Bug 1848539 (CVE-2020-14147)

Summary: CVE-2020-14147 redis: integer overflow in the getnum function in lua_struct.c could lead to a DoS
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, fabian.deutsch, jal233, jjoyce, jschluet, lberk, lhh, lpeer, mburns, mgoodwin, nathans, rcollet, redis-maint, sclewis, slinaber
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 01:56:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1848540, 1848541, 1849957, 1854280    
Bug Blocks: 1848543    

Description Marian Rehak 2020-06-18 13:55:56 UTC 
An integer overflow in the getnum function in lua_struct.c in Redis before 6.0.3 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbox restrictions via a large number, which triggers a stack-based buffer overflow. NOTE: this issue exists because of a CVE-2015-8080 regression.

Upstream Commit:

https://github.com/antirez/redis/commit/ef764dde1cca2f25d00686673d1bc89448819571
Comment 1 Marian Rehak 2020-06-18 13:57:08 UTC 
Created redis tracking bugs for this issue:

Affects: epel-all [bug 1848541]
Affects: fedora-all [bug 1848540]
Comment 3 Summer Long 2020-06-19 05:05:24 UTC 
Mitigation:

There is no known mitigation for this issue, the flaw can only be resolved by applying updates.
Comment 4 lnacshon 2020-06-23 09:32:50 UTC 
CCX are using redis==3.4.1
Comment 6 Huzaifa S. Sidhpurwala 2020-07-07 04:47:34 UTC 
This issue was originally reported as "redis: Integer wraparound in lua_struct.c causing stack-based buffer overflow" and was assigned CVE-2015-8080. However https://github.com/redis-io/redis/commit/1eb08bcd4634ae42ec45e8284923ac048beaa4c3 applied to redis-5.0.0 and redis-6.0.0 reversed this commit and made the package vulnerable again.

It was further noticed via https://github.com/redis-io/redis/pull/6875 and CVE-2020-14147 has been assigned. CVE-2020-14147 is essentially a regression to the original 2015 CVE.

Currently no new upstream release is made to fix this flaw, but a committed patch is available.
Comment 8 Nathan Scott 2020-07-07 06:07:04 UTC 
(In reply to Huzaifa S. Sidhpurwala from comment #6)
> [...]
> Currently no new upstream release is made to fix this flaw, but a committed
> patch is available.

The upstream redis-5.0.9 release contains this fix:
http://download.redis.io/releases/redis-5.0.9.tar.gz