Bug 565188 (CVE-2015-8080)

Summary: <dev-db/redis-3.0.7: Integer wraparound in lua_struct.c causing stack-based buffer overflow
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bugs, hydrapolic, lu_zero, proxy-maint, robbat2, ultrabug
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1278965
Whiteboard: B3 [glsa cve]
Package list:
=dev-db/redis-3.0.7
Runtime testing required: ---
Bug Depends on: 586968
Bug Blocks: 551274

Description Agostino Sarubbo gentoo-dev 2015-11-09 08:49:17 UTC
From ${URL} :

It was found that the getnum() function in lua_struct.c is vulnerable to an integer overflow that can be used to trigger a stack-based buffer overflow. getnum() can be tricked into an integer wraparound with a large size number as input, thus returning a negative value.
Affected versions of redis are 2.8 and 3.0.

Vulnerable code:

static int getnum (const char **fmt, int df) {
  if (!isdigit(**fmt))  /* no number? */
    return df;  /* return default value */
  else {
    int a = 0;
    do {
      a = a*10 + *((*fmt)++) - '0';  /* no bound check: wraps on a long digit string */
    } while (isdigit(**fmt));
    return a;  /* may be negative after wraparound */
  }
}

static size_t optsize (lua_State *L, char opt, const char **fmt) {
  switch (opt) {
[...]
    case 'c': return getnum(fmt, 1);
    case 'i': case 'I': {
      int sz = getnum(fmt, sizeof(int));
      if (sz > MAXINTSIZE)  /* a negative sz passes this check */
        luaL_error(L, "integral size %d is larger than limit of %d",
                       sz, MAXINTSIZE);
      return sz;  /* negative int converted to size_t: a huge size */
    }
    default: return 0;  /* other cases do not need alignment */
  }
}

Upstream bug report (including reproducer):

https://github.com/antirez/redis/issues/2855

CVE assignment:

http://seclists.org/oss-sec/2015/q4/231


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
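As an added illustration (not code from the bug report, the Red Hat ticket, or the Redis source), the following C program models the wraparound in getnum() and the 'i'/'I' branch of optsize() beside one overflow check that rejects the input at parse time. The names getnum_vuln, getnum_checked and optsize_i, the MAXINTSIZE value of 32, and the use of unsigned accumulation to make the wraparound well-defined for the demo are assumptions of this example; the real code raises luaL_error() instead of returning an error code.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this demo: the MAXINTSIZE limit used by the 'i'/'I'
 * branch of optsize() in lua_struct.c. */
#define MAXINTSIZE 32

/* getnum_vuln: the getnum() from the report, without an overflow check.
 * Signed overflow is undefined behaviour in C, so this demo accumulates
 * in unsigned and converts back; on two's-complement targets that
 * reproduces the wraparound the report describes (a large digit string
 * comes back as a negative int). */
static int getnum_vuln(const char **fmt, int df) {
  if (!isdigit((unsigned char)**fmt))   /* no number? */
    return df;                          /* return default value */
  unsigned int a = 0;
  do {
    a = a * 10u + (unsigned int)(*((*fmt)++) - '0');
  } while (isdigit((unsigned char)**fmt));
  return (int)a;                        /* "4294967295" comes back as -1 */
}

/* getnum_checked: the same parser with a bound applied before each
 * multiply-add. Returns 0 and stores the value in *out on success,
 * -1 when the next digit would push the accumulator past INT_MAX
 * (where lua_struct.c would call luaL_error()). */
static int getnum_checked(const char **fmt, int df, int *out) {
  if (!isdigit((unsigned char)**fmt)) {
    *out = df;
    return 0;
  }
  int a = 0;
  do {
    int d = **fmt - '0';
    if (a > INT_MAX / 10 || a * 10 > INT_MAX - d)
      return -1;                        /* would overflow: reject */
    a = a * 10 + d;
    (*fmt)++;
  } while (isdigit((unsigned char)**fmt));
  *out = a;
  return 0;
}

/* optsize_i: models the 'i'/'I' branch of optsize(). The only check in
 * the original is `sz > MAXINTSIZE`, which a negative sz passes; the int
 * is then returned as size_t, so -1 becomes SIZE_MAX, a length the caller
 * goes on to use against a MAXINTSIZE-byte stack buffer. Returns 0 where
 * lua_struct.c would raise luaL_error(). */
static size_t optsize_i(const char **fmt, int hardened) {
  int sz;
  if (hardened) {
    if (getnum_checked(fmt, (int)sizeof(int), &sz) != 0)
      return 0;                         /* overflow rejected at parse time */
  } else {
    sz = getnum_vuln(fmt, (int)sizeof(int));
  }
  if (sz > MAXINTSIZE)
    return 0;                           /* "integral size %d is larger than limit" */
  return (size_t)sz;                    /* a negative sz survives as a huge size_t */
}

int main(void) {
  /* Constructed inputs: in-range sizes, one over the limit, and two
   * digit strings long enough to wrap a 32-bit int. */
  const char *cases[] = { "4", "32", "33", "4294967295", "2147483648" };
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    const char *p1 = cases[i], *p2 = cases[i];
    size_t vuln = optsize_i(&p1, 0), safe = optsize_i(&p2, 1);
    printf("%-12s vulnerable=%zu hardened=%zu\n", cases[i], vuln, safe);
  }
  return 0;
}
```

The check in getnum_checked is evaluated before the multiply-add, so the accumulator itself never overflows; a check placed after `a = a*10 + d` would already be relying on undefined behaviour to detect the wrap.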
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-10-01 18:45:04 UTC
@ Maintainers: As of today, the latest 2.8.x version in tree (2.8.23) is still vulnerable. Please bump to 2.8.24 or drop the 2.8.x.

For 3.0.x branch, this was fixed with v3.0.6 (https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-db/redis?id=7ffd92f12385548bb62e749cf7d79a7e7f68f32f).

Please call for stabilization (probably =dev-db/redis-3.0.7) after deciding how to proceed with the v2.8.x branch.
Comment 2 Ultrabug gentoo-dev 2016-11-19 11:25:38 UTC
I'd like to drop 2.8.x tbh

Robin, would you agree?
Comment 3 Ultrabug gentoo-dev 2016-11-19 11:43:09 UTC
@arches please stabilize:
=dev-db/redis-3.0.7
Comment 4 Ultrabug gentoo-dev 2016-11-19 11:43:27 UTC
*** Bug 586968 has been marked as a duplicate of this bug. ***
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-20 13:05:38 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-11-20 13:09:08 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2016-11-29 17:33:45 UTC
arm stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 12:09:58 UTC
Stable for HPPA PPC64.
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 02:02:16 UTC
No ACE/RCE, downgraded to B3.

GLSA Vote: No

@ Maintainer(s): Please clean up and drop <dev-db/redis-3.0.7!
Comment 10 Ultrabug gentoo-dev 2017-02-10 13:09:20 UTC
Cleanup done
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-10 22:33:40 UTC
Because we have to create a GLSA for another vulnerability in redis we will add this vulnerability to the same request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-02-20 23:35:18 UTC
This issue was resolved and addressed in
 GLSA 201702-16 at https://security.gentoo.org/glsa/201702-16
by GLSA coordinator Thomas Deutschmann (whissi).