Bug 898464 (CVE-2022-36021, CVE-2023-25155)

Summary:	<dev-db/redis-{6.2.11,7.0.9}: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Petr Vaněk <arkamar>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	CONFIRMED ---
Severity:	normal	CC:	arkamar, proxy-maint, sam
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://github.com/gentoo/gentoo/pull/29860 https://github.com/gentoo/gentoo/pull/30278
Whiteboard:	B2 [glsa?]
Package list:		Runtime testing required:	---
Bug Depends on:	899692, 905692, 910235, 914574
Bug Blocks:

Description Petr Vaněk gentoo-dev

2023-02-28 16:51:37 UTC

(CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD
commands can trigger an integer overflow, resulting in a runtime assertion
and termination of the Redis server process.
(CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially
crafted pattern to trigger a denial-of-service attack on Redis, causing it to
hang and consume 100% CPU time.

Comment 1 Larry the Git Cow gentoo-dev

2023-03-04 07:18:50 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b047cf7cc49995aa8b810708882f24896080e1b0

commit b047cf7cc49995aa8b810708882f24896080e1b0
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-02-28 17:16:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-04 07:18:05 +0000

    dev-db/redis: add 7.0.9
    
    Bug: https://bugs.gentoo.org/898464
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/29860
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest           |   1 +
 dev-db/redis/redis-7.0.9.ebuild | 187 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9ba556eacf53179b6a32e482357927bbb0d214e

commit c9ba556eacf53179b6a32e482357927bbb0d214e
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-02-28 17:12:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-04 07:18:04 +0000

    dev-db/redis: add 6.2.11
    
    Bug: https://bugs.gentoo.org/898464
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-6.2.11.ebuild | 195 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 196 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2023-03-22 01:20:30 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19681fd5fa178dc41d2f61225a0958ea3b538224

commit 19681fd5fa178dc41d2f61225a0958ea3b538224
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-03-21 08:07:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-22 01:17:37 +0000

    dev-db/redis: drop 6.2.10, 7.0.8
    
    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/30278
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   2 -
 dev-db/redis/redis-6.2.10.ebuild | 195 ---------------------------------------
 dev-db/redis/redis-7.0.8.ebuild  | 187 -------------------------------------
 3 files changed, 384 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev

2024-01-09 14:24:40 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40f0aeee0d9ab31c81a869f258821733048f7423

commit 40f0aeee0d9ab31c81a869f258821733048f7423
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-09 14:12:04 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-09 14:23:54 +0000

    dev-db/redis: drop versions
    
    This commit drops most of vulnerable versions, however, security
    cleanups are still blocked because of 7.0.5 which is the last stable
    version for arm.
    
    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-db/redis/Manifest                              |   7 -
 dev-db/redis/files/redis-6.2.7-cve-2022-3647.patch | 173 ------------------
 dev-db/redis/redis-6.2.11.ebuild                   | 195 --------------------
 dev-db/redis/redis-6.2.13.ebuild                   | 195 --------------------
 dev-db/redis/redis-6.2.7-r2.ebuild                 | 198 --------------------
 dev-db/redis/redis-7.0.12.ebuild                   | 187 -------------------
 dev-db/redis/redis-7.0.13.ebuild                   | 187 -------------------
 dev-db/redis/redis-7.0.9.ebuild                    | 187 -------------------
 dev-db/redis/redis-7.2.2.ebuild                    | 200 ---------------------
 9 files changed, 1529 deletions(-)

Comment 4 Larry the Git Cow gentoo-dev

2024-01-10 10:18:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a7e6b8769400cbbd7e4f3161d8c7dfdd62af8af

commit 3a7e6b8769400cbbd7e4f3161d8c7dfdd62af8af
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-10 10:05:04 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-10 10:16:11 +0000

    dev-db/redis: destabilize 7.0.5-r1 for ~arm
    
    Dropping the stable keyword for arm architecture due to a lack of
    security stabilization for over a year.
    
    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915548#c6
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/918847
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-db/redis/redis-7.0.5-r1.ebuild        | 4 ++--
 profiles/arch/arm/package.use.stable.mask | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

Comment 5 Larry the Git Cow gentoo-dev

2024-01-10 12:28:21 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8942d96c5ff1a45db0922d9e5e4403b050494bf6

commit 8942d96c5ff1a45db0922d9e5e4403b050494bf6
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-10 12:25:59 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-10 12:27:32 +0000

    dev-db/redis: drop 7.0.5-r1
    
    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Bug: https://bugs.gentoo.org/904486
    Bug: https://bugs.gentoo.org/910191
    Bug: https://bugs.gentoo.org/913741
    Bug: https://bugs.gentoo.org/915989
    Bug: https://bugs.gentoo.org/921662
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 dev-db/redis/Manifest                              |   1 -
 .../files/redis-7.0.4-replica-tests-fix.patch      |  61 -------
 dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch | 173 -------------------
 dev-db/redis/redis-7.0.5-r1.ebuild                 | 191 ---------------------
 4 files changed, 426 deletions(-)