Bug 23200

Summary: redis new security issues CVE-2018-11218 and CVE-2018-11219
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: redis-4.0.7-1.mga6.src.rpm CVE:
Status comment:
Attachments: Python script to reproduce CVE-2018-11218 problem

Description David Walser 2018-06-18 22:41:39 CEST 
Debian has issued an advisory on June 17:
https://www.debian.org/security/2018/dsa-4230

The issues are fixed upstream in 4.0.10 (already updated in Cauldron):
http://antirez.com/news/119
Comment 1 David GEIGER 2018-06-19 16:17:59 CEST 
Done also for mga6!
Comment 2 David Walser 2018-06-20 13:15:37 CEST 
Advisory:
========================

Updated redis package fixes security vulnerabilities:

Multiple vulnerabilities were discovered in the Lua subsystem of Redis which
could result in denial of service (CVE-2018-11218, CVE-2018-11219).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11219
http://antirez.com/news/119
https://www.debian.org/security/2018/dsa-4230
========================

Updated packages in core/updates_testing:
========================
redis-4.0.10-1.mga6

from redis-4.0.10-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Comment 3 Herman Viaene 2018-07-01 10:28:55 CEST 
MGA6-32 on IBM Thinkpad R50e MATE
Ref. to bug 22465 Comment 4 and bug 19158 Comment 2 and the raw commands attachment.
# systemctl  start redis
# systemctl -l status redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since zo 2018-07-01 10:11:10 CEST; 15s ago
 Main PID: 15912 (redis-server)
   CGroup: /system.slice/redis.service
           └─15912 /usr/bin/redis-server 127.0.0.1:6379                

jul 01 10:11:10 <pcid> systemd[1]: Started Redis persistent key-value database.
$ redis-cli < redistutorial 
OK
"pluto"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 1
(integer) 2
(integer) 3
1) "David"
2) "Suzy"
3) "Zack"
1) "David"
2) "Suzy"
1) "Suzy"
2) "Zack"
Seems OK

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Len Lawrence 2018-07-05 01:16:56 CEST 
Mageia 6, x86_64

At least one reproducer for CVE-2018-11218, at https://gist.github.com/antirez/82445fcbea6d9b19f97014cc6cc79f8a.

Following up on this later.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-07-05 09:11:13 CEST 
Created attachment 10269 [details]
Python script to reproduce CVE-2018-11218 problem

Described at https://github.com/antirez/redis/commit/52a00201fca331217c3b4b8b634f6a0f57d6b7d3
Note that it does not seem to work.
Comment 6 Len Lawrence 2018-07-05 12:11:09 CEST 
Before the update:
redis-4.0.7-1.mga6

CVE-2018-11218

Created the trigger.py script referred to on the link quoted in comment 4.
Started the redis service and ran the trigger - no effect on the server.
$ python trigger.py
$ systemctl status -l redis
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset
  Drop-In: /usr/lib/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Thu 2018-07-05 08:16:41 BST; 48s ago
  Process: 26362 ExecStop=/usr/libexec/redis-shutdown (code=exited, status=0/SUCCESS)
 Main PID: 26369 (redis-server)
   CGroup: /system.slice/redis.service
           └─26369 /usr/bin/redis-server 127.0.0.1:6379                

The expected result is a "stack smash" resulting in a DoS which is supposed to crash the server.  Since there is no sign of that one may conclude that the problem had already been fixed in earlier versions but note that https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES indicates that it was not fixed until 4.0.10.

CVE-2018-11219

https://github.com/antirez/redis/commit/e89086e09a38cc6713bcd4b9c29abf92cf393936

$ lua -e "return struct.unpack('f', 'xxxxxxxxxxxxx', -3)"
lua: (command line):1: attempt to index global 'struct' (a nil value)
stack traceback:
	(command line):1: in main chunk
	[C]: in ?

This looks like a coding problem and a misunderstanding on my part so it is best to skip it.

Updated to redis-4.0.10-1 and restarted the server.

Ran the tutorial script against redis-cli and produced the same output as comment 3.  repeating the script here:
SET server:name "pluto"
GET server:name
set connections 7
incr connections 
incr connections
get connections
del connections
incr connections
set resource:lock "Redis Demo 1"
expire resource:lock 40
ttl resource:lock
ttl resource:lock
ttl resource:lock
set resource:lock "Demo 2"
rpush friends "Suzy"
rpush friends "Zack"
lpush friends "David"
lrange friends 0 -1
lrange friends 0 1
lrange friends 1 2
exit

No regressions so this is good for 64-bits as well.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Len Lawrence 2018-07-07 01:03:14 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-07-11 22:21:09 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2018-07-11 23:09:10 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0309.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 8 David Walser 2019-01-19 17:06:25 CET 
This update also fixed CVE-2018-12326:
https://bugzilla.redhat.com/show_bug.cgi?id=1594291