Bug 793719 (CVE-2021-32625) - <dev-db/redis-{6.0.14, 6.2.4}: Buffer overflow in STRALGO LCS command (CVE-2021-32625)
Status: RESOLVED FIXED
Alias: CVE-2021-32625
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [stable]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2021-06-01 14:11 UTC by Sam James
Modified: 2021-06-07 07:13 UTC

See Also:
Package list:
dev-db/redis-6.0.14
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-01 14:11:14 UTC
Upgrade urgency: SECURITY, Contains fixes to security issues that affect
authenticated client connections. MODERATE otherwise.

Fix integer overflow in STRALGO LCS (CVE-2021-32625)
An integer overflow bug in Redis version 6.0 or newer can be exploited using the
STRALGO LCS command to corrupt the heap and potentially result in remote code
execution. This is a result of an incomplete fix for CVE-2021-29477.
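
Added example, not part of the bug report and not Redis code: the class of defect described above, an integer overflow in a size calculation that leaves a heap buffer smaller than the loop writing to it expects, and the overflow-checked sizing that prevents it. It assumes the textbook LCS layout of an (alen+1) x (blen+1) table of 32-bit cells; that layout and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Bytes needed for an (alen+1) x (blen+1) table of uint32_t cells.
 * Returns 0 and sets *out, or -1 if any step would wrap around size_t. */
int lcs_table_bytes(size_t alen, size_t blen, size_t *out) {
    if (alen == SIZE_MAX || blen == SIZE_MAX) return -1;  /* +1 would wrap */
    size_t rows = alen + 1, cols = blen + 1;
    if (rows > SIZE_MAX / cols) return -1;                /* rows * cols wraps */
    size_t cells = rows * cols;
    if (cells > SIZE_MAX / sizeof(uint32_t)) return -1;   /* cells * 4 wraps */
    *out = cells * sizeof(uint32_t);
    return 0;
}

/* Same formula in unchecked 32-bit arithmetic, kept only to show the wrapped
 * result; it is never used to allocate. Generic illustration, not Redis code. */
uint32_t lcs_table_bytes_wrapped32(uint32_t alen, uint32_t blen) {
    return (alen + 1u) * (blen + 1u) * (uint32_t)sizeof(uint32_t);
}

/* LCS length with checked sizing; -1 if the table cannot be sized or allocated. */
long lcs_length(const char *a, size_t alen, const char *b, size_t blen) {
    size_t bytes;
    if (lcs_table_bytes(alen, blen, &bytes) != 0) return -1;
    uint32_t *t = calloc(1, bytes);        /* zeroed: row 0 and column 0 stay 0 */
    if (t == NULL) return -1;
    size_t cols = blen + 1;
    for (size_t i = 1; i <= alen; i++) {
        for (size_t j = 1; j <= blen; j++) {
            uint32_t up = t[(i - 1) * cols + j], left = t[i * cols + (j - 1)];
            if (a[i - 1] == b[j - 1])
                t[i * cols + j] = t[(i - 1) * cols + (j - 1)] + 1;
            else
                t[i * cols + j] = up > left ? up : left;
        }
    }
    long len = (long)t[alen * cols + blen];
    free(t);
    return len;
}
```

The checked helper rejects the request before any allocation happens, so the fill loop never runs against a table whose computed size wrapped to a small value.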
Comment 1 Larry the Git Cow gentoo-dev 2021-06-01 15:18:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a300cf170fb7ffa7dce510fedfea2e22e93cdca8

commit a300cf170fb7ffa7dce510fedfea2e22e93cdca8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-01 14:35:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-01 15:18:37 +0000

    dev-db/redis: add 6.2.4
    
    Bug: https://bugs.gentoo.org/793719
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest           |   1 +
 dev-db/redis/redis-6.2.4.ebuild | 187 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5783e19f210558382f8fdb2825d2c49ebcd726d

commit b5783e19f210558382f8fdb2825d2c49ebcd726d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-01 14:22:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-01 15:18:36 +0000

    dev-db/redis: add 6.0.14
    
    Bug: https://bugs.gentoo.org/793719
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-6.0.14.ebuild | 187 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+)
Comment 2 Rolf Eike Beer archtester 2021-06-02 14:41:01 UTC
sparc stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 19:01:18 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 19:01:27 UTC
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 22:41:19 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-03 08:22:43 UTC
ppc64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-06 22:10:02 UTC
arm64 done
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2021-06-07 07:13:20 UTC
ppc stable