CVE-2019-10193 (https://nvd.nist.gov/vuln/detail/CVE-2019-10193): A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By corrupting a hyperloglog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.
CVE-2019-10192 (https://nvd.nist.gov/vuln/detail/CVE-2019-10192): A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a hyperloglog using the SETRANGE command, an attacker could trick Redis interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer.
Fixed versions already in tree.
Gentoo Security Padawan (domhnall)
Re-opening because we have stable 4.x ebuilds in repository which are affected. @ Arches, please test and mark stable: =dev-db/redis-4.0.14
amd64 stable
x86 stable
ppc64 stable
hppa stable
arm64 stable
arm stable
@ppc, ping.
This issue was resolved and addressed in GLSA 201908-04 at https://security.gentoo.org/glsa/201908-04 by GLSA coordinator Aaron Bauman (b-man).
re-opened for final arch and cleanup.
@ppc: wake up please :)
Pending PR to make redis work on ppc: https://github.com/gentoo/gentoo/pull/14994
@ppc: ping now fix was merged
(In reply to Sam James (sec padawan) from comment #13)
> @ppc: ping now fix was merged
redis-5.0.8 builds fine now but redis-4.0.14 still fails. Seems the fix was only applied to 5.0.8.
Let's forget about redis 4, now even 6.x is out.
(In reply to Tomáš Mózes from comment #15)
> Let's forget about redis 4, now even 6.x is out.
Is there a PR to remove it from tree?
(In reply to Sam James (sec padawan) from comment #16)
> (In reply to Tomáš Mózes from comment #15)
> > Let's forget about redis 4, now even 6.x is out.
>
> Is there a PR to remove it from tree?
I tried, but we need to stabilize 5.x on hppa, then we can drop 4.x.
(In reply to Tomáš Mózes from comment #17)
> (In reply to Sam James (sec padawan) from comment #16)
> > (In reply to Tomáš Mózes from comment #15)
> > > Let's forget about redis 4, now even 6.x is out.
> >
> > Is there a PR to remove it from tree?
>
> I tried, but we need to stabilize 5.x on hppa, then we can drop 4.x.
Gotcha. Thank you :)
This seems obsolete as 5.0.8 is stable on ppc, please consider closing.