Bug 894659 (CVE-2013-0178) - CVE-2013-0178 redis 2.4: Insecure temporary flaw use for redis service's vm swap file
Status: CLOSED ERRATA
Alias: CVE-2013-0178
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 895120 895121
Reported: 2013-01-12 22:55 UTC by Michael S.
Modified: 2019-09-29 12:58 UTC

Last Closed: 2015-08-22 06:56:21 UTC

Description Michael S. 2013-01-12 22:55:31 UTC
It seems that redis 2.4 uses a predictable file name in /tmp/ as some kind of swap file:

    server.vm_swap_file = zstrdup("/tmp/redis-%p.vm");

This was removed in 2.6 (deprecated code), but 2.4 is in Fedora 18 and EPEL 6 AFAIK.

Since redis does not care whether the file exists before opening it (and in fact, I think it tries to reuse it if it already exists), this could be used by an attacker to erase an arbitrary file with a symlink to the file. Depending on whether redis is running as root or not, this could be dangerous, or just a minor nuisance.
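
An added example, not part of the original report or of the Redis source: a C comparison of an open that reuses a predictable path with one that refuses any pre-existing entry, run against a symlink planted in a private scratch directory. The function names, the scratch directory and the `redis-demo.vm` file name are constructed for illustration, and the legacy opener is modelled on the description above rather than copied from redis 2.4.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Legacy-style open (constructed from the report's description): follows
 * symlinks and reuses whatever already exists at the predictable path. */
int open_swap_legacy(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Hardened open: O_EXCL fails if anything (a symlink included) already
 * exists at the path, O_NOFOLLOW rejects a symlink, 0600 keeps it private. */
int open_swap_hardened(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Creates a scratch directory holding a 15-byte "victim" file and a symlink
 * named like the swap file, opens the symlink path with `opener`, truncates
 * on success, and returns the victim's final size (-1 on setup error). */
long victim_size_after(int (*opener)(const char *)) {
    char dir[] = "/tmp/swapdemo-XXXXXX", victim[64], swap[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(swap, sizeof swap, "%s/redis-demo.vm", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return -1;
    fputs("important data\n", f);              /* constructed content */
    fclose(f);
    if (symlink(victim, swap) != 0) return -1;
    int fd = opener(swap);
    if (fd >= 0) {                             /* open went through the link */
        if (ftruncate(fd, 0) != 0) perror("ftruncate");
        close(fd);
    }
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(swap); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("legacy:   victim is %ld bytes\n", victim_size_after(open_swap_legacy));
    printf("hardened: victim is %ld bytes\n", victim_size_after(open_swap_hardened));
    return 0;
}
```

Keeping the file in a directory that only the service user can write to avoids the problem at its source; `O_EXCL` is the fallback when a shared directory such as /tmp cannot be avoided.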

Comment 1 Jan Lieskovsky 2013-01-14 14:43:55 UTC
Thank you for this report, Michael. I am going to steal this bug to be a security response product (as there are more products affected by this issue than just upcoming Fedora-18).

Comment 2 Jan Lieskovsky 2013-01-14 14:50:58 UTC
This issue affects the versions of the redis package, as shipped with Fedora release of 16 and 17.

--

This issue affects the versions of the redis package, as shipped with Fedora EPEL 5 and Fedora EPEL 6.

Comment 3 Jan Lieskovsky 2013-01-14 15:46:32 UTC
The upstream patch which fixed the "/tmp/redis-%p.vm" insecure flaw (but also introduced a different one in "/tmp/redis.ds") is the following one:
  https://github.com/antirez/redis/commit/697af434fbeb2e3ba2ba9687cd283ed1a2734fa5

So to fix this issue it would be easier to rebase to latest 2.6.* version, which doesn't contain the issue any more.

Comment 4 Jan Lieskovsky 2013-01-14 15:48:23 UTC
Michael, since there is an upstream patch for this issue available already (latest 2.6.* version is not affected by this problem), would you mind if we would open this bug and request CVE identifier for it publicly?

Let us know. Thank you, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 5 Michael S. 2013-01-14 15:53:23 UTC
No problem for me.

Comment 6 Jan Lieskovsky 2013-01-14 15:54:59 UTC
(In reply to comment #5)
> No problem for me.

Thank you. Will request CVE id shortly.

Comment 7 Jan Lieskovsky 2013-01-14 15:58:39 UTC
Created redis tracking bugs for this issue

Affects: fedora-all [bug 895120]
Affects: epel-all [bug 895121]

Comment 8 Jan Lieskovsky 2013-01-14 16:11:42 UTC
CVE request:
[1] http://www.openwall.com/lists/oss-security/2013/01/14/3

Comment 9 Vincent Danen 2013-01-15 16:51:05 UTC
Two CVEs were assigned here:

http://www.openwall.com/lists/oss-security/2013/01/14/7

CVE-2013-0178 for the insecure /tmp usage in 2.4
CVE-2013-0180 for the insecure /tmp usage in 2.6

Since we only ship 2.4-based versions, only noting the first CVE as applicable to us in this bug.

