803302 – (CVE-2021-32761) <dev-db/redis-{5.0.13, 6.0.15, 6.2.5}: integer interflow on 32 bit builds (CVE-2021-32761)

Bug 803302 (CVE-2021-32761) - <dev-db/redis-{5.0.13, 6.0.15, 6.2.5}: integer interflow on 32 bit builds (CVE-2021-32761)

Summary: <dev-db/redis-{5.0.13, 6.0.15, 6.2.5}: integer interflow on 32 bit builds (CV...

Status:	RESOLVED FIXED

Alias:	CVE-2021-32761

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://github.com/redis/redis/securi...
Whiteboard:	B1 [glsa+]
Keywords:

Depends on:
Blocks:

Reported:	2021-07-22 01:41 UTC by John Helmert III
Modified:	2022-09-29 14:50 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	dev-db/redis-5.0.13 amd64 arm arm64 ppc ppc64 x86 dev-db/redis-6.0.15 dev-db/redis-6.2.5
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-07-22 01:41:46 UTC

CVE-2021-32761:

Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` command are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted commands bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.`3m 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

Comment 1 Larry the Git Cow gentoo-dev

2021-07-22 03:23:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0f98815a09bb06475b449dd39f22f7b1db5b95b

commit e0f98815a09bb06475b449dd39f22f7b1db5b95b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-07-22 03:16:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-07-22 03:20:30 +0000

    dev-db/redis: add 6.2.5
    
    Bug: https://bugs.gentoo.org/803302
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest           |   1 +
 dev-db/redis/redis-6.2.5.ebuild | 187 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f266cf68fb019637e64c1ad59d5d9104d13ab4e

commit 3f266cf68fb019637e64c1ad59d5d9104d13ab4e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-07-22 03:16:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-07-22 03:20:29 +0000

    dev-db/redis: add 6.0.15
    
    Bug: https://bugs.gentoo.org/803302
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-6.0.15.ebuild | 187 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e952405376b422bad1507756c5bfa74f14d81fed

commit e952405376b422bad1507756c5bfa74f14d81fed
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-07-22 03:16:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-07-22 03:20:28 +0000

    dev-db/redis: add 5.0.13
    
    Bug: https://bugs.gentoo.org/803302
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-5.0.13.ebuild | 160 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 161 insertions(+)

Comment 2 Agostino Sarubbo gentoo-dev

2021-07-23 07:18:45 UTC

sparc stable

Comment 3 Agostino Sarubbo gentoo-dev

2021-07-23 07:19:33 UTC

x86 stable

Comment 4 Sam James archtester

2021-07-26 00:52:59 UTC

amd64 done

Comment 5 Sam James archtester

2021-07-26 00:53:20 UTC

arm done

Comment 6 Sam James archtester

2021-07-26 00:54:00 UTC

ppc done

Comment 7 Sam James archtester

2021-07-26 00:54:08 UTC

ppc64 done

Comment 8 Sam James archtester

2021-07-26 00:54:42 UTC

arm64 done

all arches done

Comment 9 Larry the Git Cow gentoo-dev

2021-08-09 16:31:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1eaf833dcc599b9408fe734b48a8a6de56289de4

commit 1eaf833dcc599b9408fe734b48a8a6de56289de4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-08-09 16:29:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-08-09 16:30:56 +0000

    dev-db/redis: drop 5.0.12, 6.0.14, 6.2.4
    
    Bug: https://bugs.gentoo.org/803302
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   3 -
 dev-db/redis/redis-5.0.12.ebuild | 164 ---------------------------------
 dev-db/redis/redis-6.0.14.ebuild | 189 ---------------------------------------
 dev-db/redis/redis-6.2.4.ebuild  | 189 ---------------------------------------
 4 files changed, 545 deletions(-)

Comment 10 NATTkA bot gentoo-dev

2022-01-01 09:40:42 UTC

Unable to check for sanity:

> no match for package: dev-db/redis-5.0.13

Comment 11 Petr Vaněk gentoo-dev

2022-09-26 07:43:14 UTC

Any of affected versions is no longer in the tree for more than 1 year. Isn't it time to progress with this ticket somehow?

Comment 12 John Helmert III archtester

2022-09-26 17:59:03 UTC

(In reply to Petr Vaněk from comment #11)
> Any of affected versions is no longer in the tree for more than 1 year.
> Isn't it time to progress with this ticket somehow?

We'd like to GLSA it, but other bugs (eg bug 872278) aren't able to be cleaned up for thanks to dev-ruby/redis:

dev-ruby/redis/redis-4.7.1.ebuild:DEPEND="test? ( <dev-db/redis-7 )"

I only learned about this this morning and I'll file a bug soon. I guess we might as well GLSA them anyway and just wait for cleanup.

Comment 13 John Helmert III archtester

2022-09-26 18:07:49 UTC

(In reply to John Helmert III from comment #12)
> (In reply to Petr Vaněk from comment #11)
> > Any of affected versions is no longer in the tree for more than 1 year.
> > Isn't it time to progress with this ticket somehow?
> 
> We'd like to GLSA it, but other bugs (eg bug 872278) aren't able to be
> cleaned up for thanks to dev-ruby/redis:
> 
> dev-ruby/redis/redis-4.7.1.ebuild:DEPEND="test? ( <dev-db/redis-7 )"
> 
> I only learned about this this morning and I'll file a bug soon. I guess we
> might as well GLSA them anyway and just wait for cleanup.

Actually, sorry, looks like those issues only affect redis-7.

Comment 14 Larry the Git Cow gentoo-dev

2022-09-29 14:48:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3b83b8330073185fb5605b449ed900293d014aeb

commit 3b83b8330073185fb5605b449ed900293d014aeb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:21:49 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:47:59 +0000

    [ GLSA 202209-17 ] Redis: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803302
    Bug: https://bugs.gentoo.org/816282
    Bug: https://bugs.gentoo.org/841404
    Bug: https://bugs.gentoo.org/856040
    Bug: https://bugs.gentoo.org/859181
    Bug: https://bugs.gentoo.org/872278
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-17.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

Comment 15 John Helmert III archtester

2022-09-29 14:50:32 UTC

GLSA released, all done!