Bug 29552 - redis new security issues CVE-2021-3262[6-8] CVE-2021-3267[25] CVE-2021-32687 CVE-2021-32762 CVE-2021-41099
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2021-10-13 15:44 CEST by David Walser
Modified: 2021-10-15 01:26 CEST

See Also:
Source RPM: redis-6.0.15-1.mga8.src.rpm
CVE:
Status comment:



David Walser 2021-10-13 15:44:28 CEST

Status comment: (none) => Fixed upstream in 6.0.16
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29549
Version: Cauldron => 8

David Walser 2021-10-13 22:33:54 CEST

CC: (none) => smelror

Comment 2 David Walser 2021-10-13 22:35:08 CEST
Please include a real advisory (you can get descriptions of the security issues from the RedHat bugs), and remember to leave yourself in CC when assigning to QA.

Status comment: Fixed upstream in 6.0.16 => (none)

Comment 3 Len Lawrence 2021-10-14 18:03:20 CEST
@Stig, apropos of comment 2 and Dave Hodgins' attempts to encourage QA testers to become more involved in the advisory side, I am willing to try to give you a hand in this, provided somebody with more experience approves the text. My SVN commit rights don't seem to work though.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2021-10-14 18:51:23 CEST
$ rpm -q redis
package redis is not installed
Installed it.
(medium "Core Release")
  lib64jemalloc2                 5.2.1        3.mga8        x86_64  
(medium "Core Updates")
  redis                          6.0.15       1.mga8        x86_64  

Started redis service and checked redis-cli with earlier tutorial script.
https://bugs.mageia.org/show_bug.cgi?id=24042
$ redis-cli
127.0.0.1:6379> get server:name
(nil)
127.0.0.1:6379> exit
$ redis-cli < tutorial
........
$ redis-cli
127.0.0.1:6379> get server:name
"rapunzel"
....

Clean update with qarepo.
$ rpm -q redis
redis-6.0.16-1.mga8
$ sudo systemctl restart redis
$ redis-cli < tutorial
OK
"rapunzel"
OK
(integer) 8
(integer) 9
"9"
(integer) 1
(integer) 1
OK
(integer) 1
(integer) 40
(integer) 40
(integer) 40
OK
(integer) 4
(integer) 5
(integer) 6
1) "Polly"
2) "Polly"
3) "Sukie"
.....

Expected output, no regressions.
$ urpmq --whatrequires redis | uniq
ntopng

Installed ntopng.
$ su -
Password: 
# ntopng -i eno1
# strace -o ntopng.trace ntopng -i eno1
14/Oct/2021 17:34:48 [Ntop.cpp:2336] Setting local networks to 127.0.0.0/8,fe80::/10
14/Oct/2021 17:34:48 [Redis.cpp:157] Successfully connected to redis 127.0.0.1:6379@0
14/Oct/2021 17:34:48 [Redis.cpp:157] Successfully connected to redis 127.0.0.1:6379@0
...........
14/Oct/2021 17:34:54 [NetworkInterface.cpp:1701] WARNING: If you have TSO/GRO enabled, please disable it
14/Oct/2021 17:34:54 [NetworkInterface.cpp:1703] WARNING: Use sudo ethtool -K eno1 gro off gso off tso off
^C
14/Oct/2021 17:36:52 [main.cpp:50] Shutting down...
14/Oct/2021 17:36:52 [PcapInterface.cpp:336] Terminated packet polling for eno1
14/Oct/2021 17:36:52 [NetworkInterface.cpp:2621] Flow dump thread completed for eno1
14/Oct/2021 17:36:55 [Ntop.cpp:2540] Terminating periodic activities
...........
14/Oct/2021 17:36:57 [NetworkInterface.cpp:544] Flushing host contacts for interface eno1
14/Oct/2021 17:36:57 [NetworkInterface.cpp:2778] Cleanup interface eno1
14/Oct/2021 17:36:57 [AddressResolution.cpp:63] Address resolution stats [7 resolved][2 failures]

# grep redis ntopng.trace | wc -l
92

Most of the entries were similar to this:
openat(AT_FDCWD, "/var/lib/ntopng/plugins0/ts_schemas/redis_monitor", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 23

These superficial tests work so this gets an OK.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2021-10-14 22:17:43 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 David Walser 2021-10-14 22:24:53 CEST
(In reply to Len Lawrence from comment #3)
> @Stig, apropos of comment 2 and Dave Hodgins' attempts to encourage QA
> testers to become more involved in the advisory side I am willing to try to
> give you a hand in this provided somebody with more experience approves the
> text.  My SVN commit rights don't seem to work though.

Len, this isn't what Dave was talking about. Dave was talking about committing the advisories to SVN. Before you can do that, we have to *have* an advisory to commit, which we don't, and the packager is supposed to provide that.

Comment 7 Stig-Ørjan Smelror 2021-10-14 22:58:07 CEST
Advisory
========

Redis has been updated to fix several security issues.

CVE-2021-32626: Specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result in heap corruption and potentially remote code execution.
CVE-2021-32627: An integer overflow bug in Redis 5.0 or newer can be exploited to corrupt the heap and potentially result in remote code execution.
CVE-2021-32628: An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result in remote code execution.
CVE-2021-32672: When using the Redis Lua Debugger, users can send malformed requests that cause the debugger's protocol parser to read data beyond the actual buffer.
CVE-2021-32675: When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header).
CVE-2021-32687: An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution.
CVE-2021-32762: The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies.
CVE-2021-41099: An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result in denial of service or remote code execution.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32675
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41099

Files
=====

Uploaded to core/updates_testing

redis-6.0.16-1.mga8

from redis-6.0.16-1.mga8.src.rpm

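Added example, not code from this bug or from Redis itself: a small bounds-checked RESP multi-bulk parser in Python that illustrates the defensive point behind CVE-2021-32675 and CVE-2021-32762 in the advisory above, namely that the element count and bulk lengths announced in headers are validated against hard caps and against the bytes actually received before anything is allocated or sliced. The cap values and the sample requests are constructed assumptions; the cap idea follows Redis's own proto-max-bulk-len setting but the numbers are not Redis defaults.

```python
# Added example (assumption-based, not Redis's own code): a bounds-checked RESP
# multi-bulk parser. Caps are assumed values in the spirit of proto-max-bulk-len.
MAX_MULTIBULK_COUNT = 1024 * 1024      # elements one "*<n>" header may announce
MAX_BULK_LEN = 512 * 1024 * 1024       # bytes one "$<n>" header may announce

class RespError(ValueError): pass      # malformed request or header over the caps

def _read_line(buf, pos):
    # Return (line without CRLF, next position); reject if no CRLF has arrived.
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise RespError("incomplete line")
    return buf[pos:end], end + 2

def _header_int(line, prefix):
    """Decode '<prefix><decimal digits>' strictly; anything else is rejected."""
    if not line.startswith(prefix) or not line[1:].isdigit():
        raise RespError(f"bad header {line!r}")
    return int(line[1:])

def parse_multibulk(buf, pos=0):
    """Parse one multi-bulk request from buf[pos:]; return (items, next_pos).
    Counts and lengths are checked against the caps and against the bytes
    actually received before any slice is taken: no header-driven allocation
    and no read past the end of the buffer."""
    line, pos = _read_line(buf, pos)
    count = _header_int(line, b"*")
    if count > MAX_MULTIBULK_COUNT:
        raise RespError(f"multi-bulk count out of range: {count}")
    items = []
    for _ in range(count):
        line, pos = _read_line(buf, pos)
        n = _header_int(line, b"$")
        if n > MAX_BULK_LEN:
            raise RespError(f"bulk length out of range: {n}")
        if len(buf) - pos < n + 2:        # declared length exceeds data received
            raise RespError("bulk body truncated")
        items.append(buf[pos:pos + n])
        pos += n + 2
    return items, pos

def safe_parse(buf):
    # Return ('ok', items) or ('rejected', reason) instead of raising.
    try:
        return "ok", parse_multibulk(buf)[0]
    except RespError as exc:
        return "rejected", str(exc)

# Constructed sample requests; the SET mirrors the tutorial key from comment 4.
SAMPLE_OK = b"*3\r\n$3\r\nSET\r\n$11\r\nserver:name\r\n$8\r\nrapunzel\r\n"
SAMPLE_HUGE_COUNT = b"*2000000000\r\n"          # header only, nothing behind it
SAMPLE_TRUNCATED = b"*1\r\n$100\r\nshort\r\n"   # claims 100 bytes, sends 5
```

The huge-count and truncated samples are rejected at the header check, before any element list or body slice is built, which is the behaviour the fixed Redis parser must guarantee.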
Comment 8 David Walser 2021-10-14 23:00:18 CEST
Thanks. The first Fedora advisory from Comment 0 can be included in the references.

Comment 9 Len Lawrence 2021-10-15 01:26:44 CEST
@David regarding comment 6.  Thanks for the clarification - saved me some work.
