redis: Integer wraparound in lua_struct.c causing stack-based buffer overflow (CVE-2015-8080)
It was found that getnum() function in lua_struct.c is vulnerable to
integer overflow that
can be used to trigger stack-based buffer overflow. getnum() can be
tricked into an integer
wraparound with a large size number as input, thus returning a negative
value.
This affects all released versions of redis in both 2.8 and 3.0
branches.
2.8.23 and 3.0.5 is affected.
References:
https://github.com/antirez/redis/issues/2855
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8080
(from redmine: issue id 4943, created on 2015-12-10, closed on 2015-12-19)
- Relations:
- child #4944 (closed)
- child #4945 (closed)
- child #4946 (closed)
- child #4947 (closed)
- Changesets:
- Revision 143427d6 by Natanael Copa on 2015-12-16T12:37:55Z:
main/redis: security fix for CVE-2015-8080
ref #4943
fixes #4944
- Revision b1116499 by Natanael Copa on 2015-12-16T12:44:26Z:
main/redis: upgrade to 3.0.5 and security fix for CVE-2015-8080
ref #4943
fixes #4945
- Revision 0f1793b2 by Natanael Copa on 2015-12-16T12:49:05Z:
main/redis: upgrade to 2.8.23 and security fix for CVE-2015-8080
ref #4943
fixes #4947