Bug 1727668 (CVE-2019-10193)

Summary: CVE-2019-10193 redis: Stack buffer overflow in HyperLogLog triggered by malicious client
Product: [Other] Security Response
Reporter: Summer Long <slong>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: apevec, dbecker, hchiramm, hhorak, jjoyce, jmulligan, jorton, jschluet, kbasil, kramdoss, lhh, lpeer, madam, mburns, nathans, rcollet, redis-maint, rhos-maint, rhs-bugs, sankarshan, sclewis, sisharma, slinaber, ssaha, storage-qa-internal, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Redis 3.2.13, Redis 4.0.14, Redis 5.0.4
Doc Type: ---
Doc Text:
A stack buffer overflow vulnerability was found in the Redis HyperLogLog data structure. By corrupting a HyperLogLog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-07-22 15:07:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1727715, 1727716, 1727717, 1727718, 1727719, 1727721, 1728470, 1728471, 1728916, 1728917
Bug Blocks: 1727663

Description Summer Long 2019-07-08 00:12:57 UTC
Stack buffer overflow due to failure to validate register values in hllDenseRegHisto(). By corrupting a hyperloglog structure in Redis using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.

Comment 5 Summer Long 2019-07-08 04:26:34 UTC
Created redis tracking bugs for this issue:

Affects: openstack-rdo [bug 1727721]

Comment 7 Summer Long 2019-07-10 00:20:33 UTC
Upstream timeline: https://github.com/antirez/redis/issues/6215

Comment 12 errata-xmlrpc 2019-07-22 13:34:24 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1819 https://access.redhat.com/errata/RHSA-2019:1819

Comment 13 Product Security DevOps Team 2019-07-22 15:07:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10193

Comment 16 Hardik Vyas 2019-08-07 05:54:01 UTC
Statement:

The following product versions are not affected because they do not ship the vulnerable code:
* Red Hat OpenStack Platform, all versions
* Red Hat Ceph Storage 3, which only ships the client-side part of Redis in its packaged Grafana.
* Red Hat Gluster Storage 3, which only ships the client-side part of Redis in its packaged Grafana and Heketi.

Comment 17 errata-xmlrpc 2019-08-07 10:52:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2002 https://access.redhat.com/errata/RHSA-2019:2002