redis: CVE-2023-36824: Heap overflow in COMMAND GETKEYS and ACL evaluation

Related Vulnerabilities: CVE-2023-36824   CVE-2022-24834  

Debian Bug report logs - #1040879


Package: src:redis; Maintainer for src:redis is Chris Lamb <lamby@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 11 Jul 2023 20:51:02 UTC

Severity: grave

Tags: security, upstream

Found in version redis/5:7.0.11-1

Fixed in versions redis/5:7.0.12-1, redis/5:7.2-rc3-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>:
Bug#1040879; Package src:redis. (Tue, 11 Jul 2023 20:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Chris Lamb <lamby@debian.org>. (Tue, 11 Jul 2023 20:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: redis: CVE-2023-36824: Heap overflow in COMMAND GETKEYS and ACL evaluation
Date: Tue, 11 Jul 2023 22:49:11 +0200
Source: redis
Version: 5:7.0.11-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for redis.

CVE-2023-36824[0]:
| Redis is an in-memory database that persists on disk. In Redis 7.0
| prior to 7.0.12, extracting key names from a command and a list of
| arguments may, in some cases, trigger a heap overflow and result in
| reading random heap memory, heap corruption and potentially remote
| code execution. Several scenarios that may lead to authenticated
| users executing a specially crafted `COMMAND GETKEYS` or `COMMAND
| GETKEYSANDFLAGS` and authenticated users who were set with ACL rules
| that match key names, executing a specially crafted command that
| refers to a variadic list of key names. The vulnerability is patched
| in Redis 7.0.12.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-36824
    https://www.cve.org/CVERecord?id=CVE-2023-36824
[1] https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3

Regards,
Salvatore
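As an added example, not part of this bug report or of the redis package, the following Python script applies dpkg's version-ordering rules to decide whether an installed Debian redis package version is at or beyond the versions this report lists as fixed (5:7.0.12-1 for the 7.0 series in unstable, 5:7.2-rc3-1 for 7.2 in experimental). The comparison routine follows the documented dpkg algorithm (epoch, then upstream, then revision; `~` sorts before anything, digit runs compare numerically); the mapping of upstream prefixes to series, and the `None` result for series this report does not mention, are this example's own assumptions.

```python
"""Added example: check an installed Debian redis package version against the
fixed versions named in Debian bug #1040879 (CVE-2023-36824).

The ordering mirrors dpkg --compare-versions; the series table below is an
assumption built from the versions quoted in the bug report, not a Debian API.
"""
from typing import Optional, Tuple

# Fixed versions as stated in the bug report, keyed by upstream series prefix
# (assumption: a version whose upstream part starts with the key belongs to
# that series; the report names no other series).
FIXED_BY_SERIES = {
    "7.0": "5:7.0.12-1",   # unstable upload
    "7.2": "5:7.2-rc3-1",  # experimental upload
}
FOUND_IN = "5:7.0.11-1"    # "Found in version" from the report


def _order(c: str) -> int:
    """dpkg character weight used in the non-digit phase of a comparison."""
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c.isdigit():
        return 0             # digits are handled in the numeric phase
    if c.isalpha():
        return ord(c)
    return ord(c) + 256      # punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream or revision string pair the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: weigh characters; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer number wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_debian_version(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")   # last '-' starts the revision
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as dpkg --compare-versions would order a against b."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def is_fixed(installed: str) -> Optional[bool]:
    """True if the version is at or past the fix for its series, False if it is
    older, None if the series is not one the bug report names."""
    _, upstream, _ = parse_debian_version(installed)
    for series, fixed in FIXED_BY_SERIES.items():
        if upstream.startswith(series):
            return compare_versions(installed, fixed) >= 0
    return None


if __name__ == "__main__":
    # Constructed sample inventory: the reported version, both fixed uploads,
    # an earlier 7.2 release candidate and a series the report does not cover.
    for v in (FOUND_IN, "5:7.0.12-1", "5:7.2-rc2-1", "5:7.2-rc3-1", "5:6.0.16-1"):
        print(f"{v:16} fixed={is_fixed(v)}")
```

The check is only as good as the version string: a backport such as `5:7.0.12-1~bpo11+1` sorts below `5:7.0.12-1` by design, and security uploads for stable suites carry their own version numbers, so a fleet audit should compare against the fixed version published for the suite actually installed, not only the two listed here.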



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 12 Jul 2023 09:24:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 12 Jul 2023 09:24:04 GMT)


Message #10 received at 1040879-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1040879-close@bugs.debian.org
Subject: Bug#1040879: fixed in redis 5:7.0.12-1
Date: Wed, 12 Jul 2023 09:20:45 +0000
Source: redis
Source-Version: 5:7.0.12-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1040879@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 12 Jul 2023 10:07:09 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.12-1
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1040879
Changes:
 redis (5:7.0.12-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2022-24834: A specially-crafted Lua script executing in Redis could
       have triggered a heap overflow in the cjson and cmsgpack libraries and
       result in heap corruption and potentially remote code execution. The
       problem exists in all versions of Redis with Lua scripting support and
       affects only authenticated/authorised users.
 .
     - CVE-2023-36824: Extracting key names from a command and a list of
       arguments may, in some cases, have triggered a heap overflow and result
       in reading random heap memory, heap corruption and potentially remote
       code execution. (Specifically using COMMAND GETKEYS* and validation of
       key names in ACL rules). (Closes: #1040879)
 .
     For more information, please see:
 .
       <https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES>
Checksums-Sha1:
 cbdc088ee6756cbd2a3ad0f733e8585b2729ea8f 2273 redis_7.0.12-1.dsc
 8501fb1a782fd3050ef914763964ef123228a794 3023189 redis_7.0.12.orig.tar.gz
 4a808c73c1c7f20d29e5d1ae80e844d04d4683cf 28592 redis_7.0.12-1.debian.tar.xz
 216db95f9609f82497b019a88dae15d057a92d40 7474 redis_7.0.12-1_amd64.buildinfo
Checksums-Sha256:
 e011831d24088b9d946cbe0e9422663adbf52197d51293fb00b55f01d8a073f9 2273 redis_7.0.12-1.dsc
 13d4689454e29e7b9f1161b544e6d08b0ddd27d057859fde7b1916869b3bf701 3023189 redis_7.0.12.orig.tar.gz
 dd8db40f47f60e78514166de827f1e6802c7eaa181f4da17f2eeac743f4bc8b9 28592 redis_7.0.12-1.debian.tar.xz
 990f2694dc3788fb7d1671e2b2598f85fdc5cf443df2ac49bfbe520e7e7c9e42 7474 redis_7.0.12-1_amd64.buildinfo
Files:
 c66d1c9beac34f026b96491132c25fd7 2273 database optional redis_7.0.12-1.dsc
 4a51b64a7d2ec7b71aef4c972f116e0c 3023189 database optional redis_7.0.12.orig.tar.gz
 ae25676f4760b2f2b67150f8211b18a4 28592 database optional redis_7.0.12-1.debian.tar.xz
 14e133e60374683238be9db7e877b0c8 7474 database optional redis_7.0.12-1_amd64.buildinfo


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Wed, 12 Jul 2023 09:24:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 12 Jul 2023 09:24:06 GMT)


Message #15 received at 1040879-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1040879-close@bugs.debian.org
Subject: Bug#1040879: fixed in redis 5:7.2-rc3-1
Date: Wed, 12 Jul 2023 09:21:01 +0000
Source: redis
Source-Version: 5:7.2-rc3-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1040879@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 12 Jul 2023 09:57:10 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.2-rc3-1
Distribution: experimental
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1040879
Changes:
 redis (5:7.2-rc3-1) experimental; urgency=high
 .
   * New upstream security release.
     <https://raw.githubusercontent.com/redis/redis/7.2/00-RELEASENOTES>
 .
     - CVE-2022-24834: A specially-crafted Lua script executing in Redis could
       have triggered a heap overflow in the cjson and cmsgpack libraries and
       result in heap corruption and potentially remote code execution. The
       problem exists in all versions of Redis with Lua scripting support and
       affects only authenticated/authorised users.
 .
     - CVE-2023-36824: Extracting key names from a command and a list of
       arguments may, in some cases, have triggered a heap overflow and result
       in reading random heap memory, heap corruption and potentially remote
       code execution. (Specifically using COMMAND GETKEYS* and validation of
       key names in ACL rules). (Closes: #1040879)
 .
   * Refresh patches
Checksums-Sha1:
 b63d6087c49c6e79b562c946a5c2af6aa9d85ca4 2245 redis_7.2-rc3-1.dsc
 a52b4341b11246b6938ee71d59c2f50b78e112cb 3417862 redis_7.2-rc3.orig.tar.gz
 177e7fb946b1a8b41fd3e2382526d4084689894a 28528 redis_7.2-rc3-1.debian.tar.xz
 a2757732e612dc716a34c7ca3077238a296443c7 7496 redis_7.2-rc3-1_amd64.buildinfo
Checksums-Sha256:
 b4ec260b2f5d47b39bf2a471a8471f6a4b09e7f98f1620a8eb64e90d74a1a312 2245 redis_7.2-rc3-1.dsc
 d4e116a7c968442523c00c20c65bc541ae8974964f340dbe07993e39e3fd48ef 3417862 redis_7.2-rc3.orig.tar.gz
 13b1fd8e170278bfa2b563b70ab7e069b2ac8cb6fa9a970feb212903ba15324e 28528 redis_7.2-rc3-1.debian.tar.xz
 d87d0bfc9fcd61c942ac9640dd2e64d0004f5a93f115f53304aea6567d93b1a3 7496 redis_7.2-rc3-1_amd64.buildinfo
Files:
 3a961e24be27ab34805217b6c51a8a2d 2245 database optional redis_7.2-rc3-1.dsc
 a697dc73568c6dea45a16deb7e8668ef 3417862 database optional redis_7.2-rc3.orig.tar.gz
 57d51aec85914476a3541de538716d66 28528 database optional redis_7.2-rc3-1.debian.tar.xz
 362e461ca4ed686d21813206a40a941b 7496 database optional redis_7.2-rc3-1_amd64.buildinfo


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jul 12 11:59:11 2023; Machine Name: buxtehude