.patch diff --git a/main/memcached/APKBUILD b/main/memcached/APKBUILD index 5ae3157..501088d 100644 --- a/main/memcached/APKBUILD +++ b/main/memcached/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Jeff Bilyk # Maintainer: Natanael Copa pkgname=memcached -pkgver=1.4.21 +pkgver=1.4.33 pkgrel=0 pkgdesc="Distributed memory object caching system" url="http://memcached.org" @@ -13,8 +13,6 @@ makedepends="$depends_dev" install="$pkgname.pre-install" subpackages="$pkgname-dev $pkgname-doc" source="http://www.memcached.org/files/memcached-$pkgver.tar.gz - CVE-2011-4971.patch - musl-includes.patch $pkgname.confd $pkgname.initd" 
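Review bot: the `source=` hunk drops both `CVE-2011-4971.patch` and `musl-includes.patch`, but the commit message ("security upgrade to 1.4.33 - fixes: #6449") says nothing about why they are no longer needed. Please add a sentence to the commit message stating that 1.4.33 carries the equivalent of both fixes upstream and how that was checked (a clean build of this APKBUILD on a musl-based 3.1 system at minimum), since nothing in the diff itself shows it. The `pkgrel=0` reset alongside the `pkgver` bump is correct.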
@@ -49,18 +47,12 @@ package() { "$pkgdir/etc/conf.d/$pkgname" || return 1 } -md5sums="28e744a6ad14891443a582e7a8a62cdd memcached-1.4.21.tar.gz -e73c5651b37f54020bea00a4318cef2e CVE-2011-4971.patch -4b2e8c5e3ad147ed514ad7fcf1b2222a musl-includes.patch +md5sums="2d7f6476283cd36e21e521d901d37a8f memcached-1.4.33.tar.gz a7aa37e91d4237448124b79bd99a2649 memcached.confd cc344c9aead89042ca2fbf45cd3930a6 memcached.initd" -sha256sums="301ebe41c686fa5c0a8e39cdf49a32f21fcc9357358792216dfb315d16260e8d memcached-1.4.21.tar.gz -0dbb2a8425e051f21a4f767055b82b6294ecf1d22082aeb24f6688bbc9870aed CVE-2011-4971.patch -1b1df3a3b70469722a89135b361cf2c2a4b9835d3c9f3029aa73342fd4619cf5 musl-includes.patch +sha256sums="83726c8d68258c56712373072abb25a449c257398075a39ec0867fd8ba69771d memcached-1.4.33.tar.gz c8f03585eeeb0e0acf4e8bb3c0f7062c2c7da5f89e763cf91a856bec4991a2c7 memcached.confd e4b6415c5501963d2ce421aab9d595736091bc895b8f3762e746593f7d736792 memcached.initd" -sha512sums="b4a0297fbd5435a33ee23c7421f191dd7f9fa34c59223e81c32db2802b698075b8f3bdf7bb85b055cc7aa2a1e5212a26b37453aa0287d0b5c9b99dc4f73f83fa memcached-1.4.21.tar.gz -a1f6ece8e3b07509aadbd24c3420cb4400a47c6f046282243a6e295d041ff8f84ff2de86e657cb233199259cca63360e03b173a5abff0d67789eef91847be5eb CVE-2011-4971.patch -80c8719c254bc8b8d3d4256e9850c17f5e9ee9a76787b2d0fd7c6bb7780ee132257ff65d8397dc023216b3f541050295c4e1d7e675b12ab6dcc50d07c5e067b3 musl-includes.patch +sha512sums="00af5a2f46702fb8e606b1035cdaad125445d8eb701927a3ccccd7cd6c12e0811efb3ad917e3118043fd993b5c313f1aa0c4b2a471218e971a21fed7c896e136 memcached-1.4.33.tar.gz 31bd788433b8021ed332f86d291e7f03222ae234520e52ba673b581d5da2adf5656e8f73e8b985df73258dea9b2a1b8ef36195163fe47a92fda59825deedfed4 memcached.confd 65782982faaa8966ae0e1335ae367db1c65a94b5e218dfb1245e9d5e3b03ed42234c8023e6f6af13ba06bc6a5f25be5e34b4c84f4fd67805df280c94315c6a23 memcached.initd" 
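Review bot: the replaced md5sums/sha256sums/sha512sums lines for `memcached-1.4.33.tar.gz` are the only integrity anchor for this upgrade, because `source=` still fetches from plain `http://www.memcached.org`. From the hunk alone a reviewer cannot tell whether these sums were compared against the hashes upstream publishes for the 1.4.33 release or simply regenerated with `abuild checksum` on whatever was downloaded; please say which in the commit message. The unchanged `memcached.confd` and `memcached.initd` sums are consistent with those files not being touched by this patch.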
diff --git a/main/memcached/CVE-2011-4971.patch b/main/memcached/CVE-2011-4971.patch deleted file mode 100644 index fc02be8..0000000 --- a/main/memcached/CVE-2011-4971.patch +++ /dev/null @@ -1,47 +0,0 @@ -Issue 192: Crash when sending specially crafted packet -Author: Christos Tsantilas - -This is an unsigned to signed integers conversion problem. -Inside the following functions: - process_bin_sasl_auth - process_bin_complete_sasl_auth - process_bin_update - process_bin_append_prepend - -there is the following or a similar statement: - int vlen = c->binary_header.request.bodylen - nkey; - -The c->binary_header.request.bodylen is an unsigned int which if it is bigger -than the INT_MAX and converted to a signed int will result to a negative number -causing segfaults to memcached. -The c->binary_header.request.bodylen is the request body length defined by -the client request. Random bytes sent to the memcached may interpeted -as a normal request with huge body data. -This patch just add a check and reject requests which report huge body data. - - ---- memcached-1.4.15.orig/memcached.c 2012-09-03 21:23:23.000000000 +0300 -+++ memcached-1.4.15/memcached.c 2013-11-26 14:22:28.206370577 +0200 -@@ -3446,6 +3446,22 @@ - return -1; - } - -+ /* -+ issue #192: -+ c->binary_header.request.bodylen is an unsigned int but it is -+ used in many places as a signed int. -+ Add a check here to avoid bad integer type conversions which -+ may cause crashes to memcached. -+ */ -+ if (c->binary_header.request.bodylen > INT_MAX) { -+ if (settings.verbose) { -+ fprintf(stderr, "Invalid request body length: %u\n", -+ c->binary_header.request.bodylen); -+ } -+ conn_set_state(c, conn_closing); -+ return -1; -+ } -+ - c->msgcurr = 0; - c->msgused = 0; - c->iovused = 0; diff --git a/main/memcached/musl-includes.patch b/main/memcached/musl-includes.patch deleted file mode 100644 index 558931e..0000000 --- a/main/memcached/musl-includes.patch +++ /dev/null 
@@ -1,47 +0,0 @@ ---- memcached-1.4.15.orig/assoc.c -+++ memcached-1.4.15/assoc.c -@@ -14,8 +14,8 @@ - #include "memcached.h" - #include - #include --#include - #include -+#include - #include - #include - #include ---- memcached-1.4.15.orig/items.c -+++ memcached-1.4.15/items.c -@@ -2,13 +2,13 @@ - #include "memcached.h" - #include - #include --#include - #include - #include - #include - #include - #include - #include -+#include - #include - #include - #include ---- memcached-1.4.15.orig/slabs.c -+++ memcached-1.4.15/slabs.c -@@ -10,7 +10,6 @@ - #include "memcached.h" - #include - #include --#include - #include - #include - #include -@@ -18,6 +17,7 @@ - #include - #include - #include -+#include - #include - #include - -- 2.2.1 --------------909D5F4AE7C665CF1AFA95C0-- --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
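Review bot: deleting `CVE-2011-4971.patch` removes the `c->binary_header.request.bodylen > INT_MAX` rejection that, per the patch's own description, guards the unsigned-to-signed conversion of `bodylen` in `process_bin_sasl_auth`, `process_bin_complete_sasl_auth`, `process_bin_update` and `process_bin_append_prepend`. The patch is written against memcached-1.4.15 and is dropped here on the assumption that 1.4.33 contains an equivalent check; please cite the upstream commit or release note that confirms this in the commit message, or keep the patch if it still applies, so that the absence of this check is auditable from the git history rather than implied by the version bump.

Review bot: `musl-includes.patch` replaced one header include with another in `assoc.c`, `items.c` and `slabs.c` (the header names do not survive in this rendering, but the one `-#include` / one `+#include` per file shape is visible). Dropping it is only safe if 1.4.33 no longer pulls in the header that musl lacks; since the commit message does not mention a test build, please note there that the package was built and the resulting `memcached` binary started on a musl 3.1 system, as that is the only evidence a reviewer has that the musl fix is no longer required.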