Bug 841404 (CVE-2022-24735, CVE-2022-24736) - <dev-db/redis-6.2.7: Multiple vulnerabilities
Summary: <dev-db/redis-6.2.7: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-24735, CVE-2022-24736
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [stable?]
Keywords:
Depends on: 841407 841422
Blocks:
Reported: 2022-04-28 01:51 UTC by Sam James
Modified: 2022-04-28 07:04 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-28 01:51:24 UTC
From 6.2.6 release notes:
"""
Security Fixes:
* (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
  can cause NULL pointer dereference which will result with a crash of the
  redis-server process. This issue affects all versions of Redis.
  [reported by Aviv Yahav].
* (CVE-2022-24735) By exploiting weaknesses in the Lua script execution
  environment, an attacker with access to Redis can inject Lua code that will
  execute with the (potentially higher) privileges of another Redis user.
  [reported by Aviv Yahav].
"""
Comment 1 Larry the Git Cow gentoo-dev 2022-04-28 02:18:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb357ae44b7e9fbff0d9d9df54370c6796d706cb

commit bb357ae44b7e9fbff0d9d9df54370c6796d706cb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-28 02:17:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-28 02:17:59 +0000

    dev-db/redis: drop 5.0.14, 6.0.16
    
    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                           |   2 -
 dev-db/redis/files/redis-3.2.3-config.patch     |  40 -----
 dev-db/redis/files/redis-5.0-sharedlua.patch    |  60 --------
 dev-db/redis/files/redis-5.0.8-ppc-atomic.patch |  19 ---
 dev-db/redis/files/redis-6.0.12-sharedlua.patch |  60 --------
 dev-db/redis/redis-5.0.14.ebuild                | 164 --------------------
 dev-db/redis/redis-6.0.16.ebuild                | 189 ------------------------
 7 files changed, 534 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8db611a4cadc177118641ff3146f1ea46f12808

commit e8db611a4cadc177118641ff3146f1ea46f12808
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-28 02:14:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-28 02:17:58 +0000

    dev-db/redis: add 6.2.7
    
    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest           |   1 +
 dev-db/redis/redis-6.2.7.ebuild | 190 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 191 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-28 02:18:38 UTC
sorry, 6.2.7 release notes.
Comment 3 Larry the Git Cow gentoo-dev 2022-04-28 02:38:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=850894a9e88d1b711cfd3036878848f5e59690b5

commit 850894a9e88d1b711cfd3036878848f5e59690b5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-28 02:37:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-28 02:37:30 +0000

    Revert "dev-db/redis: drop 5.0.14, 6.0.16"
    
    This reverts commit bb357ae44b7e9fbff0d9d9df54370c6796d706cb.
    
    dev-ruby/redis still needs 5*
    
    Bug: https://bugs.gentoo.org/841404
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/redis/Manifest                           |   2 +
 dev-db/redis/files/redis-3.2.3-config.patch     |  40 +++++
 dev-db/redis/files/redis-5.0-sharedlua.patch    |  60 ++++++++
 dev-db/redis/files/redis-5.0.8-ppc-atomic.patch |  19 +++
 dev-db/redis/files/redis-6.0.12-sharedlua.patch |  60 ++++++++
 dev-db/redis/redis-5.0.14.ebuild                | 164 ++++++++++++++++++++
 dev-db/redis/redis-6.0.16.ebuild                | 189 ++++++++++++++++++++++++
 7 files changed, 534 insertions(+)