* [Buildroot] [PATCH 2020.02.x] package/redis: security bump to version 5.0.11 (CVE-2021-21309)
@ 2021-03-09 11:23 Thomas De Schampheleire
2021-03-09 12:22 ` Titouan Christophe
2021-03-13 16:06 ` Peter Korsgaard
0 siblings, 2 replies; 4+ messages in thread
From: Thomas De Schampheleire @ 2021-03-09 11:23 UTC (permalink / raw)
To: buildroot
From: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
References:
https://github.com/redis/redis/security/advisories/GHSA-hgj8-vff2-7cjf
https://nvd.nist.gov/vuln/detail/CVE-2021-21309
"Impact:
An integer overflow bug in 32-bit Redis version 4.0 or newer could be
exploited to corrupt the heap and potentially result with remote code
execution.
Redis 4.0 or newer uses a configurable limit for the maximum supported
bulk input size. By default, it is 512MB which is a safe value for all
platforms.
If the limit is significantly increased, receiving a large request from
a client may trigger several integer overflow scenarios, which would
result with buffer overflow and heap corruption. We believe this could
in certain conditions be exploited for remote code execution.
By default, authenticated Redis users have access to all configuration
parameters and can therefore use the ?CONFIG SET proto-max-bulk-len? to
change the safe default, making the system vulnerable.
This problem only affects 32-bit Redis (on a 32-bit system, or as a
32-bit executable running on a 64-bit system).
Patches
The problem is fixed in version 6.2, and the fix is back ported to
6.0.11 and 5.0.11. Make sure you use one of these versions if you're
running 32-bit Redis.
"
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
NOTE: this only applies to 2020.02.x.
- For 2020.11.x a bump to 6.0.11 or later is needed (e.g. backport commit cbd5f7e3a9331).
- For 2021.02, 6.0.12 is used which already contains the fix.
package/redis/redis.hash | 2 +-
package/redis/redis.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/redis/redis.hash b/package/redis/redis.hash
index 73e28fac0d..9904736502 100644
--- a/package/redis/redis.hash
+++ b/package/redis/redis.hash
@@ -1,5 +1,5 @@
# From https://github.com/antirez/redis-hashes/blob/master/README
-sha256 e30a5e7d1593a715cdda2a82deb90190816d06c9d1dc1ef5b36874878c683382 redis-5.0.10.tar.gz
+sha256 418135c453a94aac24c24243b041fb978fcc3ea4e1e1f996c1d64b16ae6ac1aa redis-5.0.11.tar.gz
# Locally calculated
sha256 cbf420a3672475a6e2765e3c0984c1f81efe0212afb94a3c998ee63bfd661063 COPYING
diff --git a/package/redis/redis.mk b/package/redis/redis.mk
index 5ab1d34fd2..eaf0521f2f 100644
--- a/package/redis/redis.mk
+++ b/package/redis/redis.mk
@@ -4,7 +4,7 @@
#
################################################################################
-REDIS_VERSION = 5.0.10
+REDIS_VERSION = 5.0.11
REDIS_SITE = http://download.redis.io/releases
REDIS_LICENSE = BSD-3-Clause (core); MIT and BSD family licenses (Bundled components)
REDIS_LICENSE_FILES = COPYING
--
2.26.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 2020.02.x] package/redis: security bump to version 5.0.11 (CVE-2021-21309)
2021-03-09 11:23 [Buildroot] [PATCH 2020.02.x] package/redis: security bump to version 5.0.11 (CVE-2021-21309) Thomas De Schampheleire
@ 2021-03-09 12:22 ` Titouan Christophe
2021-03-13 16:06 ` Peter Korsgaard
1 sibling, 0 replies; 4+ messages in thread
From: Titouan Christophe @ 2021-03-09 12:22 UTC (permalink / raw)
To: buildroot
Hello Thomas,
Thank you for taking care of 2020.2.x, didn't think of that one.
However, this does not build properly on non-glibc systems:
br-arm-full [1/6]: OK
br-arm-cortex-a9-glibc [2/6]: OK
br-arm-cortex-m4-full [3/6]: SKIPPED
br-x86-64-musl [4/6]: FAILED
br-arm-full-static [5/6]: SKIPPED
sourcery-arm [6/6]: OK
6 builds, 2 skipped, 1 build failed, 0 legal-info failed
The problem has been resolved in Redis 5.0.12 (and 6.0.12, 6.2.1) (see
https://raw.githubusercontent.com/redis/redis/5.0/00-RELEASENOTES),
would you use this version instead ?
Best regards,
Titouan
On 9/03/21 12:23, Thomas De Schampheleire wrote:
> From: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
>
> References:
> https://github.com/redis/redis/security/advisories/GHSA-hgj8-vff2-7cjf
> https://nvd.nist.gov/vuln/detail/CVE-2021-21309
>
> "Impact:
>
> An integer overflow bug in 32-bit Redis version 4.0 or newer could be
> exploited to corrupt the heap and potentially result with remote code
> execution.
>
> Redis 4.0 or newer uses a configurable limit for the maximum supported
> bulk input size. By default, it is 512MB which is a safe value for all
> platforms.
>
> If the limit is significantly increased, receiving a large request from
> a client may trigger several integer overflow scenarios, which would
> result with buffer overflow and heap corruption. We believe this could
> in certain conditions be exploited for remote code execution.
>
> By default, authenticated Redis users have access to all configuration
> parameters and can therefore use the ?CONFIG SET proto-max-bulk-len? to
> change the safe default, making the system vulnerable.
>
> This problem only affects 32-bit Redis (on a 32-bit system, or as a
> 32-bit executable running on a 64-bit system).
>
> Patches
>
> The problem is fixed in version 6.2, and the fix is back ported to
> 6.0.11 and 5.0.11. Make sure you use one of these versions if you're
> running 32-bit Redis.
> "
>
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> ---
>
> NOTE: this only applies to 2020.02.x.
> - For 2020.11.x a bump to 6.0.11 or later is needed (e.g. backport commit cbd5f7e3a9331).
> - For 2021.02, 6.0.12 is used which already contains the fix.
>
>
> package/redis/redis.hash | 2 +-
> package/redis/redis.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/redis/redis.hash b/package/redis/redis.hash
> index 73e28fac0d..9904736502 100644
> --- a/package/redis/redis.hash
> +++ b/package/redis/redis.hash
> @@ -1,5 +1,5 @@
> # From https://github.com/antirez/redis-hashes/blob/master/README
> -sha256 e30a5e7d1593a715cdda2a82deb90190816d06c9d1dc1ef5b36874878c683382 redis-5.0.10.tar.gz
> +sha256 418135c453a94aac24c24243b041fb978fcc3ea4e1e1f996c1d64b16ae6ac1aa redis-5.0.11.tar.gz
>
> # Locally calculated
> sha256 cbf420a3672475a6e2765e3c0984c1f81efe0212afb94a3c998ee63bfd661063 COPYING
> diff --git a/package/redis/redis.mk b/package/redis/redis.mk
> index 5ab1d34fd2..eaf0521f2f 100644
> --- a/package/redis/redis.mk
> +++ b/package/redis/redis.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -REDIS_VERSION = 5.0.10
> +REDIS_VERSION = 5.0.11
> REDIS_SITE = http://download.redis.io/releases
> REDIS_LICENSE = BSD-3-Clause (core); MIT and BSD family licenses (Bundled components)
> REDIS_LICENSE_FILES = COPYING
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 2020.02.x] package/redis: security bump to version 5.0.11 (CVE-2021-21309)
2021-03-09 11:23 [Buildroot] [PATCH 2020.02.x] package/redis: security bump to version 5.0.11 (CVE-2021-21309) Thomas De Schampheleire
2021-03-09 12:22 ` Titouan Christophe
@ 2021-03-13 16:06 ` Peter Korsgaard
2021-03-13 18:24 ` Thomas De Schampheleire
1 sibling, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2021-03-13 16:06 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com> writes:
> From: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> References:
> https://github.com/redis/redis/security/advisories/GHSA-hgj8-vff2-7cjf
> https://nvd.nist.gov/vuln/detail/CVE-2021-21309
> "Impact:
> An integer overflow bug in 32-bit Redis version 4.0 or newer could be
> exploited to corrupt the heap and potentially result with remote code
> execution.
> Redis 4.0 or newer uses a configurable limit for the maximum supported
> bulk input size. By default, it is 512MB which is a safe value for all
> platforms.
> If the limit is significantly increased, receiving a large request from
> a client may trigger several integer overflow scenarios, which would
> result with buffer overflow and heap corruption. We believe this could
> in certain conditions be exploited for remote code execution.
> By default, authenticated Redis users have access to all configuration
> parameters and can therefore use the ?CONFIG SET proto-max-bulk-len? to
> change the safe default, making the system vulnerable.
> This problem only affects 32-bit Redis (on a 32-bit system, or as a
> 32-bit executable running on a 64-bit system).
> Patches
> The problem is fixed in version 6.2, and the fix is back ported to
> 6.0.11 and 5.0.11. Make sure you use one of these versions if you're
> running 32-bit Redis.
> "
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> ---
> NOTE: this only applies to 2020.02.x.
> - For 2020.11.x a bump to 6.0.11 or later is needed (e.g. backport commit cbd5f7e3a9331).
> - For 2021.02, 6.0.12 is used which already contains the fix.
Committed to 2020.02.x after updating to 5.0.12 as pointed out by
Titouan, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 2020.02.x] package/redis: security bump to version 5.0.11 (CVE-2021-21309)
2021-03-13 16:06 ` Peter Korsgaard
@ 2021-03-13 18:24 ` Thomas De Schampheleire
0 siblings, 0 replies; 4+ messages in thread
From: Thomas De Schampheleire @ 2021-03-13 18:24 UTC (permalink / raw)
To: buildroot
On Sat, Mar 13, 2021, 17:06 Peter Korsgaard <peter@korsgaard.com> wrote:
> >>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com>
> writes:
>
> > From: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> > References:
> > https://github.com/redis/redis/security/advisories/GHSA-hgj8-vff2-7cjf
> > https://nvd.nist.gov/vuln/detail/CVE-2021-21309
>
> > "Impact:
>
> > An integer overflow bug in 32-bit Redis version 4.0 or newer could
> be
> > exploited to corrupt the heap and potentially result with remote
> code
> > execution.
>
> > Redis 4.0 or newer uses a configurable limit for the maximum
> supported
> > bulk input size. By default, it is 512MB which is a safe value for
> all
> > platforms.
>
> > If the limit is significantly increased, receiving a large request
> from
> > a client may trigger several integer overflow scenarios, which would
> > result with buffer overflow and heap corruption. We believe this
> could
> > in certain conditions be exploited for remote code execution.
>
> > By default, authenticated Redis users have access to all
> configuration
> > parameters and can therefore use the ?CONFIG SET
> proto-max-bulk-len? to
> > change the safe default, making the system vulnerable.
>
> > This problem only affects 32-bit Redis (on a 32-bit system, or as a
> > 32-bit executable running on a 64-bit system).
>
> > Patches
>
> > The problem is fixed in version 6.2, and the fix is back ported to
> > 6.0.11 and 5.0.11. Make sure you use one of these versions if you're
> > running 32-bit Redis.
> > "
>
> > Signed-off-by: Thomas De Schampheleire <
> thomas.de_schampheleire at nokia.com>
> > ---
>
> > NOTE: this only applies to 2020.02.x.
> > - For 2020.11.x a bump to 6.0.11 or later is needed (e.g. backport
> commit cbd5f7e3a9331).
> > - For 2021.02, 6.0.12 is used which already contains the fix.
>
> Committed to 2020.02.x after updating to 5.0.12 as pointed out by
> Titouan, thanks.
>
Thanks Peter and Titouan, and sorry for not having responded yet!
Best regards
Thomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20210313/09b360c6/attachment.html>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-03-13 18:24 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-09 11:23 [Buildroot] [PATCH 2020.02.x] package/redis: security bump to version 5.0.11 (CVE-2021-21309) Thomas De Schampheleire
2021-03-09 12:22 ` Titouan Christophe
2021-03-13 16:06 ` Peter Korsgaard
2021-03-13 18:24 ` Thomas De Schampheleire
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.