It was found that getnum() function in lua_struct.c is vulnerable to integer overflow that can be used to trigger stack-based buffer overflow. getnum() can be tricked into an integer wraparound with a large size number as input, thus returning a negative value. Affected versions of redis are 2.8 and 3.0. Vulnerable code: static int getnum (const char **fmt, int df) { if (!isdigit(**fmt)) /* no number? */ return df; /* return default value */ else { int a = 0; do { a = a*10 + *((*fmt)++) - '0'; } while (isdigit(**fmt)); return a; } } static size_t optsize (lua_State *L, char opt, const char **fmt) { switch (opt) { [...] case 'c': return getnum(fmt, 1); case 'i': case 'I': { int sz = getnum(fmt, sizeof(int)); if (sz > MAXINTSIZE) luaL_error(L, "integral size %d is larger than limit of %d", sz, MAXINTSIZE); return sz; } default: return 0; /* other cases do not need alignment */ } } Upstream bug report (including reproducer): https://github.com/antirez/redis/issues/2855 CVE assignment: http://seclists.org/oss-sec/2015/q4/231
Created redis tracking bugs for this issue: Affects: fedora-all [bug 1278966] Affects: epel-all [bug 1278967]
This issue has been addressed in the following products: OpenStack 7.0 Operational Tools for RHEL 7 Via RHSA-2016:0097 https://rhn.redhat.com/errata/RHSA-2016-0097.html
This issue has been addressed in the following products: OpenStack 7 For RHEL 7 Via RHSA-2016:0096 https://rhn.redhat.com/errata/RHSA-2016-0096.html
This issue has been addressed in the following products: OpenStack 6 for RHEL 7 Via RHSA-2016:0095 https://rhn.redhat.com/errata/RHSA-2016-0095.html