From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id A9663158020 for ; Mon, 31 Oct 2022 01:51:58 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0A027E09A7; Mon, 31 Oct 2022 01:45:27 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 7942BE0809 for ; Mon, 31 Oct 2022 01:29:25 +0000 (UTC) Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.165]) by smtp.gentoo.org (Postfix) with ESMTP id E264E340D21 for ; Mon, 31 Oct 2022 01:29:24 +0000 (UTC) Received: from [172.18.0.3] (unknown [172.18.0.3]) by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id CC7198D19A for ; Mon, 31 Oct 2022 01:29:24 +0000 (-00) Subject: [gentoo-announce] [ GLSA 202210-32 ] hiredis, hiredis-py: Multiple Vulnerabilities Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="===============5281536209448630038==" From: glsamaker@gentoo.org To: gentoo-announce@lists.gentoo.org Reply-To: security@gentoo.org Date: Mon, 31 Oct 2022 01:29:24 -0000 Message-ID: <166717976483.9.6607601078639797816@90bb6a0775af> X-Archives-Salt: 8c9ccfb7-318a-4c9a-97d8-36c2ff5523dd X-Archives-Hash: 7ccb84489f786ab1ea300199c2534d74 --===============5281536209448630038== Content-Type: text/plain; charset="utf-8" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202210-32 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: hiredis, hiredis-py: Multiple Vulnerabilities Date: October 31, 2022 Bugs: #873079, #816318 ID: 202210-32 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== An integer overflow has been found in hiredis which could result in arbitrary code execution. Background ========== hiredis is a minimalistic C client library for the Redis database. hiredis-py is a Python extension that wraps hiredis. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/hiredis < 1.0.1 >= 1.0.1 2 dev-python/hiredis < 2.0.0 >= 2.0.0 Description =========== Hiredis is vulnerable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow. Impact ====== Malicious Redis commands could result in remote code execution. Workaround ========== There is no known workaround at this time. Resolution ========== All hiredis users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/hiredis-1.0.1" All hiredis-py users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-python/hiredis-2.0.0" References ========== [ 1 ] CVE-2021-32765 https://nvd.nist.gov/vuln/detail/CVE-2021-32765 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202210-32 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 --===============5281536209448630038== Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmNfJPQACgkQFMQkOaVy +9nIbRAAjzhG1E6wieXwzRh4Vz50oRo6UMzD231dDVtu3Uo4fkAfAjd6ELD9pWhj ImIy3qh2a+c2ci4JyrC0FCtjFoEjInIadctN1H3QZQyz5U5E0a+ucHAGZXw/caHj 0ke3NlM3rysLEFeBt5qrc/ZukcNPbEUGNfCsel87ewkuE2PhiCu61Z7U8HJif/zC wKEEg+dTJNqvObZSz7frEpJmZECTofLWu/Gegs39CAVb+6VdC4zfWk69jGfNwOyF KkT5m2fbI9UfOxYuGfRSGY8z6412eUE8+19VNoMcfuT862bbijeI9qPXMlo9bCxR NdBfB3Qq0yh0eqm3p5BQ0rLLiCr+Ni7Ru9wY/b3QiX/DjD83jAkkeVAsyvBkYJbz 357ErDcQsOe+qMV8ilZDFzupuhPOZMq2g8/JPoykCHzM6Kc0ZVQMrlGvkgkjhhIJ HXR0EYeFxrV8bmexAjFIS27falDyE0GN/6Q8EHfZVoFmIzzcewhDb8MgUnV0REUP QETgNoEPqTwyJdO1+K47OrTd/bmkkojrJVJFYLYZ9c22bqEFEwIMlh0NRcD1HXzQ EgQCK5gkzTJ6zHkVcB8Jl+1Fee6VVQGYMduzEJc7TygVrxKqjlk1hODV6CJTZ8Vs H4vdSU8+rnJoDVuExkODg0xI8owjAhRIDq2HSpnNFmhVIPVs1Jw= =Igj+ -----END PGP SIGNATURE----- --===============5281536209448630038==--