Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 633824 (CVE-2017-15047) - <dev-db/redis-5.0.9: Insufficient input validation in the clusterLoadConfig function
Summary: <dev-db/redis-5.0.9: Insufficient input validation in the clusterLoadConfig f...
Alias: CVE-2017-15047
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: C2 [glsa+ cve cleanup]
Depends on:
Blocks: CVE-2020-14147
  Show dependency tree
Reported: 2017-10-09 09:07 UTC by Agostino Sarubbo
Modified: 2020-08-27 23:57 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---
nattka: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-10-09 09:07:53 UTC
From ${URL} :

The clusterLoadConfig function in cluster.c in Redis allows local attackers to cause a denial of service (out-of-bounds array index and application crash) or possibly have unspecified other impact by 
leveraging "limited access to the machine."

Upstream issue:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 22:06:18 UTC
@maintainer(s), please bump to 5.0.9.
Comment 3 Tomáš Mózes 2020-07-24 10:32:11 UTC
(In reply to Sam James from comment #2)
> @maintainer(s), please bump to 5.0.9.

In tree
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-24 16:54:02 UTC
Ready to stable?
Comment 5 NATTkA bot gentoo-dev 2020-07-26 16:25:55 UTC
Unable to check for sanity:

> no match for package: dev-db/redis-5.0.9
Comment 6 Tomáš Mózes 2020-07-26 17:47:33 UTC
Fine for me.
Comment 7 NATTkA bot gentoo-dev 2020-07-26 17:50:16 UTC
All sanity-check issues have been resolved
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 02:45:54 UTC
(In reply to Tomáš Mózes from comment #6)
> Fine for me.

Comment 9 Rolf Eike Beer archtester 2020-07-28 21:57:00 UTC
hppa stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 04:10:03 UTC
arm stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-01 14:54:55 UTC
ppc/ppc64 stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-05 01:17:21 UTC
arm64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-08-05 13:53:27 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-08-05 14:17:23 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 15 Larry the Git Cow gentoo-dev 2020-08-27 18:12:14 UTC
The bug has been referenced in the following commit(s):

commit d93fc026adfcd8e9e46fd290fca412431554d01e
Author:     Aaron Bauman <>
AuthorDate: 2020-08-27 18:11:40 +0000
Commit:     Aaron Bauman <>
CommitDate: 2020-08-27 18:11:40 +0000

    dev-db/redis: drop vulnerable 5.0.8
    Signed-off-by: Aaron Bauman <>

 dev-db/redis/Manifest           |   1 -
 dev-db/redis/redis-5.0.8.ebuild | 160 ----------------------------------------
 2 files changed, 161 deletions(-)
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-08-27 23:57:23 UTC
This issue was resolved and addressed in
 GLSA 202008-17 at
by GLSA coordinator Sam James (sam_c).