Bug 614182 - <dev-db/redis-3.2.7: possible data corruption and server crash
Summary: <dev-db/redis-3.2.7: possible data corruption and server crash
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: C4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-29 06:09 UTC by Tomáš Mózes
Modified: 2018-04-22 21:40 UTC

See Also:
Package list:
dev-db/redis-3.2.8-r2
Runtime testing required: ---
stable-bot: sanity-check+
Description Tomáš Mózes 2017-03-29 06:09:29 UTC
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES

   A ziplist bug that could cause data corruption, could crash the server and
   MAY ALSO HAVE SECURITY IMPLICATIONS was fixed. The bug looks complex to
   exploit, but attacks always get worse, never better (cit). The bug is very
   very hard to catch in practice, it required manual analysis of the ziplist
   code in order to be found. However it is also possible that rarely it
   happened in the wild. Upgrading is required if you use LINSERT and other
   in-the-middle list manipulation commands.

Also, it seems like we should block jemalloc 4.4.0 (from the 3.2.8 changelog):
   Apparently Jemalloc 4.4.0 may contain a deadlock under particular
   conditions. See https://github.com/antirez/redis/issues/3799.
   We reverted back to the previously used Jemalloc versions and plan
   to upgrade Jemalloc again after having more info about the
   cause of the bug.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-03-29 06:31:29 UTC
Maintainers, this vulnerability is in Redis 3.2.7, which is not in the tree. Please evaluate if it affects previous versions in the tree.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 11:44:36 UTC
@ Maintainer(s): Please advise if you are ready for stabilization or call for
stabilization yourself.

If nothing in a week we will call =dev-db/redis-3.2.8-r2 for stabilization on June 11th.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-17 14:20:53 UTC
@ Arches,

please test and mark stable: =dev-db/redis-3.2.8-r2
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-17 17:25:59 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-18 14:02:00 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-21 11:58:14 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:17:48 UTC
ppc64 stable
Comment 8 Markus Meier gentoo-dev 2017-06-23 04:37:36 UTC
arm stable
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 15:07:10 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 10 Mart Raudsepp gentoo-dev 2018-03-04 11:27:29 UTC
newer revision arm64 stable from bug 631002 (despite test failure)
Comment 11 Matt Turner gentoo-dev 2018-04-22 21:23:14 UTC
hppa stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-04-22 21:40:37 UTC
GLSA Vote: No

Cleanup will happen in 631002