
Bug 877863 (CVE-2022-3647)

Summary: <dev-db/redis-{6.2.7-r2,7.0.5-r1}: crash on crash report
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: arkamar, proxy-maint, sam
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3
See Also: https://github.com/gentoo/gentoo/pull/27893
https://github.com/gentoo/gentoo/pull/28388
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 881065    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 20:52:28 UTC
CVE-2022-3647:

A vulnerability, which was classified as problematic, was found in Redis. Affected is the function sigsegvHandler of the file debug.c of the component Crash Report. The manipulation leads to denial of service. The name of the patch is 0bf90d944313919eb8e63d3588bf63a367f020a3. It is recommended to apply a patch to fix this issue. VDB-211962 is the identifier assigned to this vulnerability.

Patch at URL.
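As an added example (not Gentoo's or Redis's own code), the following Python script decides whether an installed dev-db/redis version falls inside the vulnerable range given in the summary, <dev-db/redis-{6.2.7-r2,7.0.5-r1}. It assumes the usual reading of a braced summary of this kind, namely that 6.2.7-r2 and 7.0.5-r1 are the first fixed ebuild revisions of the 6.2 and 7.0 branches respectively, and that any older branch (5.x, 6.0.x) is below both; only plain X.Y.Z[-rN] version strings are handled, the CPV input is a constructed sample, and the function names are the example's own.

```python
"""Check an installed dev-db/redis version against the range in
Gentoo bug 877863: <dev-db/redis-{6.2.7-r2,7.0.5-r1}.

Added example, not Gentoo or Redis project code. Assumption: each
version in the braces is the first fixed ebuild of its branch. Only the
simple "X.Y.Z[-rN]" version shape used by these ebuilds is parsed.
"""

import re
from typing import Tuple

# First fixed ebuild per branch, taken from the bug summary (assumed
# per-branch reading of the braced list).
FIXED = {"6.2": "6.2.7-r2", "7.0": "7.0.5-r1"}

PACKAGE_PREFIX = "dev-db/redis-"

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Split 'X.Y.Z-rN' into a comparable (numbers, revision) pair.

    A missing -rN is revision 0, so '7.0.5' sorts below '7.0.5-r1', as
    Portage does for ebuild revisions.
    """
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return nums, rev


def version_lt(a: str, b: str) -> bool:
    """True if ebuild version a is strictly older than b."""
    return parse_version(a) < parse_version(b)


def version_from_cpv(cpv: str) -> str:
    """Strip the category/package prefix from a CPV string such as
    'dev-db/redis-7.0.5-r1' (the form `qlist -Iv dev-db/redis` prints)."""
    if not cpv.startswith(PACKAGE_PREFIX):
        raise ValueError(f"not a dev-db/redis CPV: {cpv!r}")
    return cpv[len(PACKAGE_PREFIX):]


def branch_of(ver: str) -> str:
    """'7.0.5-r1' -> '7.0': the major.minor branch the ebuild belongs to."""
    nums, _ = parse_version(ver)
    return f"{nums[0]}.{nums[1]}"


def is_affected(installed: str) -> bool:
    """True if the installed version is older than the first fixed
    ebuild of its branch.

    Branches not listed in FIXED are compared against the oldest fixed
    version: 6.0.x is therefore affected, while a hypothetical branch
    newer than 7.0 is not.
    """
    fixed = FIXED.get(branch_of(installed))
    if fixed is None:
        oldest_fixed = min(FIXED.values(), key=parse_version)
        return version_lt(installed, oldest_fixed)
    return version_lt(installed, fixed)


def check_cpv(cpv: str) -> str:
    """Human-readable verdict for one installed CPV string."""
    ver = version_from_cpv(cpv)
    state = "AFFECTED" if is_affected(ver) else "fixed"
    return f"{cpv}: {state}"


if __name__ == "__main__":
    # Constructed sample input standing in for `qlist -Iv dev-db/redis`
    # output on a few hypothetical hosts; not real inventory data.
    SAMPLE_CPVS = [
        "dev-db/redis-6.2.7-r1",   # vulnerable 6.2 revision
        "dev-db/redis-6.2.7-r2",   # first fixed 6.2 revision
        "dev-db/redis-7.0.5",      # vulnerable 7.0 revision
        "dev-db/redis-7.0.5-r1",   # first fixed 7.0 revision
        "dev-db/redis-6.0.16",     # older branch, below both fixes
    ]
    for cpv in SAMPLE_CPVS:
        print(check_cpv(cpv))
```

Run it on a host with `qlist -Iv dev-db/redis | xargs -n1 python3 check_redis.py`-style piping, or just feed the CPV strings into check_cpv(); the point of the revision handling is that 7.0.5 and 7.0.5-r1 are different ebuilds and only the latter carries the backported patch.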
Comment 1 Larry the Git Cow gentoo-dev 2022-11-11 15:10:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85442e23f002bbdbfe137a7fc15314eb6b048982

commit 85442e23f002bbdbfe137a7fc15314eb6b048982
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-10-22 09:52:31 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-11 15:10:06 +0000

    dev-db/redis: backport recommended patch for CVE-2022-3647 to 6.2.7
    
    The original patch does not apply cleanly, it was necessary to backport it.
    
    Upstream-commit: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3
    Bug: https://bugs.gentoo.org/877863
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/27893
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-db/redis/files/redis-6.2.7-cve-2022-3647.patch | 173 ++++++++++++++++++
 dev-db/redis/redis-6.2.7-r2.ebuild                 | 198 +++++++++++++++++++++
 2 files changed, 371 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=355ad01f1b82d113b950ea3e483a7c2bc54bed6d

commit 355ad01f1b82d113b950ea3e483a7c2bc54bed6d
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-10-22 09:43:38 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-11 15:10:06 +0000

    dev-db/redis: apply recommended patch for CVE-2022-3647 to 7.0.5
    
    The patch is taken from upstream as is.
    
    Upstream-commit: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3
    Bug: https://bugs.gentoo.org/877863
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch | 173 +++++++++++++++++++
 dev-db/redis/redis-7.0.5-r1.ebuild                 | 191 +++++++++++++++++++++
 2 files changed, 364 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-12 01:58:21 UTC
Thanks! Please stabilize when ready.
Comment 3 Petr Vaněk gentoo-dev 2022-11-22 19:01:51 UTC
I think GLSA is not necessary in this case.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-23 00:22:05 UTC
Great, thanks!
Comment 5 Larry the Git Cow gentoo-dev 2022-11-23 00:24:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bef961bfd119bf2f945108589261844d69260d80

commit bef961bfd119bf2f945108589261844d69260d80
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-11-22 18:57:12 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-23 00:23:44 +0000

    dev-db/redis: drop 6.2.7-r1, 7.0.5
    
    Bug: https://bugs.gentoo.org/877863
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/28388
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-db/redis/redis-6.2.7-r1.ebuild | 195 -------------------------------------
 dev-db/redis/redis-7.0.5.ebuild    | 188 -----------------------------------
 2 files changed, 383 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-23 00:24:39 UTC
All done, thanks!