Bug ID 991250
Summary VUL-0: CVE-2013-7458: redis: World readable .rediscli_history
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.1
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter astieger@suse.com
QA Contact qa-bugs@suse.de
CC kstreitova@suse.com, lars.vogdt@microfocus.com, michal.hrusecky@opensuse.org, mpluskal@suse.com, mrueckert@suse.com, mseben@gmail.com, nix@opensuse.org, pth@suse.com
Found By Security Response Team
Blocker ---

http://seclists.org/oss-sec/2016/q3/189

https://bugs.debian.org/832460

    redis-cli stores its history in ~/.rediscli_history; this file is
    created with permissions 0644. Home folders are world readable as well
    in Debian, so any user can access other users' redis history, including
    AUTH commands, which include credentials.

    I've contacted upstream on 2016-05-30 without any reaction at all and
    discovered this bug was first reported 3 years ago, still unfixed.
    @RedisLabs keeps referring to their paid support on Twitter.

    Demo: `cat /home/*/.rediscli_history`

Upstream report: https://github.com/antirez/redis/issues/3284

https://github.com/antirez/redis/pull/3322
https://github.com/antirez/redis/pull/1418

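As an added illustration (not part of the bug report and not redis or redis-cli code), a POSIX shell snippet an administrator can use to audit whether a .rediscli_history file is readable beyond its owner, count the AUTH lines it exposes, and tighten it to 0600; create_history_private shows the umask approach that avoids the window at creation time. The function names and the default path are assumptions.

```shell
# Default path under audit (assumed default, override via the environment).
REDISCLI_HISTORY="${REDISCLI_HISTORY:-$HOME/.rediscli_history}"

# Returns 0 if the file grants no group or other permission bits (e.g. 0600),
# 1 if it is missing or readable by group/others (e.g. the 0644 reported here).
history_mode_ok() {
    f="$1"
    [ -e "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    # Keep the last three octal digits; stat prints a fourth for setuid/sticky.
    mode=$(printf '%s' "$mode" | tail -c 3)
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    [ "$group" = 0 ] && [ "$other" = 0 ]
}

# Number of history lines that carry an AUTH command (case-insensitive), i.e.
# the credentials a world-readable file would leak. Prints 0 if none.
count_auth_lines() {
    f="$1"
    grep -ci '^auth ' "$f" || true
}

# Tighten an existing history file to owner-only access.
harden_history() {
    f="$1"
    [ -e "$f" ] || return 1
    chmod 0600 "$f"
}

# Create the file owner-only from the start: the umask is applied inside a
# subshell before the file exists, so it is never world readable. Appending
# to an already existing file does not change its mode; use harden_history.
create_history_private() {
    f="$1"
    ( umask 077; : >> "$f" )
}

# Typical use:
#   history_mode_ok "$REDISCLI_HISTORY" || harden_history "$REDISCLI_HISTORY"
```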
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7458
http://seclists.org/oss-sec/2016/q3/189
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7458.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460