CVE-2021-32761: Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` commands are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.13, 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
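The advisory above gives three facts a practitioner needs to act on: the patched version per branch, the 32-bit-only precondition, and the ACL workaround against CONFIG SET. The following is an added example (not code from this bug report, from Gentoo, or from the Redis project) that turns those into a triage check: it parses the output of `INFO server` and `CONFIG GET proto-max-bulk-len`, classifies the instance, and carries the users.acl line that implements the workaround. The INFO/CONFIG text at the bottom is constructed sample data, the `app` user and its password are placeholders, and treating 7.x as fixed is an assumption (the advisory only names 5.0.13, 6.0.15 and 6.2.5).

```python
"""Added triage helper for CVE-2021-32761 (not from the Gentoo bug or Redis):
classify a Redis instance from its INFO server output and the current value of
proto-max-bulk-len, and carry the ACL rule that implements the advisory's
workaround.  All sample text at the bottom is constructed, not captured."""

# Patched releases named in the advisory, keyed by release branch.
FIXED = {(5, 0): (5, 0, 13), (6, 0): (6, 0, 15), (6, 2): (6, 2, 5)}
FIRST_AFFECTED = (2, 2, 0)
DEFAULT_PROTO_MAX_BULK_LEN = 512 * 1024 * 1024  # Redis default "512mb"

# Workaround from the advisory: keep unprivileged users away from CONFIG SET.
# Removing the whole CONFIG command is the simplest rule every ACL-capable
# Redis (6.0+) accepts.  "app" and "change-me" are placeholders (assumption).
ACL_WORKAROUND = "user app on >change-me ~* +@all -config"


def parse_version(text):
    """'6.2.4' -> (6, 2, 4); missing components are treated as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_is_fixed(v):
    """True if a redis-server of version v carries the fix.

    Affected range per the advisory: >= 2.2 and < 5.0.13 / 6.0.15 / 6.2.5.
    Branches after 6.2 (7.x) are assumed fixed, having been cut after those
    releases; branches 2.2 .. 4.x never received a fix."""
    if v < FIRST_AFFECTED:
        return True
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    return branch > (6, 2)


def parse_info(info_text):
    """Turn the 'field:value' lines of INFO into a dict, skipping '#' headers."""
    out = {}
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        out[key] = value
    return out


def parse_config_get(cli_text):
    """Parse redis-cli's numbered CONFIG GET output ('1) "key"' / '2) "val"')."""
    items = [line.split(")", 1)[1].strip().strip('"')
             for line in cli_text.strip().splitlines()]
    return dict(zip(items[0::2], items[1::2]))


def assess(info_text, config_get_text):
    info = parse_info(info_text)
    version = parse_version(info["redis_version"])
    arch_bits = int(info["arch_bits"])
    bulk_len = int(parse_config_get(config_get_text)["proto-max-bulk-len"])
    unpatched = not version_is_fixed(version)
    return {
        "version": info["redis_version"],
        "arch_bits": arch_bits,
        "unpatched": unpatched,
        # Only 32-bit builds can reach the integer overflow.
        "exposed": unpatched and arch_bits == 32,
        # A raised limit means someone already has CONFIG SET access; the ACL
        # workaround alone is then not enough, the value must be reset too.
        "bulk_len_raised": bulk_len > DEFAULT_PROTO_MAX_BULK_LEN,
    }


# Constructed samples, not captured from a real server.
INFO_32BIT_OLD = "# Server\r\nredis_version:6.2.4\r\narch_bits:32\r\nos:Linux 5.10 i686\r\n"
INFO_64BIT_OLD = "# Server\r\nredis_version:6.2.4\r\narch_bits:64\r\n"
INFO_32BIT_FIXED = "# Server\r\nredis_version:6.2.5\r\narch_bits:32\r\n"
CONFIG_DEFAULT = '1) "proto-max-bulk-len"\n2) "536870912"\n'
CONFIG_RAISED = '1) "proto-max-bulk-len"\n2) "4294967296"\n'

if __name__ == "__main__":
    for name, info, cfg in [("32-bit 6.2.4", INFO_32BIT_OLD, CONFIG_RAISED),
                            ("64-bit 6.2.4", INFO_64BIT_OLD, CONFIG_DEFAULT),
                            ("32-bit 6.2.5", INFO_32BIT_FIXED, CONFIG_DEFAULT)]:
        print(name, assess(info, cfg))
```

A 64-bit build of an unpatched version still reports `unpatched` so it gets upgraded, but not `exposed`, which matches the advisory's 32-bit-only scope. The `bulk_len_raised` flag is the check worth adding to the workaround: an ACL that blocks CONFIG does nothing about a limit that was already raised before the rule went in.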
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0f98815a09bb06475b449dd39f22f7b1db5b95b
commit e0f98815a09bb06475b449dd39f22f7b1db5b95b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-07-22 03:16:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-07-22 03:20:30 +0000

    dev-db/redis: add 6.2.5

    Bug: https://bugs.gentoo.org/803302
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest           |   1 +
 dev-db/redis/redis-6.2.5.ebuild | 187 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f266cf68fb019637e64c1ad59d5d9104d13ab4e
commit 3f266cf68fb019637e64c1ad59d5d9104d13ab4e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-07-22 03:16:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-07-22 03:20:29 +0000

    dev-db/redis: add 6.0.15

    Bug: https://bugs.gentoo.org/803302
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-6.0.15.ebuild | 187 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 188 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e952405376b422bad1507756c5bfa74f14d81fed
commit e952405376b422bad1507756c5bfa74f14d81fed
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-07-22 03:16:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-07-22 03:20:28 +0000

    dev-db/redis: add 5.0.13

    Bug: https://bugs.gentoo.org/803302
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   1 +
 dev-db/redis/redis-5.0.13.ebuild | 160 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 161 insertions(+)
sparc stable
x86 stable
amd64 done
arm done
ppc done
ppc64 done
arm64 done
all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1eaf833dcc599b9408fe734b48a8a6de56289de4
commit 1eaf833dcc599b9408fe734b48a8a6de56289de4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-08-09 16:29:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-08-09 16:30:56 +0000

    dev-db/redis: drop 5.0.12, 6.0.14, 6.2.4

    Bug: https://bugs.gentoo.org/803302
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest            |   3 -
 dev-db/redis/redis-5.0.12.ebuild | 164 ---------------------------------
 dev-db/redis/redis-6.0.14.ebuild | 189 ---------------------------------------
 dev-db/redis/redis-6.2.4.ebuild  | 189 ---------------------------------------
 4 files changed, 545 deletions(-)
Unable to check for sanity:

> no match for package: dev-db/redis-5.0.13
None of the affected versions has been in the tree for more than a year. Isn't it time to progress with this ticket somehow?
(In reply to Petr Vaněk from comment #11)
> None of the affected versions has been in the tree for more than a year.
> Isn't it time to progress with this ticket somehow?

We'd like to GLSA it, but other bugs (eg bug 872278) aren't able to be cleaned up thanks to dev-ruby/redis:

dev-ruby/redis/redis-4.7.1.ebuild:DEPEND="test? ( <dev-db/redis-7 )"

I only learned about this this morning and I'll file a bug soon. I guess we might as well GLSA them anyway and just wait for cleanup.
(In reply to John Helmert III from comment #12)
> (In reply to Petr Vaněk from comment #11)
> > None of the affected versions has been in the tree for more than a year.
> > Isn't it time to progress with this ticket somehow?
>
> We'd like to GLSA it, but other bugs (eg bug 872278) aren't able to be
> cleaned up thanks to dev-ruby/redis:
>
> dev-ruby/redis/redis-4.7.1.ebuild:DEPEND="test? ( <dev-db/redis-7 )"
>
> I only learned about this this morning and I'll file a bug soon. I guess we
> might as well GLSA them anyway and just wait for cleanup.

Actually, sorry, looks like those issues only affect redis-7.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3b83b8330073185fb5605b449ed900293d014aeb
commit 3b83b8330073185fb5605b449ed900293d014aeb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:21:49 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:47:59 +0000

    [ GLSA 202209-17 ] Redis: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/803302
    Bug: https://bugs.gentoo.org/816282
    Bug: https://bugs.gentoo.org/841404
    Bug: https://bugs.gentoo.org/856040
    Bug: https://bugs.gentoo.org/859181
    Bug: https://bugs.gentoo.org/872278
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-17.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
GLSA released, all done!