Bug 689700 (CVE-2019-10192, CVE-2019-10193) - <dev-db/redis-{4.0.14,5.0.4}: multiple vulnerabilities (CVE-2019-{10192,10193})
Summary: <dev-db/redis-{4.0.14,5.0.4}: multiple vulnerabilities (CVE-2019-{10192,10193})
Status: CONFIRMED
Alias: CVE-2019-10192, CVE-2019-10193
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/antirez/redis/issu...
Whiteboard: B3 [glsa+ cve cleanup]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2019-07-12 01:52 UTC by D'juan McDonald (domhnall)
Modified: 2019-08-09 20:44 UTC
CC List: 3 users

See Also:
Package list:
dev-db/redis-4.0.14
Runtime testing required: ---
stable-bot: sanity-check+


Description D'juan McDonald (domhnall) 2019-07-12 01:52:44 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-10193):

A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By corrupting a hyperloglog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.

(https://nvd.nist.gov/vuln/detail/CVE-2019-10192):

A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a hyperloglog using the SETRANGE command, an attacker could trick Redis interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer.


Fixed versions already in tree.

Gentoo Security Padawan (domhnall)
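The two NVD entries quoted above give the affected ranges as 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. The following is an added example, not code from this bug, from Gentoo or from the Redis project: it turns those ranges into a version check that can be run against the `redis_version` field of a server's `INFO server` reply. Function names and the `INFO_OUTPUT` sample are constructed for illustration; the version ranges are the only facts taken from the page.

```python
"""Check a Redis version against the ranges in CVE-2019-10192 / CVE-2019-10193.

Added example, not code from the bug, Gentoo or Redis. The affected ranges
come from the NVD text quoted in the bug description; function names and the
INFO_OUTPUT sample below are constructed for illustration.
"""
import re
from typing import Optional, Tuple

# Per the NVD text: 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4
# are affected, so these are the first fixed release for each major.
FIXED_BY_MAJOR = {3: (3, 2, 13), 4: (4, 0, 14), 5: (5, 0, 4)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple.

    Trailing suffixes such as '-rc1' or a Gentoo '-r1' revision are ignored,
    since they do not change which upstream release the binary corresponds to.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """Return True if `version` is below the fixed release for its major,
    False if it is at or above it, and None if the advisory text does not
    cover that major (for example 2.8.x or 6.x). Returning None rather than
    False keeps an uncovered version from being silently reported as safe.
    """
    v = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def version_from_info(info: str) -> str:
    """Extract the redis_version field from the text of an `INFO server` reply."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


# Constructed sample of an `INFO server` reply; not captured from a real host.
INFO_OUTPUT = """# Server
redis_version:4.0.11
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 4.19.0 x86_64
"""

if __name__ == "__main__":
    running = version_from_info(INFO_OUTPUT)
    print(running, is_affected(running))
```

Feed it the output of `redis-cli INFO server` for each instance; a `None` result means the major version is outside the ranges the advisory names and needs a separate look rather than being treated as fixed.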
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-07-12 20:43:19 UTC
Re-opening because we have stable 4.x ebuilds in repository which are affected.

@ Arches,

please test and mark stable: =dev-db/redis-4.0.14
Comment 2 Agostino Sarubbo gentoo-dev 2019-07-15 14:17:23 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-07-17 15:25:07 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-07-18 11:43:24 UTC
ppc64 stable
Comment 5 Rolf Eike Beer 2019-07-18 19:29:34 UTC
hppa stable
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-07-21 21:49:10 UTC
arm64 stable
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-07-28 10:40:34 UTC
arm stable
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-03 15:14:55 UTC
@ppc, ping.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2019-08-09 20:42:51 UTC
This issue was resolved and addressed in
 GLSA 201908-04 at https://security.gentoo.org/glsa/201908-04
by GLSA coordinator Aaron Bauman (b-man).
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-09 20:44:49 UTC
re-opened for final arch and cleanup.