Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 724776 (CVE-2020-14147) - <dev-db/redis-{5.0.8,6.0.3}: Incomplete fix for CVE-2015-8080 (CVE-2020-14147)
Summary: <dev-db/redis-{5.0.8,6.0.3}: Incomplete fix for CVE-2015-8080 (CVE-2020-14147)
Status: RESOLVED FIXED
Alias: CVE-2020-14147
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/antirez/redis/comm...
Whiteboard: B3 [glsa+ cleanup cve]
Keywords:
Depends on: CVE-2017-15047
Blocks:
  Show dependency tree
 
Reported: 2020-05-23 13:34 UTC by Sam James
Modified: 2020-08-27 23:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-05-23 13:34:37 UTC
See linked commit and PR: https://github.com/antirez/redis/pull/6875.

"The vulnerability is from the Lua source code that you already patched in Dec. 2015. However, as a result of the Lua update in May 2018 (commit: 1eb08bc), the vulnerability patch was removed during the update process."
Comment 1 Sam James archtester gentoo-dev Security 2020-05-23 13:44:24 UTC
This also affects the 5.x series, with a backport commit (no release yet): https://github.com/antirez/redis/commit/16b2d07f0a9b58027611dab7f97788d37cb5ab84

Releases since 5.0-rc3, including all of 6.x until the new 6.0.3 (just released, not in tree), are vulnerable.
Comment 2 Sam James archtester gentoo-dev Security 2020-05-30 22:05:14 UTC
What's the plan for 5.x, btw?
Comment 3 Tomáš Mózes 2020-05-31 07:37:51 UTC
(In reply to Sam James (sec padawan) from comment #2)
> What's the plan for 5.x, btw?

The fix is included in version 5.0.9 (in tree).
Comment 4 Tomáš Mózes 2020-05-31 07:40:27 UTC
According to the changelog, it was included in 5.0.8 too (https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES)

================================================================================
Redis 5.0.8     Released Thu Mar 12 16:05:41 CET 2020
================================================================================

Upgrade urgency HIGH: This release fixes security issues.

...

Seunghoon Woo in commit 16b2d07f:
 [FIX] revisit CVE-2015-8080 vulnerability
 1 file changed, 6 insertions(+), 4 deletions(-)
Comment 5 Sam James archtester gentoo-dev Security 2020-06-15 18:04:28 UTC
(In reply to Tomáš Mózes from comment #4)
> According to the changelog, it was included in 5.0.8 too
> (https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES)
> 
> =============================================================================
> ===
> Redis 5.0.8     Released Thu Mar 12 16:05:41 CET 2020
> =============================================================================
> ===
> 
> Upgrade urgency HIGH: This release fixes security issues.
> 
> ...
> 
> Seunghoon Woo in commit 16b2d07f:
>  [FIX] revisit CVE-2015-8080 vulnerability
>  1 file changed, 6 insertions(+), 4 deletions(-)

Thank you.

@maintainer(s), please cleanup.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-08-27 23:57:28 UTC
This issue was resolved and addressed in
 GLSA 202008-17 at https://security.gentoo.org/glsa/202008-17
by GLSA coordinator Sam James (sam_c).