
Bug 816318

Summary: <dev-libs/hiredis-1.0.1: Integer overflow (CVE-2021-32765)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: B2 [glsa+ cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 820170    
Bug Blocks: 873076    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-05 03:59:31 UTC
CVE-2021-32765

Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnerable to integer overflow if provided maliciously crafted or corrupted `RESP` `multi-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it cannot, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow. Users of hiredis who are unable to update may set the `maxelements` context option to a value small enough that no overflow is possible.
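The unchecked multiplication described above, beside the check a fixed parser needs to make, as an added C example that is not hiredis's own code. `redisReply`, `parse_multibulk_header`, `unchecked_alloc_size` and `checked_alloc` are simplified stand-ins constructed for this illustration, and `maxelements` is passed as a plain parameter rather than read from the hiredis context.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for hiredis's redisReply (constructed for this example);
 * only the element array, sized from the multi-bulk count, matters here. */
typedef struct redisReply {
    size_t elements;
    struct redisReply **element;
} redisReply;

/* Parse a RESP multi-bulk header of the form "*<count>\r\n" (constructed
 * helper, not hiredis's reader). Returns 1 and sets *count on success;
 * negative, malformed or out-of-range counts are rejected. */
int parse_multibulk_header(const char *buf, size_t *count) {
    char *end;
    if (buf[0] != '*' || buf[1] < '0' || buf[1] > '9') return 0;
    errno = 0;
    unsigned long long v = strtoull(buf + 1, &end, 10);
    if (errno == ERANGE || strncmp(end, "\r\n", 2) != 0 || v > SIZE_MAX)
        return 0;
    *count = (size_t)v;
    return 1;
}

/* Pre-1.0.1 behaviour from the description: count * sizeof(redisReply *) is
 * computed with no range check, so a huge count silently wraps to a tiny
 * size. Returns the byte count that would be handed to calloc(). */
size_t unchecked_alloc_size(size_t count) {
    return count * sizeof(redisReply *);
}

/* Hardened form: refuse any count whose byte size cannot be represented in
 * SIZE_MAX, and enforce a maxelements cap (0 = unlimited) in the spirit of
 * the workaround above. Returns 1 and fills *out on success, 0 on refusal. */
int checked_alloc(size_t count, size_t maxelements, redisReply ***out) {
    *out = NULL;
    if (maxelements != 0 && count > maxelements) return 0;  /* over the cap */
    if (count > SIZE_MAX / sizeof(redisReply *)) return 0;  /* would wrap */
    *out = calloc(count, sizeof(redisReply *));
    return *out != NULL;
}
```

Feeding `SIZE_MAX / sizeof(redisReply *) + 2` to the unchecked path yields a wrapped size of exactly one pointer, which is the short allocation the description warns about; the checked path refuses the same count.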
Comment 1 Larry the Git Cow gentoo-dev 2021-10-05 04:09:00 UTC
The bug has been referenced in the following commit(s):

commit 24428f0153ac66a130c29e4c9a91b161f3da6278
Author:     Sam James <>
AuthorDate: 2021-10-05 04:07:00 +0000
Commit:     Sam James <>
CommitDate: 2021-10-05 04:08:51 +0000

    dev-libs/hiredis: add 1.0.1
    Signed-off-by: Sam James <>

 dev-libs/hiredis/Manifest             |  1 +
 dev-libs/hiredis/hiredis-1.0.1.ebuild | 87 +++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2021-10-31 15:48:35 UTC
The bug has been referenced in the following commit(s):

commit a0e1a56eed02c79bc1a261e3d13c9fe0c4a728e8
Author:     Sven Wegener <>
AuthorDate: 2021-10-31 12:34:29 +0000
Commit:     Sven Wegener <>
CommitDate: 2021-10-31 15:48:23 +0000

    dev-python/hiredis: Revision bump for CVE-2021-32765
    It includes a bundled copy of dev-libs/hiredis and is suffering the same
    security issue.
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Sven Wegener <>

 .../files/hiredis-2.0.0-CVE-2021-32765.patch       | 36 ++++++++++++++++++++++
 dev-python/hiredis/hiredis-2.0.0-r2.ebuild         | 36 ++++++++++++++++++++++
 2 files changed, 72 insertions(+)
Comment 3 Sven Wegener gentoo-dev 2021-10-31 15:53:55 UTC
dev-db/redis also bundles a copy.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 02:01:29 UTC
GLSA request filed.
Comment 5 Larry the Git Cow gentoo-dev 2022-10-31 01:42:06 UTC
The bug has been referenced in the following commit(s):

commit 46c10a2105787fddef62e75588d0eed768cad8b5
Author:     GLSAMaker <>
AuthorDate: 2022-10-31 01:29:20 +0000
Commit:     John Helmert III <>
CommitDate: 2022-10-31 01:40:17 +0000

    [ GLSA 202210-32 ] hiredis, hiredis-py: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: John Helmert III <>

 glsa-202210-32.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)