oss-sec mailing list archives

Re: CVE Request: redis Lua sandbox escape and arbitrary code execution


From: cve-assign () mitre org
Date: Thu, 4 Jun 2015 17:56:09 -0400 (EDT)

redis 3.0.2 and 2.8.21 have been released

https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ
http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411

The Ben Murphy advisory has a long discussion of many software and
deployment issues. Do you have a specific viewpoint about what the CVE
ID should be for? In particular, is the essence of the request that
the Redis upstream vendor believes that loading Lua bytecode was, by
itself, inherently an implementation mistake in Redis, and is now
fixed by the
https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
change?

By way of background: we have previously tried to gather information
for assigning CVE IDs to the underlying bytecode security concerns in
Lua (see the http://openwall.com/lists/oss-security/2014/08/27/2
post), but this was unsuccessful. If the currently needed CVE ID should
be only about Redis, as mentioned in the above paragraph, then we will
not be revisiting those Lua issues now.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]