| Summary: | redis new security issue CVE-2020-14147 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, sysadmin-bugs, tarazed25, zombie_ryushu |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | redis-5.0.5-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2020-07-21 18:06:11 CEST
What do you suggest? To update to 5.0.8, 5.0.9 or go for 6.0.6 released recently?

Cheers,
Stig

5.0.9 sounds like the best bet (newest in our current branch).

Advisory
========

Redis has been updated to fix a security issue.

CVE-2020-14147 - An integer overflow in the getnum function in lua_struct.c

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2020-14147
https://www.debian.org/security/2020/dsa-4731

Files
=====

Uploaded to core/updates_testing

redis-5.0.9-1.mga7 from redis-5.0.9-1.mga7.src.rpm

Assignee: smelror => qa-bugs

mga7, x86_64

CVE-2020-14147
https://github.com/redis/redis/issues/2855

This is a "simple" PoC used with an earlier version of redis, recommended to reproduce the stack-based buffer overflow in the latest version. However, there is no direction on how to use it - cannot get it to work here because lua does not include structs from what I read elsewhere. The Lua programming manual does not mention them.

```
$ lua
Lua 5.3.5 Copyright (C) 1994-2018 Lua.org, PUC-Rio
> EVAL "struct.pack('>I2147483648', '10')" 0
stdin:1: unexpected symbol near '0'
> struct.pack('>I2147483648', '10')
stdin:1: attempt to index a nil value (global 'struct')
stack traceback:
        stdin:1: in main chunk
        [C]: in ?
```

Giving up on that.

Tested redis before updating by starting the redis service and running a tutorial script against redis-cli which produced the expected results. The script was last used on https://bugs.mageia.org/show_bug.cgi?id=24042

Updated redis.

```
$ sudo systemctl restart redis.service
$ redis-cli
127.0.0.1:6379> get server:name
"pluto"
127.0.0.1:6379> exit
```

So, the database is persistent.

Ran the tutorial script using a new server name.

```
$ redis-cli < tutorial
OK
"rapunzel"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 4
(integer) 5
(integer) 6
1) "David"
2) "David"
3) "Suzy"
4) "Zack"
5) "Suzy"
6) "Zack"
1) "David"
2) "David"
1) "David"
2) "Suzy"
```

Made some trivial changes to the tutorial script:

```
$ redis-cli < tutorial
OK
"rapunzel"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 7
(integer) 8
(integer) 9
1) "Polly"
2) "David"
3) "David"
4) "Suzy"
5) "Zack"
6) "Suzy"
7) "Zack"
8) "Sukie"
9) "Zack"
1) "Polly"
2) "David"
1) "David"
2) "David"
```

No regressions. Giving this an OK for 64-bits.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
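The advisory in this thread names an integer overflow in the getnum function of lua_struct.c, and the QA comment quotes the PoC format string. As an added illustration for the thread (not code from Redis, Lua struct or Mageia), here is a getnum-style size parser in the shape that description implies, with the unchecked accumulator beside a checked one that rejects the PoC size; the function names, the 'I'-then-digits field layout and the default size are assumptions taken from the PoC string on this page.

```c
/* Added example, not Redis's code: a getnum()-style size parser as used by
 * lua_struct.c, first unchecked (the CVE-2020-14147 defect) and then checked.
 * Assumes the page's PoC format ">I2147483648": the digits after 'I' are the size. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Unchecked: the int accumulator overflows on large sizes (signed overflow is
 * undefined behaviour; on common compilers it wraps negative and is trusted later). */
int getnum_unchecked(const char **fmt, int df) {
    if (!isdigit((unsigned char)**fmt)) return df;   /* no digits: default size */
    int a = 0;
    do {
        a = a * 10 + (*(*fmt)++ - '0');
    } while (isdigit((unsigned char)**fmt));
    return a;
}

/* Checked: returns 1 and stores the size, or 0 if a*10+d would exceed INT_MAX. */
int getnum_checked(const char **fmt, int df, int *out) {
    if (!isdigit((unsigned char)**fmt)) { *out = df; return 1; }
    int a = 0;
    do {
        int d = *(*fmt)++ - '0';
        if (a > (INT_MAX - d) / 10)
            return 0;                   /* would overflow: reject the format */
        a = a * 10 + d;
    } while (isdigit((unsigned char)**fmt));
    *out = a;
    return 1;
}

/* Size after 'I' in a format like ">I2147483648"; 0 if malformed or overflowing. */
int parse_int_size(const char *fmt, int *size) {
    const char *p = fmt;
    if (*p == '>' || *p == '<' || *p == '=' || *p == '!')
        p++;                            /* optional endianness prefix */
    if (*p++ != 'I')
        return 0;                       /* only the 'I' field is handled here */
    return getnum_checked(&p, (int)sizeof(int), size);
}

int main(void) {
    int size;
    const char *poc = ">I2147483648";   /* the PoC format from the bug thread */
    printf("%s -> %s\n", poc, parse_int_size(poc, &size) ? "accepted" : "rejected");
    return 0;
}
```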
Dave Hodgins
2020-07-31 11:04:54 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0312.html

Resolution: (none) => FIXED