[Buildroot] [PATCH 2020.02.x] package/redis: security bump to version 5.0.11 (CVE-2021-21309)

Peter Korsgaard peter at korsgaard.com
Sat Mar 13 16:06:14 UTC 2021


>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin at gmail.com> writes:

 > From: Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>
 > References:
 > https://github.com/redis/redis/security/advisories/GHSA-hgj8-vff2-7cjf
 > https://nvd.nist.gov/vuln/detail/CVE-2021-21309

 > "Impact:

 >     An integer overflow bug in 32-bit Redis version 4.0 or newer could be
 >     exploited to corrupt the heap and potentially result with remote code
 >     execution.

 >     Redis 4.0 or newer uses a configurable limit for the maximum supported
 >     bulk input size. By default, it is 512MB which is a safe value for all
 >     platforms.

 >     If the limit is significantly increased, receiving a large request from
 >     a client may trigger several integer overflow scenarios, which would
 >     result with buffer overflow and heap corruption. We believe this could
 >     in certain conditions be exploited for remote code execution.

 >     By default, authenticated Redis users have access to all configuration
 >     parameters and can therefore use the “CONFIG SET proto-max-bulk-len” to
 >     change the safe default, making the system vulnerable.

 >     This problem only affects 32-bit Redis (on a 32-bit system, or as a
 >     32-bit executable running on a 64-bit system).

 > Patches

 >     The problem is fixed in version 6.2, and the fix is back ported to
 >     6.0.11 and 5.0.11. Make sure you use one of these versions if you're
 >     running 32-bit Redis.
 > "

 > Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>
 > ---

 > NOTE: this only applies to 2020.02.x.
 > - For 2020.11.x a bump to 6.0.11 or later is needed (e.g. backport commit cbd5f7e3a9331).
 > - For 2021.02, 6.0.12 is used which already contains the fix.

Committed to 2020.02.x after updating to 5.0.12 as pointed out by
Titouan, thanks.

-- 
Bye, Peter Korsgaard
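
To help decide which targets actually need this bump, the following is an added example (my own, not Buildroot's or Redis's code) that applies the advisory's three conditions to the text of INFO server and CONFIG GET proto-max-bulk-len: only 32-bit builds are affected, only 4.0 or newer without the fix (5.0.11, 6.0.11, 6.2+), and the overflow is reachable only once the bulk limit has been raised above the 512MB default. The INFO and CONFIG GET samples are constructed; the field names follow redis-cli output.

```python
"""Classify a Redis instance's exposure to CVE-2021-21309 from the text of
INFO server and CONFIG GET proto-max-bulk-len.

Added example; not Buildroot or Redis code. The INFO and CONFIG GET samples
below are constructed, and the field names follow redis-cli output.
"""

# Default bulk limit named in the advisory (512MB), safe on all platforms.
DEFAULT_PROTO_MAX_BULK_LEN = 512 * 1024 * 1024

# Backported fixes named in the advisory; 6.2 and later carry the fix too.
FIXED_IN_BRANCH = {(5, 0): (5, 0, 11), (6, 0): (6, 0, 11)}


def parse_info(text):
    """Fold 'key:value' lines of INFO output into a dict, skipping '#' headers."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def parse_config_get(entries):
    """CONFIG GET answers with a flat name, value, name, value ... array."""
    it = iter(entries)
    return dict(zip(it, it))


def parse_version(text):
    """'5.0.12' -> (5, 0, 12); missing components count as 0."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def build_is_fixed(version):
    """True when the release carries the fix (6.2+, or a fixed 5.0/6.0 point release)."""
    branch = version[:2]
    if branch >= (6, 2):
        return True
    fixed = FIXED_IN_BRANCH.get(branch)
    return fixed is not None and version >= fixed


def assess(info_text, config_entries):
    """Return (needs_update, exposed_now).

    needs_update: 32-bit build of 4.0 or newer without the fix.
    exposed_now:  additionally, proto-max-bulk-len already exceeds the
                  512MB default, so a large request can reach the overflow.
    """
    info = parse_info(info_text)
    cfg = parse_config_get(config_entries)
    version = parse_version(info["redis_version"])
    limit = int(cfg.get("proto-max-bulk-len", DEFAULT_PROTO_MAX_BULK_LEN))

    if info.get("arch_bits") != "32":
        return (False, False)  # only 32-bit Redis is affected
    if version < (4, 0, 0) or build_is_fixed(version):
        return (False, False)  # no configurable limit, or already fixed
    return (True, limit > DEFAULT_PROTO_MAX_BULK_LEN)


# Constructed sample: a 32-bit 5.0.10 whose limit an authenticated client raised.
SAMPLE_INFO = """# Server
redis_version:5.0.10
redis_mode:standalone
arch_bits:32
"""
SAMPLE_CONFIG = ["proto-max-bulk-len", str(4 * 1024 * 1024 * 1024)]

if __name__ == "__main__":
    print(assess(SAMPLE_INFO, SAMPLE_CONFIG))  # (True, True)
```

Until a target is on a fixed release, the second flag is the one to watch: a 32-bit build that still has the default limit is only exposed through an authenticated client issuing CONFIG SET, so keeping CONFIG out of reach of ordinary clients (rename-command in 5.x, ACLs in 6.x) narrows the window without changing the package.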