| Summary: | redis new security issues CVE-2021-2947[78] and CVE-2021-32761 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | herman.viaene, mageia, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | redis-6.0.11-1.mga8.src.rpm | CVE: | CVE-2021-2947[78] and CVE-2021-32761 |
| Status comment: | | | |
Description

David Walser
2021-05-30 03:33:43 CEST

David Walser
2021-05-30 03:33:57 CEST

CC: (none) => mageia

In cauldron we have 6.0.11, then 6.2.0-6.2.3. All these were done by Stig, so assigning the bug to you.

Assignee: bugsquad => smelror

openSUSE has issued an advisory on June 5:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/B74HW6HBAH5TAP4L5LLUY3KI4JBTVQS3/

The issue (CVE-2021-32625) is fixed upstream in 6.0.14 and 6.2.4. It wouldn't go in our update advisory, as it's a CVE for an incomplete fix for CVE-2021-29477.

Status comment: Fixed upstream in 6.0.13 => Fixed upstream in 6.0.14

Fedora has issued an advisory for this on June 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BHWOF7CBVUGDK3AN6H3BN3VNTH2TDUZZ/

Fedora advisory for 6.0.x:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SN7INTZFE34MIQJO7WDDTIY5LIBGN6GI/

Debian-LTS has issued an advisory on July 22:
https://www.debian.org/lts/security/2021/dla-2717

The issue is fixed upstream in 6.0.15:
https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj

Status comment: Fixed upstream in 6.0.14 => Fixed upstream in 6.0.15

Advisory
========

Redis has been updated to fix several security issues.

CVE-2021-29477: An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution.

CVE-2021-29478: An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result in remote code execution.

CVE-2021-32761: A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` commands are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution.

References
==========

https://www.opencve.io/cve/CVE-2021-29477
https://www.opencve.io/cve/CVE-2021-29478
https://www.opencve.io/cve/CVE-2021-32761
https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj

Files
=====

Uploaded to core/updates_testing

redis-6.0.15-1.mga8 from redis-6.0.15-1.mga8.src.rpm

Assignee: smelror => qa-bugs

David Walser
2021-07-24 14:34:45 CEST

Status comment: Fixed upstream in 6.0.15 => (none)

MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 24042 Comment 1 for testing with the tutorial file. Repeating all results here as there are a few minor differences in the texts.

```
# systemctl start redis
# systemctl -l status redis
● redis.service - Redis persistent key-value database
     Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/redis.service.d
             └─limit.conf
     Active: active (running) since Sat 2021-07-24 15:05:36 CEST; 16s ago
   Main PID: 13659 (redis-server)
      Tasks: 5 (limit: 9402)
     Memory: 1.7M
        CPU: 43ms
     CGroup: /system.slice/redis.service
             └─13659 /usr/bin/redis-server 127.0.0.1:6379

jul 24 15:05:36 mach5.hviaene.thuis systemd[1]: Started Redis persistent key-value database.
```

Then as normal user:

```
$ redis-cli < tutorialredis.txt
OK
"pluto"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 1
(integer) 2
(integer) 3
1) "David"
2) "Suzy"
3) "Zack"
1) "David"
2) "Suzy"
1) "Suzy"
2) "Zack"
$ redis-cli
127.0.0.1:6379> lrange friends 1-2<stop>
(error) ERR wrong number of arguments for 'lrange' command
127.0.0.1:6379> lrange friends 1 2
1) "Suzy"
2) "Zack"
127.0.0.1:6379> GET server:name
"pluto"
127.0.0.1:6379> set resource:lock "Demo 2"
OK
127.0.0.1:6379> expire "Demo 2" 10
(integer) 0
127.0.0.1:6379> ttl resource:lock
(integer) -1
127.0.0.1:6379> ttl resource:lock
(integer) -1
127.0.0.1:6379> lpush friends "Lucy"
(integer) 4
127.0.0.1:6379> lrange friends 7 7
(empty array)
127.0.0.1:6379> lrange friends 0 0
1) "Lucy"
127.0.0.1:6379> lrange friends 0 -1
1) "Lucy"
2) "David"
3) "Suzy"
4) "Zack"
127.0.0.1:6379> exit
```

OK for me.

CC: (none) => herman.viaene

Validating.
```yaml
type: security
subject: Updated redis package fixes security vulnerabilities
CVE:
  - CVE-2021-29477
  - CVE-2021-29478
  - CVE-2021-32761
src:
  8:
    core:
      - redis-6.0.15-1.mga8
description: |
  An integer overflow bug in Redis version 6.0 or newer could be exploited using
  the `STRALGO LCS` command to corrupt the heap and potentially result in
  remote code execution (CVE-2021-29477).

  An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to
  corrupt the heap and potentially result in remote code execution
  (CVE-2021-29478).

  A vulnerability involving out-of-bounds read and integer overflow to buffer
  overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15
  and 6.2.5. On 32-bit systems, Redis `*BIT*` commands are vulnerable to integer
  overflow that can potentially be exploited to corrupt the heap, leak arbitrary
  heap contents or trigger remote code execution (CVE-2021-32761).
references:
  - https://bugs.mageia.org/show_bug.cgi?id=29036
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BPWBIZXA67JFIB63W2CNVVILCGIC2ME5/
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BHWOF7CBVUGDK3AN6H3BN3VNTH2TDUZZ/
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SN7INTZFE34MIQJO7WDDTIY5LIBGN6GI/
  - https://www.debian.org/lts/security/2021/dla-2717
  - https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj
```

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0373.html

Status: NEW => RESOLVED
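As an added check for administrators handling this advisory (example code written for this page, not code from the Mageia bug, the advisory text or the Redis project): a small Python script that takes the text of a Redis `INFO server` reply and decides, from the fixed versions the advisory lists (affected from 2.2, fixed in 5.0.13, 6.0.15 and 6.2.5), whether an instance still needs the update. The `SAMPLE_INFO` text is constructed for the example; the only fields it relies on, `redis_version` and `arch_bits`, are ones Redis really reports in that section. Branch names the advisory does not mention are treated as outside its stated ranges, which is an assumption of this script, not a statement from the advisory.

```python
"""Decide from a Redis `INFO server` reply whether the instance still falls in
the version ranges the advisory above lists as affected.

Added example for this page; it is not code from the Mageia bug, the advisory
or the Redis project. Thresholds are the fixed versions the advisory states.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per branch, as stated in the advisory (CVE-2021-32761 is
# fixed in 5.0.13, 6.0.15 and 6.2.5; the 6.0.15 package shipped here also
# carries the CVE-2021-29477 and CVE-2021-29478 fixes).
FIXED_BY_BRANCH = {
    (5, 0): (5, 0, 13),
    (6, 0): (6, 0, 15),
    (6, 2): (6, 2, 5),
}
FIRST_AFFECTED: Version = (2, 2, 0)  # "starting with version 2.2"


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def info_field(info: str, name: str) -> Optional[str]:
    """Look up one 'key:value' line of an INFO reply (section headers start with #)."""
    for line in info.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == name:
            return value
    return None


def required_fix(version: Version) -> Optional[Version]:
    """Return the first fixed release for this version's branch, or None when the
    version lies outside every affected range the advisory lists."""
    if version < FIRST_AFFECTED:
        return None
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        return fixed if version < fixed else None
    if version < (5, 0, 0):
        # every 2.2 <= v < 5.0 release sits in the "prior to 5.0.13" range
        return FIXED_BY_BRANCH[(5, 0)]
    # Assumption of this script: 5.x/6.x branches the advisory does not name
    # (e.g. 6.1 development builds) and anything newer than 6.2 are treated as
    # outside its stated ranges.
    return None


def assess(info: str) -> dict:
    """Summarise exposure from an INFO server reply."""
    raw = info_field(info, "redis_version")
    if raw is None:
        raise ValueError("redis_version not found in INFO output")
    version = parse_version(raw)
    fix = required_fix(version)
    bits_raw = info_field(info, "arch_bits")
    bits = int(bits_raw) if bits_raw is not None else None
    return {
        "version": ".".join(map(str, version)),
        "required_fix": ".".join(map(str, fix)) if fix else None,
        "arch_bits": bits,
        # The advisory states the *BIT* overflow (CVE-2021-32761) for 32-bit builds.
        "bit_commands_overflow_risk": fix is not None and bits == 32,
    }


# Constructed sample of an `INFO server` reply (not captured from a real host).
SAMPLE_INFO = """# Server
redis_version:6.0.11
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 5.10.0 x86_64
arch_bits:64
tcp_port:6379
"""

if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```

On a live host the same text comes from `redis-cli INFO server`; the script deliberately takes the text rather than opening a connection, so it can be run against output collected from many hosts and the decision logic can be unit-tested offline.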