Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALASREDIS6-2023-004

Related Vulnerabilities: CVE-2021-32765  

Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow. Users of hiredis who are unable to update may set the [maxelements](https://github.com/redis/hiredis#reader-max-array-elements) context option to a value small enough that no overflow is possible. (CVE-2021-32765)

Source

ALASREDIS6-2023-004

Amazon Linux 2 Security Advisory: ALASREDIS6-2023-004
Advisory Release Date: 2023-08-21 20:59 Pacific
Advisory Updated Date: 2023-09-25 22:02 Pacific
Severity: Important
Issue Overview:

Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow. Users of hiredis who are unable to update may set the [maxelements](https://github.com/redis/hiredis#reader-max-array-elements) context option to a value small enough that no overflow is possible. (CVE-2021-32765)


Affected Packages:

hiredis


Issue Correction:
Run yum update hiredis to update your system.

New Packages:
aarch64:
    hiredis-0.13.3-17.amzn2.aarch64
    hiredis-devel-0.13.3-17.amzn2.aarch64
    hiredis-debuginfo-0.13.3-17.amzn2.aarch64

src:
    hiredis-0.13.3-17.amzn2.src

x86_64:
    hiredis-0.13.3-17.amzn2.x86_64
    hiredis-devel-0.13.3-17.amzn2.x86_64
    hiredis-debuginfo-0.13.3-17.amzn2.x86_64

Additional References

Red Hat: CVE-2021-32765

Mitre: CVE-2021-32765

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started