Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 633824 (CVE-2017-15047)

Summary: <dev-db/redis-5.0.9: Insufficient input validation in the clusterLoadConfig function
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: hydrapolic, robbat2, ultrabug
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1499152
See Also: https://bugs.gentoo.org/show_bug.cgi?id=724776
Whiteboard: C2 [glsa+ cve cleanup]
Package list:
dev-db/redis-5.0.9-r1
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 724776    

Description Agostino Sarubbo gentoo-dev 2017-10-09 09:07:53 UTC 
From ${URL} :

The clusterLoadConfig function in cluster.c in Redis allows local attackers to cause a denial of service (out-of-bounds array index and application crash) or possibly have unspecified other impact by 
leveraging "limited access to the machine."

Upstream issue:

https://github.com/antirez/redis/issues/4278


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 22:06:18 UTC 
@maintainer(s), please bump to 5.0.9.
Comment 3 Tomáš Mózes 2020-07-24 10:32:11 UTC 
(In reply to Sam James from comment #2)
> @maintainer(s), please bump to 5.0.9.

In tree
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 16:54:02 UTC 
Ready to stable?
Comment 5 NATTkA bot gentoo-dev 2020-07-26 16:25:55 UTC 
Unable to check for sanity:

> no match for package: dev-db/redis-5.0.9
Comment 6 Tomáš Mózes 2020-07-26 17:47:33 UTC 
Fine for me.
Comment 7 NATTkA bot gentoo-dev 2020-07-26 17:50:16 UTC 
All sanity-check issues have been resolved
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 02:45:54 UTC 
(In reply to Tomáš Mózes from comment #6)
> Fine for me.

OK.
Comment 9 Rolf Eike Beer archtester 2020-07-28 21:57:00 UTC 
hppa stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 04:10:03 UTC 
arm stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-01 14:54:55 UTC 
ppc/ppc64 stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-05 01:17:21 UTC 
arm64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-08-05 13:53:27 UTC 
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-08-05 14:17:23 UTC 
x86 stable.

Maintainer(s), please cleanup.
Comment 15 Larry the Git Cow gentoo-dev 2020-08-27 18:12:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d93fc026adfcd8e9e46fd290fca412431554d01e

commit d93fc026adfcd8e9e46fd290fca412431554d01e
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-08-27 18:11:40 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-08-27 18:11:40 +0000

    dev-db/redis: drop vulnerable 5.0.8
    
    Bug: https://bugs.gentoo.org/633824
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-db/redis/Manifest           |   1 -
 dev-db/redis/redis-5.0.8.ebuild | 160 ----------------------------------------
 2 files changed, 161 deletions(-)
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-08-27 23:57:23 UTC 
This issue was resolved and addressed in
 GLSA 202008-17 at https://security.gentoo.org/glsa/202008-17
by GLSA coordinator Sam James (sam_c).