Bug 877863 (CVE-2022-3647) - <dev-db/redis-{6.2.7-r2,7.0.5-r1}: crash on crash report
Summary: <dev-db/redis-{6.2.7-r2,7.0.5-r1}: crash on crash report
Status: RESOLVED FIXED
Alias: CVE-2022-3647
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/redis/redis/commit...
Whiteboard: B3 [noglsa]
Keywords: PullRequest
Depends on: 881065
Blocks:
Reported: 2022-10-21 20:52 UTC by John Helmert III
Modified: 2022-11-23 00:24 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---

Description John Helmert III 2022-10-21 20:52:28 UTC
CVE-2022-3647:

A vulnerability, which was classified as problematic, was found in Redis. Affected is the function sigsegvHandler of the file debug.c of the component Crash Report. The manipulation leads to denial of service. The name of the patch is 0bf90d944313919eb8e63d3588bf63a367f020a3. It is recommended to apply a patch to fix this issue. VDB-211962 is the identifier assigned to this vulnerability.

Patch at URL.
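The summary's version range, <dev-db/redis-{6.2.7-r2,7.0.5-r1}, together with the [noglsa] whiteboard entry means no advisory will tell an administrator whether a given box is affected; the check has to be done against that range directly. The following is an added example, not code from Gentoo or from the Redis project: a POSIX shell comparison of a dev-db/redis version string against the two fixed revisions named in the summary. It assumes the simplified version grammar of dotted integers plus an optional Gentoo -rN revision (6.2.7, 6.2.7-r2, 7.0.5-r1; _p and _rc suffixes are not handled), and treats major versions other than 6 and 7 as outside the range this bug describes, since the summary gives no fixed version for them.

```shell
#!/bin/sh
# Added example (not Gentoo's or Redis' code): check whether a dev-db/redis
# version falls inside the range bug 877863 marks as affected,
# "<dev-db/redis-{6.2.7-r2,7.0.5-r1}" (6.x fixed in 6.2.7-r2, 7.x in 7.0.5-r1).
# Assumption: versions are dotted integers with an optional Gentoo -rN
# revision (6.2.7, 6.2.7-r2, 7.0.5-r1); _p/_rc suffixes are not handled.

# Compare two such versions; prints -1, 0 or 1 for a<b, a==b, a>b.
ver_cmp() {
    a_pv=${1%%-r*}; b_pv=${2%%-r*}
    case $1 in *-r*) a_rev=${1##*-r} ;; *) a_rev=0 ;; esac
    case $2 in *-r*) b_rev=${2##*-r} ;; *) b_rev=0 ;; esac

    # Split the dotted part into up to three numeric components; missing ones are 0.
    old_ifs=$IFS
    IFS=.
    set -- $a_pv
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b_pv
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs

    # Compare major, minor, micro, then the ebuild revision.
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a_rev $b_rev"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return 0; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when version $1 sorts strictly before version $2.
ver_lt() {
    [ "$(ver_cmp "$1" "$2")" = -1 ]
}

# Exit status: 0 = affected per bug 877863, 1 = carries the fix,
# 2 = a branch this bug gives no fixed version for (treated as not covered).
redis_877863_affected() {
    case $1 in
        6.*) fixed=6.2.7-r2 ;;
        7.*) fixed=7.0.5-r1 ;;
        *)   return 2 ;;
    esac
    ver_lt "$1" "$fixed"
}

# Constructed sample versions. On a Gentoo host the installed version is the
# directory name under /var/db/pkg/dev-db/ with the "redis-" prefix removed.
for v in 6.0.16 6.2.7-r1 6.2.7-r2 7.0.5 7.0.5-r1 7.0.6 5.0.14; do
    st=0
    redis_877863_affected "$v" || st=$?
    case $st in
        0) echo "redis-$v: affected, upgrade" ;;
        1) echo "redis-$v: fixed" ;;
        *) echo "redis-$v: not covered by this bug's version range" ;;
    esac
done
```

Feed it the installed version rather than the upstream release number: 7.0.5 and 7.0.5-r1 are the same Redis tarball, and only the -r1 revision carries the patch, so a check that drops the ebuild revision would report a fixed system as affected.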
Comment 1 Larry the Git Cow 2022-11-11 15:10:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85442e23f002bbdbfe137a7fc15314eb6b048982

commit 85442e23f002bbdbfe137a7fc15314eb6b048982
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-10-22 09:52:31 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-11 15:10:06 +0000

    dev-db/redis: backport recommended patch for CVE-2022-3647 to 6.2.7
    
    The original patch does not apply cleanly, it was necessary to backport it.
    
    Upstream-commit: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3
    Bug: https://bugs.gentoo.org/877863
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/27893
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-db/redis/files/redis-6.2.7-cve-2022-3647.patch | 173 ++++++++++++++++++
 dev-db/redis/redis-6.2.7-r2.ebuild                 | 198 +++++++++++++++++++++
 2 files changed, 371 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=355ad01f1b82d113b950ea3e483a7c2bc54bed6d

commit 355ad01f1b82d113b950ea3e483a7c2bc54bed6d
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-10-22 09:43:38 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-11 15:10:06 +0000

    dev-db/redis: apply recommended patch for CVE-2022-3647 to 7.0.5
    
    The patch is taken from upstream as is.
    
    Upstream-commit: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3
    Bug: https://bugs.gentoo.org/877863
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch | 173 +++++++++++++++++++
 dev-db/redis/redis-7.0.5-r1.ebuild                 | 191 +++++++++++++++++++++
 2 files changed, 364 insertions(+)
Comment 2 John Helmert III 2022-11-12 01:58:21 UTC
Thanks! Please stabilize when ready.
Comment 3 Petr Vaněk 2022-11-22 19:01:51 UTC
I think GLSA is not necessary in this case.
Comment 4 John Helmert III 2022-11-23 00:22:05 UTC
Great, thanks!
Comment 5 Larry the Git Cow 2022-11-23 00:24:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bef961bfd119bf2f945108589261844d69260d80

commit bef961bfd119bf2f945108589261844d69260d80
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2022-11-22 18:57:12 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-23 00:23:44 +0000

    dev-db/redis: drop 6.2.7-r1, 7.0.5
    
    Bug: https://bugs.gentoo.org/877863
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/28388
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-db/redis/redis-6.2.7-r1.ebuild | 195 -------------------------------------
 dev-db/redis/redis-7.0.5.ebuild    | 188 -----------------------------------
 2 files changed, 383 deletions(-)
Comment 6 John Helmert III 2022-11-23 00:24:39 UTC
All done, thanks!