ArchLinux: 202106-12: redis: arbitrary code execution
Summary
An integer overflow bug in Redis versions 6.0 up to 6.2.3 can be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix of CVE-2021-29477.
Resolution
Upgrade to 6.2.4-1.
# pacman -Syu "redis>=6.2.4-1"
The problem has been fixed upstream in version 6.2.4.
References
https://github.com/redis/redis/security/advisories/GHSA-46cp-x4x9-6pfq https://github.com/redis/redis/pull/9011 https://github.com/redis/redis/pull/9019 https://github.com/redis/redis/commit/e9a1438ac4c52aa68dfa2a8324b6419356842116 https://security.archlinux.org/CVE-2021-32625
Workaround
A workaround to mitigate the problem is to use an ACL configuration toprevent clients from using the STRALGO LCS command.On systems running Redis version 6.2.3, it is sufficient to make surethat the proto-max-bulk-len config parameter is smaller than 2GB(default is 512MB).