-
Notifications
You must be signed in to change notification settings - Fork 23.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please clarify fixing commits for CVE-2019-10193 #6214
Comments
Hi @lamby, the CVEs are mostly unreadable. The HyperLogLog issues where fixed in the following commits.
The other vulnerability was a DoS that was fixed here: 5b52bc7 The above CVEs have no description of what is going on at all: just in one there is a link to bugzilla with little more info, so well... not sure what to say. |
P.S. I think I'll release a security advisor myself as a Redis issue. |
Those appear to be part of
… is also part of that, or are you completely in the dark too? ^_^
This doesn't sound like Hm. :) |
@lamby basically a4b90be is another bug that I found after I got the report for the other hyperloglog bug. It's a similar issue I found doing the auditing. @JohnSully reported an out of range memory access, I found another similar in another place, and also I found another bug again related to hyperloglog and registers access in yet another place. That's the story. |
Cheer for sharing. Okay, I'll give it a few days or so for that Bugzilla link to throw up something interesting about |
Whilst I thank you releasing that advisory statement, I don't think we have resolved the question of |
I found the original issues. Feel free to contact me if you have any questions. john at csquare dot ca. |
@JohnSully Can you share here? I'm, in particular, interested in |
I thought Antirez explained it well, but that is probably because I'm too close to the actual code. The short story is Redis was computing addresses relative to the stack pointer that could be directly influenced by user data. As part of a hyperloglog datastructure there are sparse areas, and when Redis tries to convert them to non-sparse it skips over them in the array allocated on the stack. Because it failed to bounds check you could overflow. With some limitations that overflow and the data written was controlled by the attacker. I'm not a security researcher so I'm not quite used to heavily distilling these bugs. Let me know if you need more/different details. My main interest is I run a fork called KeyDB and was performing security testing on that code. |
Thanks. However, whilst I understood how/what the referenced commits are fixing I am trying to — from a closing all loopholes / administrative point of view — working what, exactly, that latter CVE is referring to. If it is closed by one of the commits, that's great... but that is still not clear. :) |
Ah sorry for the misunderstanding. Since the commits are Antirez's I'll let him answer. |
Recently, two CVEs were filed for redis:
For the first (ie.
CVE-2019-10192
) it is clear that this was fixed in 9f13b2b and e216cea. However, for the second (ie.CVE-2019-10193
), it is not clear what commits will remedy this.I've done a quick glance at the
git blame
output for this function with no dice...Any pointers? :)
The text was updated successfully, but these errors were encountered: