Bug 19158 - redis new security issue CVE-2013-7458
Summary: redis new security issue CVE-2013-7458
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/695958/
Whiteboard: MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-08-08 21:59 CEST by David Walser
Modified: 2016-08-31 19:34 CEST (History)
2 users (show)

See Also:
Source RPM: redis-3.0.7-6.mga6.src.rpm
CVE:
Status comment:

Attachments
Session output for redis-cli (1.32 KB, text/plain)
2016-08-26 01:31 CEST, Len Lawrence 		Details
Raw commands for redis-cli - a small sample (410 bytes, text/plain)
2016-08-26 01:33 CEST, Len Lawrence 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-08-08 21:59:52 CEST 
Debian has issued an advisory on July 30:
https://www.debian.org/security/2016/dsa-3634

Mageia 5 is also affected.
David Walser 2016-08-08 22:00:00 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-08-12 00:14:25 CEST 
Patched packages submitted for Mageia 5 and Cauldron.

Side note to Colin, please make sure to put the subrel right above %mkrel and not at the top of the SPEC file.

Advisory:
========================

Updated redis package fixes security vulnerability:

It was discovered that redis did not properly protect redis-cli history files; they were created by default with world-readable permissions (CVE-2013-7458).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7458
https://www.debian.org/security/2016/dsa-3634
========================

Updated packages in core/updates_testing:
========================
redis-2.8.13-4.2.mga5

from redis-2.8.13-4.2.mga5.src.rpm

Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 2 Len Lawrence 2016-08-26 01:30:00 CEST 
Testing on x86_64

Before update tried out redis, which was already installed.  There is an interactive tutorial online and you can see the attached sample.txt for a flavour of the commands.
The tutorial text can be fed to redis-cli like so:
$ redis-cli < tutorial

Once a session has been completed the security vulnerability is demonstrated by

$ ls -l  ~/.rediscli_history
-rw-r--r-- 1 lcl wireshark 108 Aug 26 00:08 .rediscli_history

showing that the history file is world readable.

Ran the update and removed the history file.
$ sudo systemctl restart redis.service
Ran the tutorial text through the command line interpreter again.
$ ls -l .rediscli_history
-rw------- 1 lcl wireshark 25 Aug 26 00:26 .rediscli_history

This can be flagged as OK for 64-bits.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2016-08-26 01:31:14 CEST 
Created attachment 8370 [details]
Session output for redis-cli
Len Lawrence 2016-08-26 01:32:08 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 4 Len Lawrence 2016-08-26 01:33:49 CEST 
Created attachment 8371 [details]
Raw commands for redis-cli - a small sample

Use 
$ redis-cli < tutorial
to see outputs for individual commands.
Comment 5 Len Lawrence 2016-08-26 01:42:13 CEST 
The output from the tutorial session looks a bit different if redis-cli is run interactively as it is meant to be, line by line.  The method suggested is just a lazy way to repeat things.
Comment 6 Len Lawrence 2016-08-26 23:08:10 CEST 
Validating this.  Adding it to the pile for sysadmins to push.  Thanks.
Len Lawrence 2016-08-26 23:08:23 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Rémi Verschelde 2016-08-31 19:17:49 CEST 
Advisory uploaded.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 8 Mageia Robot 2016-08-31 19:34:50 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0295.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.