[Buildroot] [PATCH 2020.02.x] package/redis: security bump to version 5.0.11 (CVE-2021-21309)

Peter Korsgaard peter at korsgaard.com
Sat Mar 13 16:06:14 UTC 2021

>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin at gmail.com> writes:

 > From: Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>
 > References:
 > https://github.com/redis/redis/security/advisories/GHSA-hgj8-vff2-7cjf
 > https://nvd.nist.gov/vuln/detail/CVE-2021-21309

 > "Impact:

 >     An integer overflow bug in 32-bit Redis version 4.0 or newer could be
 >     exploited to corrupt the heap and potentially result with remote code
 >     execution.

 >     Redis 4.0 or newer uses a configurable limit for the maximum supported
 >     bulk input size. By default, it is 512MB which is a safe value for all
 >     platforms.

 >     If the limit is significantly increased, receiving a large request from
 >     a client may trigger several integer overflow scenarios, which would
 >     result with buffer overflow and heap corruption. We believe this could
 >     in certain conditions be exploited for remote code execution.

 >     By default, authenticated Redis users have access to all configuration
 >     parameters and can therefore use the “CONFIG SET proto-max-bulk-len” to
 >     change the safe default, making the system vulnerable.

 >     This problem only affects 32-bit Redis (on a 32-bit system, or as a
 >     32-bit executable running on a 64-bit system).

 > Patches

 >     The problem is fixed in version 6.2, and the fix is back ported to
 >     6.0.11 and 5.0.11. Make sure you use one of these versions if you're
 >     running 32-bit Redis.
 > "

 > Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>
 > ---

 > NOTE: this only applies to 2020.02.x.
 > - For 2020.11.x a bump to 6.0.11 or later is needed (e.g. backport commit cbd5f7e3a9331).
 > - For 2021.02, 6.0.12 is used which already contains the fix.

Committed to 2020.02.x after updating to 5.0.12 as pointed out by
Titouan, thanks.

Bye, Peter Korsgaard
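As an added defensive example, not part of this thread and not Buildroot or Redis code: a small Python audit that checks whether a redis.conf raises proto-max-bulk-len above the 512MB default the advisory calls safe, and whether a 32-bit build runs a version the advisory lists as fixed (5.0.11+, 6.0.11+, 6.2+). The size-suffix table is an assumption mirroring Redis's config parser (bare k/m/g decimal, kb/mb/gb binary); the version mapping follows the advisory text, with later majors assumed fixed; whether the binary is 32-bit is supplied by the caller, and the sample config is constructed.

```python
import re

# Redis's default proto-max-bulk-len (512MB), the value the advisory calls safe.
SAFE_DEFAULT_BYTES = 512 * 1024 * 1024

# Size suffixes accepted by Redis's config parser: bare k/m/g are decimal,
# kb/mb/gb are binary, matching is case-insensitive (assumption: mirrors memtoll()).
_UNITS = {
    "": 1, "b": 1,
    "k": 1000, "kb": 1024,
    "m": 1000 ** 2, "mb": 1024 ** 2,
    "g": 1000 ** 3, "gb": 1024 ** 3,
}


def parse_redis_size(value):
    """Convert a Redis size literal such as '512mb' or '2g' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", value)
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError("not a Redis size literal: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def find_bulk_len_settings(conf_text):
    """Return (line_number, bytes) for every active proto-max-bulk-len directive."""
    found = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "proto-max-bulk-len":
            found.append((lineno, parse_redis_size(parts[1].strip().strip('"'))))
    return found


def version_is_fixed(version):
    """True when `version` contains the CVE-2021-21309 fix as stated in the
    advisory: 5.0.11+, 6.0.11+ or 6.2+ (later majors assumed fixed).
    4.x and 6.1.x builds are conservatively treated as unfixed."""
    parts = [int(x) for x in version.split(".")[:3]]
    major, minor, patch = (parts + [0, 0, 0])[:3]
    if major >= 7:
        return True
    if major == 6:
        return minor >= 2 or (minor == 0 and patch >= 11)
    if major == 5:
        return minor == 0 and patch >= 11
    return False


def audit(conf_text, version, is_32bit):
    """Return a list of (finding, detail) tuples; empty means nothing to report.
    Redis applies directives in order, so the last proto-max-bulk-len wins."""
    findings = []
    settings = find_bulk_len_settings(conf_text)
    effective = settings[-1][1] if settings else SAFE_DEFAULT_BYTES
    if effective > SAFE_DEFAULT_BYTES:
        findings.append(("bulk-len-raised",
                         "proto-max-bulk-len is %d bytes (line %d), above the 512MB default"
                         % (effective, settings[-1][0])))
    if is_32bit and not version_is_fixed(version):
        findings.append(("unfixed-32bit",
                         "32-bit Redis %s predates the CVE-2021-21309 fix" % version))
    return findings


# Constructed redis.conf fragment for demonstration (not a real deployment).
SAMPLE_CONF = """\
# constructed sample
port 6379
proto-max-bulk-len 512mb
# an operator later raised the limit for a bulk-loading job
proto-max-bulk-len 2gb
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONF, "5.0.10", is_32bit=True):
        print("%s: %s" % (kind, detail))
```

The check only reads a config file on disk; a value set at runtime with CONFIG SET, which is the path the advisory describes, would need to be read back from the running instance (CONFIG GET proto-max-bulk-len) and fed to the same comparison.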
