| Summary: | Redis new security issue CVE-2023-45145 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Stig-Ørjan Smelror <smelror> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, chb0, herman.viaene, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | | CVE: | CVE-2023-45145 |
| Status comment: | Fixed upstream in version 7.0.14/7.2.2 | ||
Description
Stig-Ørjan Smelror
2023-10-18 13:53:57 CEST
Stig-Ørjan Smelror
2023-10-18 13:55:13 CEST
Whiteboard: (none) => MGA9TOO

Cauldron updated.

Whiteboard: MGA9TOO => (none)

Advisory
========

Redis upstream published a fix for CVE-2023-45145.

CVE-2023-45145: The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.

References
==========

https://github.com/redis/redis/releases/tag/7.0.14

Files
=====

Uploaded to core/updates_testing

redis-7.0.14-1.mga9 from redis-7.0.14-1.mga9.src.rpm

Assignee: smelror => qa-bugs

Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

CC: (none) => marja11

Installed using qarepo; no issue.
Service runs fine after update:
```
● redis.service - Redis persistent key-value database
Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; preset: disabled)
Drop-In: /usr/lib/systemd/system/redis.service.d
└─limit.conf
Active: active (running) since Sun 2023-10-22 19:39:33 CEST; 56s ago
Main PID: 21333 (redis-server)
Tasks: 5 (limit: 38410)
Memory: 2.8M
CPU: 55ms
CGroup: /system.slice/redis.service
└─21333 "/usr/bin/redis-server unixsocket:/tmp/redis.sock"
oct. 22 19:39:33 cbct-serv systemd[1]: Started redis.service.
```
Extract of log, before and after the update. It looks like it works as before.
The WARNING Memory overcommit was there before the update. I have never noticed it.
Should I care about it?
```
1621:M 22 Oct 2023 19:22:27.005 * 10 changes in 300 seconds. Saving...
1621:M 22 Oct 2023 19:22:27.005 * Background saving started by pid 20255
20255:C 22 Oct 2023 19:22:27.034 * DB saved on disk
20255:C 22 Oct 2023 19:22:27.035 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1621:M 22 Oct 2023 19:22:27.105 * Background saving terminated with success
1621:M 22 Oct 2023 19:27:33.386 * 10 changes in 300 seconds. Saving...
1621:M 22 Oct 2023 19:27:33.386 * Background saving started by pid 20262
20262:C 22 Oct 2023 19:27:33.413 * DB saved on disk
20262:C 22 Oct 2023 19:27:33.414 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1621:M 22 Oct 2023 19:27:33.486 * Background saving terminated with success
1621:M 22 Oct 2023 19:32:34.050 * 10 changes in 300 seconds. Saving...
1621:M 22 Oct 2023 19:32:34.050 * Background saving started by pid 20788
20788:C 22 Oct 2023 19:32:34.078 * DB saved on disk
20788:C 22 Oct 2023 19:32:34.079 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1621:M 22 Oct 2023 19:32:34.150 * Background saving terminated with success
1621:M 22 Oct 2023 19:37:55.177 * 10 changes in 300 seconds. Saving...
1621:M 22 Oct 2023 19:37:55.177 * Background saving started by pid 21236
21236:C 22 Oct 2023 19:37:55.205 * DB saved on disk
21236:C 22 Oct 2023 19:37:55.205 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1621:M 22 Oct 2023 19:37:55.278 * Background saving terminated with success
1621:signal-handler (1697996373) Received SIGTERM scheduling shutdown...
1621:M 22 Oct 2023 19:39:33.401 # User requested shutdown...
1621:M 22 Oct 2023 19:39:33.401 * Saving the final RDB snapshot before exiting.
1621:M 22 Oct 2023 19:39:33.408 * DB saved on disk
1621:M 22 Oct 2023 19:39:33.408 * Removing the pid file.
1621:M 22 Oct 2023 19:39:33.408 * Removing the unix socket file.
1621:M 22 Oct 2023 19:39:33.408 # Redis is now ready to exit, bye bye...
21333:C 22 Oct 2023 19:39:33.434 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
21333:C 22 Oct 2023 19:39:33.434 # Redis version=7.0.14, bits=64, commit=00000000, modified=0, pid=21333, just started
21333:C 22 Oct 2023 19:39:33.434 # Configuration loaded
21333:M 22 Oct 2023 19:39:33.434 * monotonic clock: POSIX clock_gettime
                _._
           _.-``__ ''-._
      _.-``    `.  `_.  ''-._           Redis 7.0.14 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._
 (    '      ,       .-`  | `,    )     Running in standalone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 0
 |    `-._   `._    /     _.-'    |     PID: 21333
  `-._    `-._  `-./  _.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |           https://redis.io
  `-._    `-._`-.__.-'_.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |
  `-._    `-._`-.__.-'_.-'    _.-'
      `-._    `-.__.-'    _.-'
          `-._        _.-'
              `-.__.-'
21333:M 22 Oct 2023 19:39:33.434 # Server initialized
21333:M 22 Oct 2023 19:39:33.434 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
21333:M 22 Oct 2023 19:39:33.434 * Loading RDB produced by version 7.0.11
21333:M 22 Oct 2023 19:39:33.434 * RDB age 0 seconds
21333:M 22 Oct 2023 19:39:33.434 * RDB memory usage when created 1.47 Mb
21333:M 22 Oct 2023 19:39:33.436 * Done loading RDB, keys loaded: 2446, keys expired: 0.
21333:M 22 Oct 2023 19:39:33.436 * DB loaded from disk: 0.001 seconds
21333:M 22 Oct 2023 19:39:33.436 * The server is now ready to accept connections at /tmp/redis.sock
21333:signal-handler (1697996588) Received SIGTERM scheduling shutdown...
21333:M 22 Oct 2023 19:43:08.529 # User requested shutdown...
21333:M 22 Oct 2023 19:43:08.529 * Saving the final RDB snapshot before exiting.
21333:M 22 Oct 2023 19:43:08.547 * DB saved on disk
21333:M 22 Oct 2023 19:43:08.547 * Removing the pid file.
21333:M 22 Oct 2023 19:43:08.547 * Removing the unix socket file.
21333:M 22 Oct 2023 19:43:08.547 # Redis is now ready to exit, bye bye...
1623:C 22 Oct 2023 19:45:19.878 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
1623:C 22 Oct 2023 19:45:19.882 # Redis version=7.0.14, bits=64, commit=00000000, modified=0, pid=1623, just started
1623:C 22 Oct 2023 19:45:19.882 # Configuration loaded
1623:M 22 Oct 2023 19:45:19.883 * monotonic clock: POSIX clock_gettime
                _._
           _.-``__ ''-._
      _.-``    `.  `_.  ''-._           Redis 7.0.14 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._
 (    '      ,       .-`  | `,    )     Running in standalone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 0
 |    `-._   `._    /     _.-'    |     PID: 1623
  `-._    `-._  `-./  _.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |           https://redis.io
  `-._    `-._`-.__.-'_.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |
  `-._    `-._`-.__.-'_.-'    _.-'
      `-._    `-.__.-'    _.-'
          `-._        _.-'
              `-.__.-'
1623:M 22 Oct 2023 19:45:19.892 # Server initialized
1623:M 22 Oct 2023 19:45:19.892 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
1623:M 22 Oct 2023 19:45:19.893 * Loading RDB produced by version 7.0.14
1623:M 22 Oct 2023 19:45:19.893 * RDB age 131 seconds
1623:M 22 Oct 2023 19:45:19.893 * RDB memory usage when created 1.45 Mb
1623:M 22 Oct 2023 19:45:19.897 * Done loading RDB, keys loaded: 2444, keys expired: 1.
1623:M 22 Oct 2023 19:45:19.897 * DB loaded from disk: 0.004 seconds
1623:M 22 Oct 2023 19:45:19.897 * The server is now ready to accept connections at /tmp/redis.sock
1623:M 22 Oct 2023 19:50:20.008 * 10 changes in 300 seconds. Saving...
1623:M 22 Oct 2023 19:50:20.009 * Background saving started by pid 19091
19091:C 22 Oct 2023 19:50:20.037 * DB saved on disk
19091:C 22 Oct 2023 19:50:20.037 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1623:M 22 Oct 2023 19:50:20.109 * Background saving terminated with success
```

CC: (none) => chb0

MGA9-64 Xfce on Acer Aspire 5253
No installation issues
No redis before on this machine, so nothing much to see.
```
# systemctl start redis
# systemctl -l status redis
● redis.service - Redis persistent key-value database
Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; preset: disabled)
Drop-In: /usr/lib/systemd/system/redis.service.d
└─limit.conf
Active: active (running) since Tue 2023-10-24 16:32:01 CEST; 14s ago
Main PID: 59779 (redis-server)
Tasks: 5 (limit: 4317)
Memory: 2.7M
CPU: 104ms
CGroup: /system.slice/redis.service
└─59779 "/usr/bin/redis-server 127.0.0.1:6379"
Oct 24 16:32:01 mach7.hviaene.thuis systemd[1]: Started redis.service.
```
Good enough unless someone wants to delve deeper into this.

Whiteboard: (none) => MGA9-64-OK

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0301.html

Status: NEW => RESOLVED