Bug 1727668 (CVE-2019-10193)

Summary: CVE-2019-10193 redis: Stack buffer overflow in HyperLogLog triggered by malicious client
Product: [Other] Security Response Reporter: Summer Long <slong>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apevec, dbecker, hchiramm, hhorak, jjoyce, jmulligan, jorton, jschluet, kbasil, kramdoss, lhh, lpeer, madam, mburns, nathans, rcollet, redis-maint, rhos-maint, rhs-bugs, sankarshan, sclewis, sisharma, slinaber, ssaha, storage-qa-internal, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Redis 3.2.13, Redis 4.0.14, Redis 5.0.4 Doc Type: ---
Doc Text:
A stack buffer overflow vulnerability was found in the Redis HyperLogLog data structure. By corrupting a HyperLogLog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-22 15:07:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1727715, 1727716, 1727717, 1727718, 1727719, 1727721, 1728470, 1728471, 1728916, 1728917    
Bug Blocks: 1727663    

Description Summer Long 2019-07-08 00:12:57 UTC 
Stack buffer overflow due to failure to validate register values in hllDenseRegHisto(). By corrupting a hyperloglog structure in Redis using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.
Comment 2 Summer Long 2019-07-08 00:13:03 UTC 
External References:

https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES
Comment 5 Summer Long 2019-07-08 04:26:34 UTC 
Created redis tracking bugs for this issue:

Affects: openstack-rdo [bug 1727721]
Comment 6 Summer Long 2019-07-09 01:05:17 UTC 
Upstream commit: https://github.com/antirez/redis/commit/a4b90be9fcd5e1668ac941cabce3b1ab38dbe326
Comment 7 Summer Long 2019-07-10 00:20:33 UTC 
Upstream timeline: https://github.com/antirez/redis/issues/6215
Comment 12 errata-xmlrpc 2019-07-22 13:34:24 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1819 https://access.redhat.com/errata/RHSA-2019:1819
Comment 13 Product Security DevOps Team 2019-07-22 15:07:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10193
Comment 16 Hardik Vyas 2019-08-07 05:54:01 UTC 
Statement:

The following product versions are not affected because they do not ship the vulnerable code:
* Red Hat OpenStack Platform, all versions
* Red Hat Ceph Storage 3, which only ships the client-side part of Redis in its packaged Grafana.
* Red Hat Gluster Storage 3, which only ships the client-side part of Redis in its packaged Grafana and Heketi.
Comment 17 errata-xmlrpc 2019-08-07 10:52:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2002 https://access.redhat.com/errata/RHSA-2019:2002