Bug 689700 (CVE-2019-10192, CVE-2019-10193) - <dev-db/redis-{4.0.14,5.0.4}: multiple vulnerabilities (CVE-2019-{10192,10193})
Summary: <dev-db/redis-{4.0.14,5.0.4}: multiple vulnerabilities (CVE-2019-{10192,10193})
Status: RESOLVED FIXED
Alias: CVE-2019-10192, CVE-2019-10193
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/antirez/redis/issu...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: 698436 713922
Blocks:
Reported: 2019-07-12 01:52 UTC by D'juan McDonald (domhnall)
Modified: 2020-06-20 01:09 UTC

See Also:
Package list:
dev-db/redis-4.0.14
Runtime testing required: ---
stable-bot: sanity-check+
Description D'juan McDonald (domhnall) 2019-07-12 01:52:44 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-10193):

A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By corrupting a hyperloglog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.

(https://nvd.nist.gov/vuln/detail/CVE-2019-10192):

A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a hyperloglog using the SETRANGE command, an attacker could trick Redis' interpretation of the dense HLL encoding into writing up to 3 bytes beyond the end of a heap-allocated buffer.

Fixed versions already in tree.

Gentoo Security Padawan
(domhnall)
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-07-12 20:43:19 UTC
Re-opening because we have stable 4.x ebuilds in repository which are affected.

@ Arches,

please test and mark stable: =dev-db/redis-4.0.14
Comment 2 Agostino Sarubbo gentoo-dev 2019-07-15 14:17:23 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-07-17 15:25:07 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-07-18 11:43:24 UTC
ppc64 stable
Comment 5 Rolf Eike Beer 2019-07-18 19:29:34 UTC
hppa stable
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-07-21 21:49:10 UTC
arm64 stable
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-07-28 10:40:34 UTC
arm stable
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-03 15:14:55 UTC
@ppc, ping.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2019-08-09 20:42:51 UTC
This issue was resolved and addressed in
 GLSA 201908-04 at https://security.gentoo.org/glsa/201908-04
by GLSA coordinator Aaron Bauman (b-man).
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-09 20:44:49 UTC
re-opened for final arch and cleanup.
Comment 11 Sam James gentoo-dev Security 2020-03-19 23:44:50 UTC
@ppc: wake up please :)
Comment 12 Tomáš Mózes 2020-03-20 05:59:24 UTC
Pending PR to make redis working on ppc:

https://github.com/gentoo/gentoo/pull/14994
Comment 13 Sam James gentoo-dev Security 2020-05-04 11:18:12 UTC
@ppc: ping now fix was merged
Comment 14 ernsteiswuerfel 2020-05-04 20:43:18 UTC
(In reply to Sam James (sec padawan) from comment #13)
> @ppc: ping now fix was merged

redis-5.0.8 builds fine now but redis-4.0.14 still fails. Seems the fix was only applied to 5.0.8.
Comment 15 Tomáš Mózes 2020-05-05 04:50:15 UTC
Let's forget about redis 4, now even 6.x is out.
Comment 16 Sam James gentoo-dev Security 2020-05-30 19:47:30 UTC
(In reply to Tomáš Mózes from comment #15)
> Let's forget about redis 4, now even 6.x is out.

Is there a PR to remove it from tree?
Comment 17 Tomáš Mózes 2020-05-30 22:02:02 UTC
(In reply to Sam James (sec padawan) from comment #16)
> (In reply to Tomáš Mózes from comment #15)
> > Let's forget about redis 4, now even 6.x is out.
> 
> Is there a PR to remove it from tree?

I tried, but we need to stabilize 5.x on hppa, then we can drop 4.x.
Comment 18 Sam James gentoo-dev Security 2020-05-30 22:04:29 UTC
(In reply to Tomáš Mózes from comment #17)
> (In reply to Sam James (sec padawan) from comment #16)
> > (In reply to Tomáš Mózes from comment #15)
> > > Let's forget about redis 4, now even 6.x is out.
> > 
> > Is there a PR to remove it from tree?
> 
> I tried, but we need to stabilize 5.x on hppa, then we can drop 4.x.

Gotcha. Thank you :)
Comment 19 Tomáš Mózes 2020-05-31 08:15:44 UTC
This seems obsolete as 5.0.8 is stable on ppc, please consider closing.