Bug 13537

Summary: [CVE 21] hiredis 0.13.3 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: a.proklov, e.kosachev, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
y.tumanov: secteam_verified+
a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2021-32765
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-08-24 00:20:30 MSK
Please patch CVEs for package hiredis version 0.13.3
INFO (CVEs are): hiredis 0.13.3
CVEs found:
CVE-2021-32765
Desc: Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnerable to integer overflow if provided maliciously crafted or corrupted `RESP` `multi-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow. Users of hiredis who are unable to update may set the [maxelements](https://github.com/redis/hiredis#reader-max-array-elements) context option to a value small enough that no overflow is possible.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-32765
Severity: HIGH
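The defect class described in the CVE text (an element count from the wire multiplied by a pointer size without first checking that the product fits in `size_t`) and the two mitigations it names (an overflow check before allocation and a ceiling on the element count, as the `maxelements` option provides) can be shown side by side. The following is an added example written for this report; it is not hiredis' own code. `reply_stub`, `unchecked_byte_count`, `checked_mul` and `alloc_reply_array` are names invented here, and the element ceiling passed to `alloc_reply_array` stands in for the reader's configured maximum. The unchecked product is only computed and shown, never used for an allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the reply structure (hypothetical); only the size of a
 * pointer to it matters for the arithmetic below. */
typedef struct reply_stub reply_stub;

/* The byte count an unchecked parser would compute from a wire-supplied
 * element count. size_t arithmetic wraps, so for large counts this is a
 * small number: the "short allocation" the CVE text refers to. */
size_t unchecked_byte_count(size_t count) {
    return count * sizeof(reply_stub *);
}

/* Returns true iff count * elem_size is representable as size_t and stores
 * the product in *out; false means the multiplication would wrap. */
bool checked_mul(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/* Hardened array allocation: reject the declared count if it exceeds the
 * configured ceiling (the role hiredis' maxelements option plays) or if the
 * byte count would overflow; only then hand the count to calloc. */
reply_stub **alloc_reply_array(size_t count, size_t max_elements) {
    size_t bytes;
    if (count == 0 || count > max_elements)
        return NULL;
    if (!checked_mul(count, sizeof(reply_stub *), &bytes))
        return NULL;
    return calloc(count, sizeof(reply_stub *));
}

int main(void) {
    /* Constructed input: the smallest count whose product wraps on this platform. */
    size_t huge = SIZE_MAX / sizeof(reply_stub *) + 1;
    printf("unchecked byte count for %zu elements: %zu\n",
           huge, unchecked_byte_count(huge));
    printf("hardened allocation for that count: %s\n",
           alloc_reply_array(huge, SIZE_MAX) ? "allocated" : "rejected");

    reply_stub **arr = alloc_reply_array(3, 1024);
    printf("hardened allocation for 3 elements: %s\n",
           arr ? "allocated" : "rejected");
    free(arr);
    return 0;
}
```

On both 32-bit and 64-bit targets the constructed count multiplies out to exactly `SIZE_MAX + 1`, so the unchecked product wraps to 0: an allocator that does not perform its own overflow check would return a zero-length or minimal block for an array the parser believes holds billions of pointers. The hardened path rejects the same count twice over, first by the element ceiling when one is configured and then by `checked_mul`.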
Comment 2 Dmitry Postnikov 2023-09-14 13:56:30 MSK
***************************
The update sent to testings
Comment 3 Vladimir Potapov 2023-09-19 06:39:23 MSK
hiredis-0.13.3-2
https://abf.rosalinux.ru/build_lists/4683607 i686
https://abf.rosalinux.ru/build_lists/4683608 x86_64
https://abf.rosalinux.ru/build_lists/4683609 aarch64
https://abf.rosalinux.ru/build_lists/4683610 riscv64
https://abf.rosalinux.ru/build_lists/4683611 e2kv4
****************************** Advisory *****************************
CVE closed with a patch
*********************************************************************
QA Verified
Comment 4 Yury 2023-10-19 15:33:32 MSK
secteam_verified