Bug 816318

Summary:	<dev-libs/hiredis-1.0.1: Integer overflow (CVE-2021-32765)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	normal	CC:	sam
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=821346
Whiteboard:	B2 [glsa+ cleanup]
Package list:		Runtime testing required:	---
Bug Depends on:	820170
Bug Blocks:	873076

Description Sam James archtester

2021-10-05 03:59:31 UTC

CVE-2021-32765 (https://wiki.sei.cmu.edu/confluence/display/c/MEM07-C.+Ensure+that+the+arguments+to+calloc%28%29%2C+when+multiplied%2C+do+not+wrap):

Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow. Users of hiredis who are unable to update may set the [maxelements](https://github.com/redis/hiredis#reader-max-array-elements) context option to a value small enough that no overflow is possible.

Comment 1 Larry the Git Cow gentoo-dev

2021-10-05 04:09:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24428f0153ac66a130c29e4c9a91b161f3da6278

commit 24428f0153ac66a130c29e4c9a91b161f3da6278
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-10-05 04:07:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-10-05 04:08:51 +0000

    dev-libs/hiredis: add 1.0.1
    
    Bug: https://bugs.gentoo.org/816318
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/hiredis/Manifest             |  1 +
 dev-libs/hiredis/hiredis-1.0.1.ebuild | 87 +++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2021-10-31 15:48:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0e1a56eed02c79bc1a261e3d13c9fe0c4a728e8

commit a0e1a56eed02c79bc1a261e3d13c9fe0c4a728e8
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2021-10-31 12:34:29 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2021-10-31 15:48:23 +0000

    dev-python/hiredis: Revision bump for CVE-2021-32765
    
    It includes a bundled copy of dev-libs/hiredis and is suffering the same
    security issue.
    
    URL: https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2
    Bug: https://bugs.gentoo.org/816318
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 .../files/hiredis-2.0.0-CVE-2021-32765.patch       | 36 ++++++++++++++++++++++
 dev-python/hiredis/hiredis-2.0.0-r2.ebuild         | 36 ++++++++++++++++++++++
 2 files changed, 72 insertions(+)

Comment 3 Sven Wegener gentoo-dev

2021-10-31 15:53:55 UTC

dev-db/redis also bundles a copy.

Comment 4 John Helmert III archtester

2022-10-22 02:01:29 UTC

GLSA request filed.

Comment 5 Larry the Git Cow gentoo-dev

2022-10-31 01:42:06 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=46c10a2105787fddef62e75588d0eed768cad8b5

commit 46c10a2105787fddef62e75588d0eed768cad8b5
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:29:20 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:17 +0000

    [ GLSA 202210-32 ] hiredis, hiredis-py: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/816318
    Bug: https://bugs.gentoo.org/873079
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-32.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)