CVE-2020-7105 (https://nvd.nist.gov/vuln/detail/CVE-2020-7105): async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a NULL pointer dereference because malloc return values are unchecked.
Upstream patches:
https://github.com/redis/hiredis/pull/754
https://github.com/redis/hiredis/pull/756
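The bug class named in the CVE text, an unchecked malloc() result used as if it were valid, is easy to see in a reduced form. The following is an added example, not code from hiredis or from the upstream pull requests: a constructed bucket-array "dict" with a vulnerable constructor beside a hardened one. The allocation-budget hook (dict_set_alloc_budget, dict_alloc) is an assumption of this example so that the out-of-memory path can be exercised deterministically; the real library calls malloc() directly.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not hiredis code): a minimal bucket-array "dict"
 * whose constructor performs two heap allocations. */
typedef struct {
    void **buckets;   /* array of `size` entries, all NULL when empty */
    size_t size;
} dict;

/* Allocation budget: after this many successful allocations every further
 * request returns NULL; a negative value means unlimited. This hook exists
 * only so the out-of-memory path can be exercised deterministically (an
 * assumption of this example; the real library calls malloc() directly). */
static int alloc_budget = -1;

void dict_set_alloc_budget(int n) { alloc_budget = n; }

static void *dict_alloc(size_t n) {
    if (alloc_budget == 0) return NULL;   /* simulate malloc() failure */
    if (alloc_budget > 0) alloc_budget--;
    return malloc(n);
}

/* The pattern behind CVE-2020-7105: allocation results are used without a
 * NULL check. When malloc() fails, the writes below dereference NULL and the
 * process crashes (a denial of service for whatever embeds the library). */
dict *dict_create_unchecked(size_t size) {
    dict *d = dict_alloc(sizeof(*d));
    d->size = size;                                   /* crashes if d == NULL */
    d->buckets = dict_alloc(size * sizeof(void *));
    memset(d->buckets, 0, size * sizeof(void *));     /* crashes if buckets == NULL */
    return d;
}

/* Hardened form: guard the size arithmetic, check every allocation, release
 * partial work on failure, and report an errno to the caller instead of
 * crashing. */
dict *dict_create_checked(size_t size) {
    if (size > SIZE_MAX / sizeof(void *)) {   /* size * sizeof(void *) would overflow */
        errno = EOVERFLOW;
        return NULL;
    }
    dict *d = dict_alloc(sizeof(*d));
    if (d == NULL) {
        errno = ENOMEM;
        return NULL;
    }
    d->size = size;
    d->buckets = dict_alloc(size * sizeof(void *));
    if (d->buckets == NULL) {
        free(d);            /* do not leak the half-built object */
        errno = ENOMEM;
        return NULL;
    }
    memset(d->buckets, 0, size * sizeof(void *));
    return d;
}

void dict_free(dict *d) {
    if (d == NULL) return;
    free(d->buckets);
    free(d);
}

int main(void) {
    dict_set_alloc_budget(1);            /* first allocation succeeds, second fails */
    dict *d = dict_create_checked(16);
    printf("checked create under memory pressure: %s (errno=%d)\n",
           d ? "ok" : "failed cleanly", d ? 0 : errno);
    dict_free(d);

    dict_set_alloc_budget(-1);
    d = dict_create_checked(16);
    printf("checked create with memory available: %s\n", d ? "ok" : "failed");
    dict_free(d);
    return 0;
}
```

Calling dict_create_unchecked with the budget set to 0 or 1 is the crash the CVE describes; the checked variant returns NULL with errno set on the same inputs, and the caller decides how to degrade. Note that the second allocation failing must also free the first, otherwise the "fix" trades a crash for a leak.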
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5156bbc233ee9e74417ccde7bc7430be672cb9f

commit b5156bbc233ee9e74417ccde7bc7430be672cb9f
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-20 20:21:57 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-20 20:21:57 +0000

    dev-libs/hiredis: bump to v0.14.1

    Bug: https://bugs.gentoo.org/710734
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/hiredis/Manifest              |  1 +
 dev-libs/hiredis/hiredis-0.14.1.ebuild | 79 ++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
s390 stable
sparc stable
amd64 stable
note: cannot cleanup until we figure out what to do about dev-python/hiredis?

https://github.com/gentoo/gentoo/commit/1708e9d77e76b36c82f271bd1b03ff1c72b263a0

The ABI change was minimal in this case:
https://abi-laboratory.pro/index.php?view=timeline&l=hiredis
(In reply to sam_c (Security Padawan) from comment #6)
> note: cannot cleanup until we figure out what to do about dev-python/hiredis?
>
> https://github.com/gentoo/gentoo/commit/1708e9d77e76b36c82f271bd1b03ff1c72b263a0
>
> The ABI change was minimal in this case:
> https://abi-laboratory.pro/index.php?view=timeline&l=hiredis

I misunderstood what this meant, please ignore!
arm stable
x86 stable
ia64 stable
ppc stable
hppa stable
ppc64 stable
arm64 stable
@maintainer(s), please cleanup
Arches, Thank you for your work.

GLSA Vote: Yes

Maintainer(s), please drop the vulnerable version(s).
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e63f04c278459cbb77c1631048619f55139b948

commit 7e63f04c278459cbb77c1631048619f55139b948
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-10 22:12:13 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-10 22:12:13 +0000

    dev-libs/hiredis: security cleanup

    Bug: https://bugs.gentoo.org/710734
    Package-Manager: Portage-2.3.98, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/hiredis/Manifest              |  2 -
 dev-libs/hiredis/hiredis-0.13.3.ebuild | 79 ----------------------------------
 dev-libs/hiredis/hiredis-0.14.0.ebuild | 79 ----------------------------------
 3 files changed, 160 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2acf7b525f116eb46f7a62ee404f7d62bb18c712

commit 2acf7b525f116eb46f7a62ee404f7d62bb18c712
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-04-09 03:40:15 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-04-12 06:29:06 +0000

    dev-libs/hiredis: drop vulnerable

    Bug: https://bugs.gentoo.org/710734
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15272
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/hiredis/Manifest              |  2 -
 dev-libs/hiredis/hiredis-0.13.3.ebuild | 79 ----------------------------------
 dev-libs/hiredis/hiredis-0.14.0.ebuild | 79 ----------------------------------
 3 files changed, 160 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=affbbbb69cedad882ac9906141f2f63d7d9f3525

commit affbbbb69cedad882ac9906141f2f63d7d9f3525
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-04-11 05:17:08 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-04-12 06:29:01 +0000

    dev-python/hiredis: drop to ~arch, cleanup

    Needed to clean up vulnerable dev-libs/hiredis. No reverse dependencies.

    Bug: https://bugs.gentoo.org/710734
    Acked-by: Michał Górny <mgorny@gentoo.org>
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-python/hiredis/Manifest                |  1 -
 dev-python/hiredis/hiredis-0.2.0-r1.ebuild | 21 ---------------------
 dev-python/hiredis/hiredis-0.2.0-r3.ebuild | 24 ------------------------
 3 files changed, 46 deletions(-)
No GLSA. Tree is clean.