redis: CVE-2013-7458: world-readable .rediscli_history file

Related Vulnerabilities: CVE-2013-7458  

Debian Bug report logs - #832460

Reported by: kpcyrd <kpcyrd@rxv.cc>

Date: Mon, 25 Jul 2016 19:51:02 UTC

Severity: grave

Tags: security

Found in version redis/2:2.8.17-1

Fixed in versions redis/2:3.2.1-3, redis/2:3.2.1-4, redis/2:2.8.17-1+deb8u4

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/antirez/redis/issues/3284



Report forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#832460; Package redis-tools. (Mon, 25 Jul 2016 19:51:05 GMT)


Acknowledgement sent to kpcyrd <kpcyrd@rxv.cc>:
New Bug report received and forwarded. Copy sent to Chris Lamb <lamby@debian.org>. (Mon, 25 Jul 2016 19:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: kpcyrd <kpcyrd@rxv.cc>
To: submit@bugs.debian.org
Subject: World readable .rediscli_history
Date: Mon, 25 Jul 2016 19:41:28 +0000
Package: redis-tools
Version: 2.8.17-1+deb8u3
Severity: grave
Tags: security

redis-cli stores its history in ~/.rediscli_history, this file is
created with permissions 0644. Home folders are world readable as well
in Debian, so any user can access other users' redis history, including
AUTH commands, which include credentials.

I've contacted upstream on 2016-05-30 without any reaction at all and
discovered this bug was first reported 3 years ago, still unfixed.
@RedisLabs keeps referring to their paid support on twitter.

Demo: `cat /home/*/.rediscli_history`




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#832460; Package redis-tools. (Mon, 25 Jul 2016 20:09:11 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Mon, 25 Jul 2016 20:09:11 GMT)


Message #10 received at 832460@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: kpcyrd <kpcyrd@rxv.cc>, 832460@bugs.debian.org
Subject: Re: Bug#832460: World readable .rediscli_history
Date: Mon, 25 Jul 2016 22:03:11 +0200
> I've contacted upstream on 2016-05-30 without any reaction at all and
> discovered this bug was first reported 3 years ago, still unfixed.
> @RedisLabs keeps referring to their paid support on twitter.

Boo. Is there an upstream bug# for this or was this reported privately?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#832460; Package redis-tools. (Mon, 25 Jul 2016 20:39:09 GMT)


Acknowledgement sent to kpcyrd <kpcyrd@rxv.cc>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Mon, 25 Jul 2016 20:39:09 GMT)


Message #15 received at 832460@bugs.debian.org:

From: kpcyrd <kpcyrd@rxv.cc>
To: Chris Lamb <lamby@debian.org>
Cc: 832460@bugs.debian.org
Subject: Re: Bug#832460: World readable .rediscli_history
Date: Mon, 25 Jul 2016 20:31:02 +0000
> > I've contacted upstream on 2016-05-30 without any reaction at all and
> > discovered this bug was first reported 3 years ago, still unfixed.
> > @RedisLabs keeps referring to their paid support on twitter.
> 
> Boo. Is there an upstream bug# for this or was this reported privately?

My report:
https://github.com/antirez/redis/issues/3284

Patch by @denisvm:
https://github.com/antirez/redis/pull/3322

Another bug report by @denisvm, this time on the linenoise library:
https://github.com/antirez/linenoise/issues/121

Another patch by @denisvm:
https://github.com/antirez/linenoise/pull/122

Report + patch by @georgenicolaou, 2013 (discovered that today):
https://github.com/antirez/redis/pull/1418




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#832460; Package redis-tools. (Mon, 25 Jul 2016 21:21:06 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Mon, 25 Jul 2016 21:21:06 GMT)


Message #20 received at 832460@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: kpcyrd <kpcyrd@rxv.cc>, 832460@bugs.debian.org
Subject: Re: Bug#832460: World readable .rediscli_history
Date: Mon, 25 Jul 2016 23:16:53 +0200
> Another bug report by @denisvm, this time on the linenoise library:
> https://github.com/antirez/linenoise/issues/121

Indeed this looks like it might affect some other packages in Debian:

 https://codesearch.debian.net/search?q=int+linenoiseHistorySave&perpkg=1

Can you check these? I'm about to get on a flight and won't be able to
work on this for perhaps 24h.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#832460; Package redis-tools. (Mon, 25 Jul 2016 22:09:03 GMT)


Acknowledgement sent to kpcyrd <kpcyrd@rxv.cc>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Mon, 25 Jul 2016 22:09:04 GMT)


Message #25 received at 832460@bugs.debian.org:

From: kpcyrd <kpcyrd@rxv.cc>
To: Chris Lamb <lamby@debian.org>
Cc: 832460@bugs.debian.org
Subject: Re: Bug#832460: World readable .rediscli_history
Date: Mon, 25 Jul 2016 22:05:58 +0000
> > Another bug report by @denisvm, this time on the linenoise library:
> > https://github.com/antirez/linenoise/issues/121
> 
> Indeed this looks like it might affect some other packages in Debian:
> 
>  https://codesearch.debian.net/search?q=int+linenoiseHistorySave&perpkg=1
> 
> Can you check these? I'm about to get on a flight and won't be able to
> work on this for perhaps 24h.

I can confirm the same bug is present in mongodb:

	cat /home/*/.dbshell

I'm looking into the other packages tomorrow.




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 27 Jul 2016 04:27:04 GMT)


Notification sent to kpcyrd <kpcyrd@rxv.cc>:
Bug acknowledged by developer. (Wed, 27 Jul 2016 04:27:04 GMT)


Message #30 received at 832460-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 832460-close@bugs.debian.org
Subject: Bug#832460: fixed in redis 2:3.2.1-3
Date: Wed, 27 Jul 2016 04:23:15 +0000
Source: redis
Source-Version: 2:3.2.1-3

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832460@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Jul 2016 23:48:07 -0400
Source: redis
Binary: redis-server redis-tools redis-sentinel
Architecture: source
Version: 2:3.2.1-3
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 832460
Changes:
 redis (2:3.2.1-3) unstable; urgency=medium
 .
   * Avoid world_readable ~/.rediscli_history files. Thanks to kpcyrd
     <kpcyrd@rxv.cc>. (Closes: #832460)
Checksums-Sha1:
 38ada8348e62d96562d72965558e3e3b8dac5f98 1971 redis_3.2.1-3.dsc
 5a25dcd04cf073f675667243e29e34f212ff6d45 33740 redis_3.2.1-3.debian.tar.xz
Checksums-Sha256:
 a7503fea638391cae9574d569d90aecfb6766830fb3b7381a297c4d9e88ea957 1971 redis_3.2.1-3.dsc
 70575b74f4b906963f148de86ac866937cebd17c6e651887d5a1cfacc294479b 33740 redis_3.2.1-3.debian.tar.xz
Files:
 d104a8a77e70246326b98415d7d21b32 1971 database optional redis_3.2.1-3.dsc
 50a2c63e5c33d39866d82e0dd4d6e490 33740 database optional redis_3.2.1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXmC+yAAoJEB6VPifUMR5Y/TkP/1WGQQp513NGhs8DAa9c4R0i
EiVW+d3ELdSd7bspteUqc9zUHjDUbk2I9VmU//MG3wl4cWePmFKp4LKWeN2iwASe
lbTOV7mQbaXNiVc1b0CaxWaVDt89a2OyIVWUrEtogSHOTumyaK808/V3dy8EQsy6
8BYf45s1C2vXQa0cCW5QbTTiJSILZFHWyjYgfYMAZnwB8v8w/d3+C8IycpCOFtqA
cNlVE+xuLSOlqAdw4EBXAMNbZa7n2s9ECOz5CRKTShpU53TyFeNyZQo2XyIMQ7Y3
sCEXUTgz1MmdMXP4yNqvpH7sULkUq1HEdDVd6bB5GsbsYzgFHRnIMc6fGh+hqQ+u
aOwXwmUTZsBiFTTB7R0jJQGLRgpGwlSkxsLqQRzU6klvWPld3ECyxjkgWZdUYNgs
imKIhClTbDLcjBNwiYtxGE4xiPzm8dMPL9qqovG5miTj4AndMcKINkyQgfGBGjfg
msl9qlQ+GiQA+zIn6gyhVgJIYcXYgNxUkCWhxBhhyUTBV7Yec6t+YoyPGioc73V0
T0lvXCqx42Y7SULhZ2YealQfrRW3xFIBCzLRd6uLg4ltqCeNiN8OIUOYWxlqGO8U
SpXSih7UbLPjKJdLHQ0JFJRAW/ZRBTRrgc8zE59Hi9OhDCxVZCDcH5szh4P/gN1K
CRAULkCk5t9xBZ6fiiAf
=yMFp
-----END PGP SIGNATURE-----




Marked as found in versions 2.8.17-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Jul 2016 05:33:03 GMT)


No longer marked as found in versions 2.8.17-1+deb8u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Jul 2016 05:57:08 GMT)


No longer marked as found in versions 2.8.17-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Jul 2016 05:57:09 GMT)


Marked as found in versions redis/2:2.8.17-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Jul 2016 05:57:10 GMT)


Set Bug forwarded-to-address to 'https://github.com/antirez/redis/issues/3284'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 28 Jul 2016 07:36:12 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Thu, 28 Jul 2016 12:51:06 GMT)


Notification sent to kpcyrd <kpcyrd@rxv.cc>:
Bug acknowledged by developer. (Thu, 28 Jul 2016 12:51:07 GMT)


Message #45 received at 832460-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 832460-close@bugs.debian.org
Subject: Bug#832460: fixed in redis 2:3.2.1-4
Date: Thu, 28 Jul 2016 12:48:47 +0000
Source: redis
Source-Version: 2:3.2.1-4

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832460@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 28 Jul 2016 08:35:50 -0400
Source: redis
Binary: redis-server redis-tools redis-sentinel
Architecture: source
Version: 2:3.2.1-4
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 832460
Changes:
 redis (2:3.2.1-4) unstable; urgency=high
 .
   * Avoid race condition by setting and resetting umask(2) when
     writing to ~/.rediscli_history. (Closes: #832460)
   * Skip replication tests with timing issues.
Checksums-Sha1:
 f328c435ea1f62a00d8130ee654143a1ae50d93a 1971 redis_3.2.1-4.dsc
 50ac4d394e755d81834a7e9343eff056a85efa89 33964 redis_3.2.1-4.debian.tar.xz
Checksums-Sha256:
 9bf899daa3c96a0666057b8c64a7b31d97510193756a478ae21559778f620dbb 1971 redis_3.2.1-4.dsc
 fcb60f441491355bf8b2e79d28141b2757b98a085198d75c48086d8e97699941 33964 redis_3.2.1-4.debian.tar.xz
Files:
 d103749dd94ac86a358ae94cae7065e7 1971 database optional redis_3.2.1-4.dsc
 cfb4afddaa151a5dde17c6a7878587d5 33964 database optional redis_3.2.1-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Changed Bug title to 'redis: CVE-2013-7458: world-readable .rediscli_history file' from 'World readable .rediscli_history'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 28 Jul 2016 16:27:03 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Sat, 06 Aug 2016 21:39:11 GMT)


Notification sent to kpcyrd <kpcyrd@rxv.cc>:
Bug acknowledged by developer. (Sat, 06 Aug 2016 21:39:11 GMT)


Message #52 received at 832460-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 832460-close@bugs.debian.org
Subject: Bug#832460: fixed in redis 2:2.8.17-1+deb8u4
Date: Sat, 06 Aug 2016 21:37:55 +0000
Source: redis
Source-Version: 2:2.8.17-1+deb8u4

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832460@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 28 Jul 2016 08:53:56 -0400
Source: redis
Binary: redis-server redis-tools
Architecture: source
Version: 2:2.8.17-1+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 832460
Changes:
 redis (2:2.8.17-1+deb8u4) jessie-security; urgency=high
 .
   * Avoid world_readable ~/.rediscli_history files. Thanks to kpcyrd
     <kpcyrd@rxv.cc>. (Closes: #832460)
Checksums-Sha1:
 be29f3f9b97e40b28105be2f8db4fbaade5d2301 1910 redis_2.8.17-1+deb8u4.dsc
 e3a49a3d92394e9fced7d9e092663d6b8fcd08a6 23404 redis_2.8.17-1+deb8u4.debian.tar.xz
Checksums-Sha256:
 a0b253a02cc8a32ff1db46152d5d943eb03512a3e4ff066819716c44454a434f 1910 redis_2.8.17-1+deb8u4.dsc
 01bcb8231f7d8a681b05dab20e13c5ae572b25c373057466993078a66191ae43 23404 redis_2.8.17-1+deb8u4.debian.tar.xz
Files:
 d842da9bfe7093577de8394787eaf5f2 1910 database optional redis_2.8.17-1+deb8u4.dsc
 9ff297757ad0a13cfd7c13915a3a623a 23404 database optional redis_2.8.17-1+deb8u4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 10:06:14 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:51:59 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 Nov 2017 07:27:11 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:50:23 2019; Machine Name: buxtehude
