An integer overflow in the getnum function in lua_struct.c in Redis before 6.0.3 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbox restrictions via a large number, which triggers a stack-based buffer overflow. NOTE: this issue exists because of a CVE-2015-8080 regression.

Upstream Commit: https://github.com/antirez/redis/commit/ef764dde1cca2f25d00686673d1bc89448819571
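The description says the regressed getnum reads a decimal count from the format string without an overflow check, and that a large number ends in a stack-based buffer overflow. The C program below is an added reconstruction of that pattern, written for this page; it is not Redis's lua_struct.c. It shows the unchecked accumulation wrapping a count such as 2147483648 to a negative int, a signed "is it above the limit" check waving that negative value through, and the value then becoming an enormous size_t, which is the length a fixed stack buffer would be filled to. Beside it is the overflow-checked form that refuses the count. The MAXINTSIZE value of 32, the helper names, and the use of -1 as an error return in place of a Lua error are assumptions made for the example.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for the integer-size option; it stands in for the project's
 * own MAXINTSIZE and bounds a fixed stack buffer in the packer. */
#define MAXINTSIZE 32

/* Unchecked digit accumulation in the style of the regressed getnum().
 * The original accumulates in a signed int, which is undefined behaviour on
 * overflow; here the sum is kept in uint32_t and folded back explicitly so
 * the two's-complement wraparound is reproduced without relying on UB. */
static int getnum_unchecked(const char **fmt, int df) {
  if (!isdigit((unsigned char)**fmt))
    return df;                       /* no count given: use the default */
  uint32_t a = 0;
  do {
    a = a * 10u + (uint32_t)(*((*fmt)++) - '0');
  } while (isdigit((unsigned char)**fmt));
  if (a <= (uint32_t)INT_MAX)
    return (int)a;
  return (int)(a - 2147483648u) - INT_MAX - 1;   /* wrapped: negative */
}

/* Checked variant: refuses any count that would not fit in an int.
 * Returns -1 on overflow (a stand-in for raising a Lua error). */
static int getnum_checked(const char **fmt, int df) {
  if (!isdigit((unsigned char)**fmt))
    return df;
  int a = 0;
  do {
    int d = *((*fmt)++) - '0';
    /* The first test guards the second, so a*10 itself never overflows. */
    if (a > INT_MAX / 10 || a * 10 > INT_MAX - d)
      return -1;
    a = a * 10 + d;
  } while (isdigit((unsigned char)**fmt));
  return a;
}

/* Models the size check the report implies: a signed comparison against the
 * limit, then use of the value as an unsigned length. A wrapped negative
 * count passes the comparison and turns into a huge size_t, which is what
 * lets a later copy loop run off the end of a stack buffer.
 * Returns 0 when the size is rejected. */
static size_t int_size_after_check(int sz) {
  if (sz > MAXINTSIZE)
    return 0;
  return (size_t)sz;
}

/* String-taking wrappers so callers do not have to manage the cursor. */
static int parse_unchecked(const char *s) { return getnum_unchecked(&s, 1); }
static int parse_checked(const char *s)   { return getnum_checked(&s, 1); }

int main(void) {
  /* Constructed inputs: a sane count, INT_MAX, INT_MAX+1 and UINT32_MAX. */
  const char *inputs[] = { "16", "2147483647", "2147483648", "4294967295" };
  for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
    int u = parse_unchecked(inputs[i]);
    int c = parse_checked(inputs[i]);
    printf("%-11s unchecked=%11d -> length %20zu | checked=%d\n",
           inputs[i], u, int_size_after_check(u), c);
  }
  return 0;
}
```

The point to carry away when reviewing similar parsers: a limit check placed after an unchecked accumulation does nothing, because the value it inspects is already wrong; the bound has to be enforced on every step of the accumulation, as getnum_checked does.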
Created redis tracking bugs for this issue:

Affects: epel-all [bug 1848541]
Affects: fedora-all [bug 1848540]
Mitigation: There is no known mitigation for this issue, the flaw can only be resolved by applying updates.
CCX are using redis==3.4.1
This issue was originally reported as "redis: Integer wraparound in lua_struct.c causing stack-based buffer overflow" and was assigned CVE-2015-8080. However, https://github.com/redis-io/redis/commit/1eb08bcd4634ae42ec45e8284923ac048beaa4c3, applied to redis-5.0.0 and redis-6.0.0, reversed this commit and made the package vulnerable again. It was further noticed via https://github.com/redis-io/redis/pull/6875 and CVE-2020-14147 has been assigned. CVE-2020-14147 is essentially a regression to the original 2015 CVE. Currently no new upstream release has been made to fix this flaw, but a committed patch is available.
(In reply to Huzaifa S. Sidhpurwala from comment #6)
> [...]
> Currently no new upstream release is made to fix this flaw, but a committed
> patch is available.

The upstream redis-5.0.9 release contains this fix: http://download.redis.io/releases/redis-5.0.9.tar.gz