| Field | Value | Field | Value |
|---|---|---|---|
| Summary | dev-db/redis-{7.0.15,7.2.4}: Buffer resizing issue leading to heap overflow and potential RCE | | |
| Product | Gentoo Security | Reporter | Petr Vaněk <arkamar> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | CONFIRMED --- | | |
| Severity | normal | CC | arkamar, sam |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://github.com/redis/redis/security/advisories/GHSA-xr47-pcmx-fq2m | | |
| Whiteboard | B2 [glsa?] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 921760 | | |
| Bug Blocks | | | |
Description
Petr Vaněk
2024-01-09 13:08:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=228445783982f7b9542880cdf012012e2e2eb70b

commit 228445783982f7b9542880cdf012012e2e2eb70b
Author: Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-09 13:43:27 +0000
Commit: Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-09 13:53:43 +0000

dev-db/redis: add 7.2.4

Bug: https://bugs.gentoo.org/921662
Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

dev-db/redis/Manifest | 1 +
dev-db/redis/redis-7.2.4.ebuild | 200 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 201 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=acafb49e3711af6725ce1d921927608b5d50bec9

commit acafb49e3711af6725ce1d921927608b5d50bec9
Author: Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-09 13:41:23 +0000
Commit: Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-09 13:53:42 +0000

dev-db/redis: add 7.0.15

Bug: https://bugs.gentoo.org/921662
Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

dev-db/redis/Manifest | 1 +
dev-db/redis/redis-7.0.15.ebuild | 187 +++++++++++++++++++++++++++++++++++++++
2 files changed, 188 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40f0aeee0d9ab31c81a869f258821733048f7423

commit 40f0aeee0d9ab31c81a869f258821733048f7423
Author: Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-09 14:12:04 +0000
Commit: Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-09 14:23:54 +0000

dev-db/redis: drop versions

This commit drops most of the vulnerable versions; however, security cleanups are still blocked because of 7.0.5, which is the last stable version for arm.

Bug: https://bugs.gentoo.org/891169
Bug: https://bugs.gentoo.org/898464
Bug: https://bugs.gentoo.org/902501
Bug: https://bugs.gentoo.org/904486
Bug: https://bugs.gentoo.org/910191
Bug: https://bugs.gentoo.org/913741
Bug: https://bugs.gentoo.org/915989
Bug: https://bugs.gentoo.org/921662
Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

dev-db/redis/Manifest | 7 -
dev-db/redis/files/redis-6.2.7-cve-2022-3647.patch | 173 ------------------
dev-db/redis/redis-6.2.11.ebuild | 195 --------------------
dev-db/redis/redis-6.2.13.ebuild | 195 --------------------
dev-db/redis/redis-6.2.7-r2.ebuild | 198 --------------------
dev-db/redis/redis-7.0.12.ebuild | 187 -------------------
dev-db/redis/redis-7.0.13.ebuild | 187 -------------------
dev-db/redis/redis-7.0.9.ebuild | 187 -------------------
dev-db/redis/redis-7.2.2.ebuild | 200 ---------------------
9 files changed, 1529 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a7e6b8769400cbbd7e4f3161d8c7dfdd62af8af

commit 3a7e6b8769400cbbd7e4f3161d8c7dfdd62af8af
Author: Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-10 10:05:04 +0000
Commit: Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-10 10:16:11 +0000

dev-db/redis: destabilize 7.0.5-r1 for ~arm

Dropping the stable keyword for the arm architecture due to a lack of security stabilization for over a year.

Bug: https://bugs.gentoo.org/891169
Bug: https://bugs.gentoo.org/898464
Bug: https://bugs.gentoo.org/902501
Bug: https://bugs.gentoo.org/904486
Bug: https://bugs.gentoo.org/910191
Bug: https://bugs.gentoo.org/913741
Bug: https://bugs.gentoo.org/915548#c6
Bug: https://bugs.gentoo.org/915989
Bug: https://bugs.gentoo.org/918847
Bug: https://bugs.gentoo.org/921662
Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

dev-db/redis/redis-7.0.5-r1.ebuild | 4 ++--
profiles/arch/arm/package.use.stable.mask | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8942d96c5ff1a45db0922d9e5e4403b050494bf6

commit 8942d96c5ff1a45db0922d9e5e4403b050494bf6
Author: Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-01-10 12:25:59 +0000
Commit: Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-01-10 12:27:32 +0000

dev-db/redis: drop 7.0.5-r1

Bug: https://bugs.gentoo.org/891169
Bug: https://bugs.gentoo.org/898464
Bug: https://bugs.gentoo.org/902501
Bug: https://bugs.gentoo.org/904486
Bug: https://bugs.gentoo.org/910191
Bug: https://bugs.gentoo.org/913741
Bug: https://bugs.gentoo.org/915989
Bug: https://bugs.gentoo.org/921662
Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

dev-db/redis/Manifest | 1 -
.../files/redis-7.0.4-replica-tests-fix.patch | 61 -------
dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch | 173 -------------------
dev-db/redis/redis-7.0.5-r1.ebuild | 191 ---------------------
4 files changed, 426 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5a0d6d701e1e513f689c9b698b4225e0b36422e

commit d5a0d6d701e1e513f689c9b698b4225e0b36422e
Author: Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-03-13 21:54:50 +0000
Commit: Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-03-13 21:56:30 +0000

dev-db/redis: drop 7.0.14-r1, 7.2.1-r1, 7.2.3-r1

Bug: https://bugs.gentoo.org/921662
Bug: https://bugs.gentoo.org/915989
Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

dev-db/redis/Manifest | 3 -
dev-db/redis/redis-7.0.14-r1.ebuild | 187 ---------------------------------
dev-db/redis/redis-7.2.1-r1.ebuild | 200 ------------------------------------
dev-db/redis/redis-7.2.3-r1.ebuild | 200 ------------------------------------
4 files changed, 590 deletions(-)