An integer overflow in the getnum function in lua_struct.c in Redis before 6.0.3 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbox restrictions via a large number, which triggers a stack-based buffer overflow. NOTE: this issue exists because of a CVE-2015-8080 regression.
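As an added illustration (not the Redis or Lua code itself), a C digit-run parser in the spirit of getnum() in lua_struct.c: the unchecked form wraps silently on a large number, the checked form rejects the input before the multiply-add can exceed INT_MAX, and a caller still bounds the accepted count against its stack buffer. The function names and the 32-byte buffer are assumptions of this example.

```c
/* Added illustration, not Redis' or Lua's own code: a decimal size parser
 * in the spirit of getnum() in lua_struct.c.  Names/sizes are assumptions. */
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <string.h>

/* Unchecked: a = a*10 + digit wraps past the int range, so a huge count can
 * come back small or even zero, a value a later fixed-size stack write is
 * not sized for.  Unsigned arithmetic keeps the wrap well defined here. */
static int getnum_unchecked(const char **fmt, int df) {
    if (!isdigit((unsigned char)**fmt))
        return df;                       /* no number: default value */
    unsigned int a = 0;
    do {
        a = a * 10u + (unsigned int)(*((*fmt)++) - '0');
    } while (isdigit((unsigned char)**fmt));
    return (int)a;
}

/* Checked: refuse before the multiply-add could exceed INT_MAX, the same
 * idea as the "integral size overflow" error of a fixed parser. */
static bool getnum_checked(const char **fmt, int df, int *out) {
    if (!isdigit((unsigned char)**fmt)) { *out = df; return true; }
    int a = 0;
    do {
        int d = **fmt - '0';
        if (a > INT_MAX / 10 || a * 10 > INT_MAX - d)
            return false;                /* would wrap: reject the format */
        a = a * 10 + d; (*fmt)++;
    } while (isdigit((unsigned char)**fmt));
    *out = a;
    return true;
}

/* String wrappers for testing: parsed value, or -1 when rejected. */
int size_unchecked(const char *s) { return getnum_unchecked(&s, 1); }
int size_checked(const char *s) { int v; return getnum_checked(&s, 1, &v) ? v : -1; }

/* An accepted count must still be bounded against the destination before it
 * drives memset/memcpy into a stack buffer.  Bytes written, or -1 if rejected. */
int apply_size(const char *fmt) {
    char buf[32];                        /* assumed fixed-size destination */
    int n;
    if (!getnum_checked(&fmt, 1, &n) || n < 0 || (size_t)n > sizeof buf)
        return -1;
    memset(buf, 'x', (size_t)n);
    return n;
}
```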
Created redis tracking bugs for this issue:
Affects: epel-all [bug 1848541]
Affects: fedora-all [bug 1848540]
There is no known mitigation for this issue; the flaw can only be resolved by applying updates.
CCX are using redis==3.4.1
This issue was originally reported as "redis: Integer wraparound in lua_struct.c causing stack-based buffer overflow" and was assigned CVE-2015-8080. However, https://github.com/redis-io/redis/commit/1eb08bcd4634ae42ec45e8284923ac048beaa4c3, applied to redis-5.0.0 and redis-6.0.0, reversed this commit and made the package vulnerable again.
It was further noticed via https://github.com/redis-io/redis/pull/6875 and CVE-2020-14147 has been assigned. CVE-2020-14147 is essentially a regression to the original 2015 CVE.
Currently no new upstream release is made to fix this flaw, but a committed patch is available.
(In reply to Huzaifa S. Sidhpurwala from comment #6)
> Currently no new upstream release is made to fix this flaw, but a committed
> patch is available.
The upstream redis-5.0.9 release contains this fix: