Bug 841404 (CVE-2022-24735, CVE-2022-24736)

Summary: <dev-db/redis-6.2.7: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: arkamar, proxy-maint, sam
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/redis/redis/pull/10651
          https://github.com/gentoo/gentoo/pull/26324
          https://github.com/gentoo/gentoo/pull/27408
          https://github.com/gentoo/gentoo/pull/27470
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 841407, 841422, 857747
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-28 01:51:24 UTC
From 6.2.6 release notes:
"""
Security Fixes:
* (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
  can cause a NULL pointer dereference which will result in a crash of the
  redis-server process. This issue affects all versions of Redis.
  [reported by Aviv Yahav].
* (CVE-2022-24735) By exploiting weaknesses in the Lua script execution
  environment, an attacker with access to Redis can inject Lua code that will
  execute with the (potentially higher) privileges of another Redis user.
  [reported by Aviv Yahav].
"""
Comment 1 Larry the Git Cow gentoo-dev 2022-04-28 02:18:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb357ae44b7e9fbff0d9d9df54370c6796d706cb

commit bb357ae44b7e9fbff0d9d9df54370c6796d706cb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-28 02:17:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-28 02:17:59 +0000

    dev-db/redis: drop 5.0.14, 6.0.16
    
    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                           |   2 -
 dev-db/redis/files/redis-3.2.3-config.patch     |  40 -----
 dev-db/redis/files/redis-5.0-sharedlua.patch    |  60 --------
 dev-db/redis/files/redis-5.0.8-ppc-atomic.patch |  19 ---
 dev-db/redis/files/redis-6.0.12-sharedlua.patch |  60 --------
 dev-db/redis/redis-5.0.14.ebuild                | 164 --------------------
 dev-db/redis/redis-6.0.16.ebuild                | 189 ------------------------
 7 files changed, 534 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8db611a4cadc177118641ff3146f1ea46f12808

commit e8db611a4cadc177118641ff3146f1ea46f12808
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-28 02:14:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-28 02:17:58 +0000

    dev-db/redis: add 6.2.7
    
    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest           |   1 +
 dev-db/redis/redis-6.2.7.ebuild | 190 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 191 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-28 02:18:38 UTC
sorry, 6.2.7 release notes.
Comment 3 Larry the Git Cow gentoo-dev 2022-04-28 02:38:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=850894a9e88d1b711cfd3036878848f5e59690b5

commit 850894a9e88d1b711cfd3036878848f5e59690b5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-28 02:37:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-28 02:37:30 +0000

    Revert "dev-db/redis: drop 5.0.14, 6.0.16"
    
    This reverts commit bb357ae44b7e9fbff0d9d9df54370c6796d706cb.
    
    dev-ruby/redis still needs 5*
    
    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                           |   2 +
 dev-db/redis/files/redis-3.2.3-config.patch     |  40 +++++
 dev-db/redis/files/redis-5.0-sharedlua.patch    |  60 ++++++++
 dev-db/redis/files/redis-5.0.8-ppc-atomic.patch |  19 +++
 dev-db/redis/files/redis-6.0.12-sharedlua.patch |  60 ++++++++
 dev-db/redis/redis-5.0.14.ebuild                | 164 ++++++++++++++++++++
 dev-db/redis/redis-6.0.16.ebuild                | 189 ++++++++++++++++++++++++
 7 files changed, 534 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-07-10 12:53:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03485050cb1becab6da142ab138b15d3fd118ccd

commit 03485050cb1becab6da142ab138b15d3fd118ccd
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-07-10 09:58:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-10 12:53:32 +0000

    dev-db/redis: drop 5.0.14, EOL
    
    The 5.0 line is not supported by upstream anymore and it suffers from known
    vulnerabilities.
    
    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                        |   1 -
 dev-db/redis/files/redis-5.0-sharedlua.patch |  60 ----------
 dev-db/redis/files/redis-sentinel.confd      |  16 ---
 dev-db/redis/files/redis-sentinel.initd      |  22 ----
 dev-db/redis/files/redis.confd-r1            |  20 ----
 dev-db/redis/files/redis.initd-5             |  25 ----
 dev-db/redis/files/redis.service-3           |  14 ---
 dev-db/redis/files/redis.tmpfiles            |   2 -
 dev-db/redis/redis-5.0.14.ebuild             | 170 ---------------------------
 9 files changed, 330 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-09-25 01:21:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bde898c8b53f0c35e30431177dd0036f7f19949f

commit bde898c8b53f0c35e30431177dd0036f7f19949f
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-09-23 10:45:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-25 01:20:27 +0000

    dev-db/redis: drop 6.2.6
    
    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/27408
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                          |   1 -
 dev-db/redis/files/redis-6.2.1-sharedlua.patch |  60 --------
 dev-db/redis/redis-6.2.6.ebuild                | 194 -------------------------
 3 files changed, 255 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2022-09-26 14:58:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f1f88154c6ed0311dacb5433296d5b424e8af78

commit 8f1f88154c6ed0311dacb5433296d5b424e8af78
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-09-25 06:06:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-26 14:58:16 +0000

    dev-db/redis: drop 6.0.16
    
    The 6.0 line did not receive any fix in the last 12 months, 6.0.16
    potentially suffers from security issues and 6.2.7 should be a
    sufficient replacement for those needing <dev-db/redis-7.
    
    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/27470
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                             |   1 -
 dev-db/redis/files/redis-3.2.3-config.patch       |  40 -----
 dev-db/redis/files/redis-5.0-luajit-2.1-fix.patch |  47 -----
 dev-db/redis/files/redis-5.0.8-ppc-atomic.patch   |  19 --
 dev-db/redis/files/redis-6.0.12-sharedlua.patch   |  60 -------
 dev-db/redis/redis-6.0.16.ebuild                  | 200 ----------------------
 6 files changed, 367 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 18:06:00 UTC
GLSA request filed
Comment 8 Larry the Git Cow gentoo-dev 2022-09-29 14:48:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3b83b8330073185fb5605b449ed900293d014aeb

commit 3b83b8330073185fb5605b449ed900293d014aeb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:21:49 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:47:59 +0000

    [ GLSA 202209-17 ] Redis: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803302
    Bug: https://bugs.gentoo.org/816282
    Bug: https://bugs.gentoo.org/841404
    Bug: https://bugs.gentoo.org/856040
    Bug: https://bugs.gentoo.org/859181
    Bug: https://bugs.gentoo.org/872278
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-17.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 14:50:13 UTC
GLSA released, all done!