Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658066 (CVE-2018-11218, CVE-2018-11219) - <dev-db/redis-{3.2.12,4.0.10}: multiple vulnerabilities (CVE-2018-{11218,11219})
Summary: <dev-db/redis-{3.2.12,4.0.10}: multiple vulnerabilities (CVE-2018-{11218,11219})
Status: RESOLVED FIXED
Alias: CVE-2018-11218, CVE-2018-11219
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://antirez.com/news/119
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-13 20:03 UTC by Kristian Fiskerstrand
Modified: 2019-08-09 20:42 UTC (History)
3 users (show)

See Also:
Package list:
dev-db/redis-4.0.10
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2018-06-13 20:03:34 UTC
Greetings,

CERT/CC is notifying you of vulnerabilities (CVE-2018-11218, and CVE-2018-11219) impacting Redis which are planned to be publicly disclosed this week on Wednesday June 13th. You may already have received information on these vulnerabilities from the Redis developer, Salvatore Sanfilippo, and if so you may ignore this message.


CVE-2018-11218 is a heap corruption vulnerability in cmsgpack
CVE-2018-11219 is an integer overflow

Patch information is available in a private GIST: https://gist.github.com/antirez/149e6d291046298814ae4a941cae6e87


CERT/CC does not intend to publish an additional vulnerability note at this time.


Regards,

Vulnerability Analysis Team
======================================================================
CERT Coordination Center
www.cert.org / cert@cert.org
##

robbat2 has acked receipt of report by email, but is travelling, maybe you can have a look at it when it goes public ultrabug?
======================================================================
Comment 1 Larry the Git Cow gentoo-dev 2018-06-17 21:12:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e499a85adc09194818908fee15698924f54f7d3

commit 3e499a85adc09194818908fee15698924f54f7d3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-06-17 21:10:10 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-06-17 21:12:36 +0000

    dev-db/redis: bump to v3.2.12
    
    Bug: https://bugs.gentoo.org/658066
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-3.2.12.ebuild | 131 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c552b81ac63dd4a200c381c2b62f1cfb3e8e91ba

commit c552b81ac63dd4a200c381c2b62f1cfb3e8e91ba
Author:     Tomas Mozes <tmozes@sygic.com>
AuthorDate: 2018-06-16 20:53:43 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-06-17 21:12:34 +0000

    dev-db/redis: bump to 4.0.10
    
    Closes: https://github.com/gentoo/gentoo/pull/8861
    Bug: https://bugs.gentoo.org/658066

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-4.0.10.ebuild | 141 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 142 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2018-06-17 23:31:43 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2018-06-18 15:43:44 UTC
amd64 stable
Comment 4 Mart Raudsepp gentoo-dev 2018-06-21 16:08:36 UTC
Still affected by bug 649556. But as it's a security stabilization again -- reluctantly stable on arm64...
Comment 5 Larry the Git Cow gentoo-dev 2018-06-24 20:23:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b792beaa5636e08180acaeda3ea4c0181c6b5307

commit b792beaa5636e08180acaeda3ea4c0181c6b5307
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 20:01:01 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:21:04 +0000

    dev-db/redis: stable 4.0.10 for ppc64, bug #658066
    
    Bug: https://bugs.gentoo.org/658066
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 dev-db/redis/redis-4.0.10.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35a53ca45a86c718912b52738b47a2f565b5490f

commit 35a53ca45a86c718912b52738b47a2f565b5490f
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 20:00:56 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:21:04 +0000

    dev-db/redis: stable 3.2.12 for ppc64, bug #658066
    
    Bug: https://bugs.gentoo.org/658066
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 dev-db/redis/redis-3.2.12.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Markus Meier gentoo-dev 2018-07-07 10:46:10 UTC
arm stable
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-30 00:16:37 UTC
@arches, ping
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-03 15:13:58 UTC
dropping STABLEREQ in favor of bug #689700
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2019-08-09 20:42:44 UTC
This issue was resolved and addressed in
 GLSA 201908-04 at https://security.gentoo.org/glsa/201908-04
by GLSA coordinator Aaron Bauman (b-man).