[Bug 1191331] New: VUL-0: CVE-2021-32765: hiredis: integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 Bug ID: 1191331 Summary: VUL-0: CVE-2021-32765: hiredis: integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other URL: https://smash.suse.de/issue/311708/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Basesystem Assignee: screening-team-bugs@suse.de Reporter: abergmann@suse.com QA Contact: security-team@suse.de Found By: Security Response Team Blocker: --- CVE-2021-32765 Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow. Users of hiredis who are unable to update may set the [maxelements](https://github.com/redis/hiredis#reader-max-array-elements) context option to a value small enough that no overflow is possible. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32765 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32765 https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2 https://github.com/redis/hiredis/commit/76a7b10005c70babee357a7d0f2becf28ec7... https://wiki.sei.cmu.edu/confluence/display/c/MEM07-C.+Ensure+that+the+argum... -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 Andreas Stieger <Andreas.Stieger@gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |Andreas.Stieger@gmx.de Assignee|screening-team-bugs@suse.de |pafee@tycoint.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 Paul Fee <pafee@tycoint.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 http://bugzilla.opensuse.org/show_bug.cgi?id=1191331#c1 --- Comment #1 from Andreas Stieger <Andreas.Stieger@gmx.de> --- https://build.opensuse.org/request/show/923651 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 http://bugzilla.opensuse.org/show_bug.cgi?id=1191331#c2 --- Comment #2 from Paul Fee <pafee@tycoint.com> --- https://build.opensuse.org/request/show/924120 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 http://bugzilla.opensuse.org/show_bug.cgi?id=1191331#c3 Paul Fee <pafee@tycoint.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #3 from Paul Fee <pafee@tycoint.com> --- Fixed in hiredis v1.0.2, which is available for openSUSE Tumbleweed. Leap 15.3 ships with hiredis 0.13.3, the fix is not available for that version of hiredis. The server:database repo contains hiredis 1.0.2 built for Leap 15.2. https://software.opensuse.org/package/hiredis -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 http://bugzilla.opensuse.org/show_bug.cgi?id=1191331#c4 Andreas Stieger <Andreas.Stieger@gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED |--- --- Comment #4 from Andreas Stieger <Andreas.Stieger@gmx.de> --- (In reply to Paul Fee from comment #3)
Leap 15.3 ships with hiredis 0.13.3, the fix is not available for that version of hiredis.
This is not in line with our security maintenance policy. Create a backport against 0.13.3. Do not close the issue but re-assign to security-team@suse.de when you are done. Set a needinfo request on them if unable. Here is the debian backport to help you get started: https://lists.debian.org/debian-lts-announce/2021/10/msg00007.html https://salsa.debian.org/lamby/pkg-hiredis/-/commit/e210141d449659042f00fad7... -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 http://bugzilla.opensuse.org/show_bug.cgi?id=1191331#c5 Andreas Stieger <Andreas.Stieger@gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |IN_PROGRESS --- Comment #5 from Andreas Stieger <Andreas.Stieger@gmx.de> --- proposed maintenance update: https://build.opensuse.org/request/show/933345 Paul please review and accept the review on the request. Then re-assign bug to security-team@suse.de for processing. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 http://bugzilla.opensuse.org/show_bug.cgi?id=1191331#c6 --- Comment #6 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> --- This is an autogenerated message for OBS integration: This bug (1191331) was mentioned in https://build.opensuse.org/request/show/933347 15.2+Backports:SLE-15-SP3 / hiredis -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 http://bugzilla.opensuse.org/show_bug.cgi?id=1191331#c7 Paul Fee <pafee@tycoint.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|pafee@tycoint.com |security-team@suse.de --- Comment #7 from Paul Fee <pafee@tycoint.com> --- https://build.opensuse.org/request/show/933347 Accepted. Assigning to security-team@suse.de as requested by Andreas. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1191331 http://bugzilla.opensuse.org/show_bug.cgi?id=1191331#c10 Andreas Stieger <Andreas.Stieger@gmx.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #10 from Andreas Stieger <Andreas.Stieger@gmx.de> --- done -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com