Bug 2013499 (CVE-2021-32765) - CVE-2021-32765 hiredis: an integer overflow may occur if provided maliciously crafted or corrupted RESP mult-bulk protocol data
Summary: CVE-2021-32765 hiredis: an integer overflow may occur if provided maliciously...
Keywords:
Status: NEW
Alias: CVE-2021-32765
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2013501 2013500
Blocks: 2013502
TreeView+ depends on / blocked
 
Reported: 2021-10-13 04:45 UTC by Marian Rehak
Modified: 2024-01-26 17:09 UTC (History)
15 users (show)

Fixed In Version: hiredis 1.0.1
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow flaw when parsing array replies was found in hiredis, which leads to a buffer overflow and subsequent code execution. This flaw allows a remote attacker to execute arbitrary commands and craft a malicious payload to execute commands on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Marian Rehak 2021-10-13 04:45:39 UTC 
Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow.

Upstream Advisory:

https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2
Comment 5 Tomas Hoger 2022-01-26 10:26:15 UTC 
Created hiredis tracking bugs for this issue:

Affects: fedora-all [bug 2013500]
Comment 9 Jeremy West 2024-01-26 17:09:40 UTC 
Created hiredis tracking bugs for this issue:

Affects: epel-all [bug 2013501]
Note You need to log in before you can comment on or make changes to this bug.