Bug 26255

Summary: hiredis new security issue CVE-2020-7105
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: hiredis-0.13.3-5.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-02-25 14:40:39 CET 
Fedora has issued an advisory on February 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZKOTCIYFEWJJILUGL4JQ3CJAM3TWYZ2A/

Mageia 7 is also affected.
David Walser 2020-02-25 14:40:47 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-02-25 19:51:38 CET 
No evident maintainer, so assigning this globally; CC'ing DavidG who has recently touched it.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210

Comment 2 David GEIGER 2020-02-25 20:53:00 CET 
Done for both Cauldron and mga7!
Comment 3 David Walser 2020-02-25 21:46:12 CET 
Advisory:
========================

Updated hiredis packages fix security vulnerability:

async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a NULL
pointer dereference because malloc return values are unchecked (CVE-2020-7105).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7105
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZKOTCIYFEWJJILUGL4JQ3CJAM3TWYZ2A/
========================

Updated packages in core/updates_testing:
========================
libhiredis0.13-0.13.3-4.1.mga7
libhiredis-devel-0.13.3-4.1.mga7

from hiredis-0.13.3-4.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7

Comment 4 Len Lawrence 2020-02-26 21:04:00 CET 
mga7, x86_64

Before updating installed tellico and created a book collection with two entries.

Updated the two packages and ran tellico under strace.

It picked up the book collection OK.  Displayed the entries then started a music collection.

$ strace -o tellico.trace tellico
$ grep hiredis tellico.trace
openat(AT_FDCWD, "/lib64/libhiredis.so.0.13", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libhiredis.so.0.13", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib64/libhiredis.so.0.13", O_RDONLY) = 23

Opened the music collection and printed out one of the entries.
Tellico works and libhiredis0.13 by inference.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-02-28 01:11:08 CET 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-02-29 13:45:50 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2020-02-29 14:43:52 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0109.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED