Bug 898464 (CVE-2022-36021, CVE-2023-25155)

Summary: <dev-db/redis-{6.2.11,7.0.9}: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Petr Vaněk <arkamar>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
CC: arkamar, proxy-maint, sam
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/29860
          https://github.com/gentoo/gentoo/pull/30278
Whiteboard: B2 [stable]
Package list:
Runtime testing required: ---
Bug Depends on: 910235, 914574, 899692, 905692
Bug Blocks:

Description Petr Vaněk 2023-02-28 16:51:37 UTC
(CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD
commands can trigger an integer overflow, resulting in a runtime assertion
and termination of the Redis server process.
(CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially
crafted pattern can trigger a denial-of-service attack on Redis, causing it to
hang and consume 100% CPU time.
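The summary line of this bug, <dev-db/redis-{6.2.11,7.0.9}, is the whole affected range: every release below 6.2.11, plus 7.0.x releases below 7.0.9. The script below is an added example, not code from the bug report, from Redis or from Gentoo; it turns that range into a check a host can run against its own redis-server banner or the redis_version line of INFO server. The banner and INFO formats it parses are assumed from the shape of those outputs as shown in the comments, and the sample lines at the bottom are constructed, not captured from a real host.

```python
"""Version check for the range given in Gentoo bug 898464.

Added example, not code from the bug report or from Redis/Gentoo. It encodes
only the summary line "<dev-db/redis-{6.2.11,7.0.9}": any release below
6.2.11, and any 7.0.x release below 7.0.9, is treated as affected.
"""
import re
import subprocess

# Fixed releases named in the bug summary.
FIXED_6_2 = (6, 2, 11)
FIXED_7_0 = (7, 0, 9)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return the first x.y.z triple found in text.

    Assumed input shapes: the banner printed by `redis-server --version`
    ("Redis server v=7.0.8 sha=... malloc=jemalloc-5.2.1 bits=64 ...")
    and the "redis_version:7.0.8" line of `redis-cli INFO server`.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: tuple[int, int, int]) -> bool:
    """Apply the bug's range: below 6.2.11, or 7.0.0 <= v < 7.0.9.

    6.2.x at or above 6.2.11, 7.0.9 and later, and other branches the bug
    does not name (for example 7.2.x) all return False.
    """
    if version < FIXED_6_2:
        return True
    return (7, 0, 0) <= version < FIXED_7_0


def classify(text: str) -> str:
    """Human-readable verdict for a version banner or INFO line."""
    version = parse_version(text)
    label = ".".join(str(part) for part in version)
    if is_affected(version):
        return f"{label}: affected (CVE-2022-36021, CVE-2023-25155), upgrade"
    return f"{label}: at or above the fixed release for its branch"


def check_local_server() -> str:
    """Run the real redis-server binary if one is on PATH, else say so."""
    try:
        out = subprocess.run(["redis-server", "--version"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "redis-server not found on PATH"
    return classify(out)


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real host.
    samples = [
        "Redis server v=7.0.8 sha=00000000:0 malloc=jemalloc-5.2.1 bits=64 build=0",
        "Redis server v=7.0.9 sha=00000000:0 malloc=jemalloc-5.2.1 bits=64 build=0",
        "redis_version:6.2.10",
        "redis_version:6.2.11",
    ]
    for line in samples:
        print(classify(line))
    print(check_local_server())
```

Run it as-is to see the verdict for each constructed sample and for the local binary; point `classify` at the redis_version line of INFO server when only a client connection is available. Because the range is taken from the Gentoo summary rather than from upstream release notes, a version the bug does not mention (such as 7.2.x) is simply reported as not in range, not as safe.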
Comment 1 Larry the Git Cow gentoo-dev 2023-03-04 07:18:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b047cf7cc49995aa8b810708882f24896080e1b0

commit b047cf7cc49995aa8b810708882f24896080e1b0
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-02-28 17:16:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-04 07:18:05 +0000

    dev-db/redis: add 7.0.9
    
    Bug: https://bugs.gentoo.org/898464
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/29860
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest           |   1 +
 dev-db/redis/redis-7.0.9.ebuild | 187 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9ba556eacf53179b6a32e482357927bbb0d214e

commit c9ba556eacf53179b6a32e482357927bbb0d214e
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-02-28 17:12:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-04 07:18:04 +0000

    dev-db/redis: add 6.2.11
    
    Bug: https://bugs.gentoo.org/898464
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-6.2.11.ebuild | 195 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 196 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-03-22 01:20:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19681fd5fa178dc41d2f61225a0958ea3b538224

commit 19681fd5fa178dc41d2f61225a0958ea3b538224
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-03-21 08:07:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-22 01:17:37 +0000

    dev-db/redis: drop 6.2.10, 7.0.8
    
    Bug: https://bugs.gentoo.org/891169
    Bug: https://bugs.gentoo.org/898464
    Bug: https://bugs.gentoo.org/902501
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/30278
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   2 -
 dev-db/redis/redis-6.2.10.ebuild | 195 ---------------------------------------
 dev-db/redis/redis-7.0.8.ebuild  | 187 -------------------------------------
 3 files changed, 384 deletions(-)