Bug 22465

Summary: redis new security issue CVE-2017-15047
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, joequant, mageia, marja11, smelror, sysadmin-bugs, tarazed25, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK MGA6-32-OK
Source RPM: redis-4.0.2-1.mga7.src.rpm CVE: CVE-2017-15047
Status comment:

Description David Walser 2018-01-26 05:37:15 CET 
openSUSE has issued an advisory tomorrow (January 26):
https://lists.opensuse.org/opensuse-updates/2018-01/msg00096.html

The issue was fixed upstream in 4.0.3.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-01-26 05:37:22 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-01-26 05:37:58 CET 
Here's the actual openSUSE advisory:
https://lists.opensuse.org/opensuse-updates/2018-01/msg00099.html
Comment 2 Marja Van Waes 2018-01-26 07:12:27 CET 
Assigning to all packagers collectively, since the registered maintainer for this package is most likely unavailable.

CC: (none) => joequant, mageia, marja11
Assignee: bugsquad => pkg-bugs

Stig-Ørjan Smelror 2018-01-27 14:14:27 CET

Assignee: pkg-bugs => smelror
CC: (none) => smelror
Whiteboard: MGA6TOO => MGA6TOO MGA5TOO

Stig-Ørjan Smelror 2018-01-27 17:56:31 CET

Whiteboard: MGA6TOO MGA5TOO => MGA6TOO

Comment 3 Stig-Ørjan Smelror 2018-01-27 18:55:52 CET 
Advisory:
========================

Redis has been updated to fix a security issue.

The following vulnerabilities were fixed:
- CVE-2017-15047: Buffer overflows occurring reading redis.conf
(bsc#1061967)

The following bugs are fixed:
- Several PSYNC2 bugs could cause data corruption

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-15047
https://bugzilla.suse.com/1061967
https://lists.opensuse.org/opensuse-updates/2018-01/msg00099.html


Updated packages in core/updates_testing:
========================
redis-4.0.7-1.mga6

from redis-4.0.7-1.mga6.src.rpm

Keywords: (none) => advisory
Assignee: smelror => qa-bugs
CVE: (none) => CVE-2017-15047

Thomas Backlund 2018-01-27 19:23:59 CET

Version: Cauldron => 6
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)

Comment 4 Herman Viaene 2018-02-02 10:53:43 CET 
MGA6-32 on Dell Latitude D600 Mate
No installation issues
Tried to follow bug 19158 Comment 2
# systemctl  start redis
# systemctl -l status redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since vr 2018-02-02 10:32:43 CET; 3s ago
 Main PID: 14360 (redis-server)
   CGroup: /system.slice/redis.service
           └─14360 /usr/bin/redis-server 127.0.0.1:6379                

feb 02 10:32:43 xxx.yyy.zzz systemd[1]: Started Redis persistent key-value database.
then
$ redis-cli < tutorial 
OK
"pluto"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 1
(integer) 2
(integer) 3
1) "David"
2) "Suzy"
3) "Zack"
1) "David"
2) "Suzy"
1) "Suzy"
2) "Zack"
looks OK
but then I have no idea what this .rediscli_history is about , nor does this item exist anywhere on my system.
Leaving to more knowledgeable people to judge this test.

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2018-02-05 11:02:45 CET 
Mageia 6 :: x86_64

Downgraded redis (updated  via another bug test)
# systemctl enable redis
# systemctl start redis
# systemctl status redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: failed (Result: exit-code) since Mon 2018-02-05 09:39:48 GMT; 11s ago
  Process: 17915 ExecStop=/usr/libexec/redis-shutdown (code=exited, status=1/FAI
  Process: 17911 ExecStart=/usr/bin/redis-server /etc/redis.conf --daemonize no 
 Main PID: 17911 (code=exited, status=1/FAILURE)

Feb 05 09:39:48 vega systemd[1]: Started Redis persistent key-value database.
Feb 05 09:39:48 vega systemd[1]: redis.service: Main process exited, code=exited
Feb 05 09:39:48 vega systemd[1]: redis.service: Control process exited, code=exi
Feb 05 09:39:48 vega systemd[1]: redis.service: Unit entered failed state.
Feb 05 09:39:48 vega systemd[1]: redis.service: Failed with result 'exit-code'.
# systemctl disable redis

Presumably the failure is due to the bug.

Update redis again.
# systemctl enable redis
Created symlink /etc/systemd/system/multi-user.target.wants/redis.service → /usr/lib/systemd/system/redis.service.
# systemctl start redis
# systemctl status redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Mon 2018-02-05 09:45:31 GMT; 7s ago
 Main PID: 27607 (redis-server)
   CGroup: /system.slice/redis.service
           └─27607 /usr/bin/redis-server 127.0.0.1:6379                

Feb 05 09:45:31 vega systemd[1]: Started Redis persistent key-value database.

I wondered where Herman found this 'tutorial' and ran locate on my system and discovered it was a relic from a previous QA test.
$ cat tutorial
SET server:name "pluto"
GET server:name
set connections 7
incr connections 
incr connections
get connections
del connections
incr connections
set resource:lock "Redis Demo 1"
expire resource:lock 40
ttl resource:lock
ttl resource:lock
ttl resource:lock
set resource:lock "Demo 2"
rpush friends "Suzy"
rpush friends "Zack"
lpush friends "David"
lrange friends 0 -1
lrange friends 0 1
lrange friends 1 2
exit

and when run against redis-cli produces the output which Herman lists.

.rediscli_history seems to be some kind of log but it does not make much sense to me.
$ ll .rediscli_history
-rw------- 1 lcl lcl 30 Feb  5 09:47 .rediscli_history
$ cat .rediscli_history
ps aux | grep redis
exit
quit

However, the update works, and Herman, you can OK your test.

CC: (none) => tarazed25

Len Lawrence 2018-02-05 11:03:05 CET

Whiteboard: (none) => MGA6-64-OK

Herman Viaene 2018-02-05 11:52:43 CET

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Len Lawrence 2018-02-05 12:04:32 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Dave Hodgins 2018-02-06 07:54:23 CET 
Stig-Ørjan Smelror, please note that the advisory keyword should not be added
until the advisory has been committed to svn. In this case ...
http://svnweb.mageia.org/advisories/22465.adv?view=log

The info in the suggested advisory in the bug report is used to create the
advisory in svn, in the proper format to allow the automated tools to push
the correct srpms from updates testing to updates, and to create the advisories
sent to subscribers of
https://ml.mageia.org/l/arc/updates-announce

The advisory has now been committed to svn.

CC: (none) => davidwhodgins

Comment 7 Stig-Ørjan Smelror 2018-02-06 09:44:48 CET 
(In reply to Dave Hodgins from comment #6)
> Stig-Ørjan Smelror, please note that the advisory keyword should not be added
> until the advisory has been committed to svn. In this case ...
> http://svnweb.mageia.org/advisories/22465.adv?view=log
> 
> The info in the suggested advisory in the bug report is used to create the
> advisory in svn, in the proper format to allow the automated tools to push
> the correct srpms from updates testing to updates, and to create the
> advisories
> sent to subscribers of
> https://ml.mageia.org/l/arc/updates-announce
> 
> The advisory has now been committed to svn.

Thank you. Initially I thought it was when the advisory was added here.

Cheers,
Stig
Comment 8 Mageia Robot 2018-02-06 16:36:01 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0119.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED