oss-sec mailing list archives
Re: CVE Request: redis Lua sandbox escape and arbitrary code execution
From: cve-assign () mitre org
Date: Thu, 4 Jun 2015 17:56:09 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
redis 3.0.2 and 2.8.21 have been released
https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
The Ben Murphy advisory has a long discussion of many software and deployment issues. Do you have a specific viewpoint about what the CVE ID should be for? In particular, is the essence of the request that the Redis upstream vendor believes that loading Lua bytecode was, by itself, inherently an implementation mistake in Redis, and is now fixed by the https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411 change? By way of background: we have previously tried to gather information for assigning CVE IDs to the underlying bytecode security concerns in Lua (see the http://openwall.com/lists/oss-security/2014/08/27/2 post), but this was unsuccessful. If the currently needed CVE ID should be only about Redis, as mentioned in the above paragraph, then we will not be revisiting those Lua issues now. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVcMkAAAoJEKllVAevmvmshgoH/0d6gd3qhLrK615YkgfLRCnU bAuBrbBRf3aCO4qQWfdvdluSDb4pf8Uc2ECC9c1eHJfqRNIvkWgq+9MYWV0S1Jgz O1WjYgJ5QbamqgECPUluj3yrZdefLwIVNxKRjfzIa5uZS/e4zbWyYcWPEuXsU6YD 7PiFDRx0S6k1OUpw1/051uV9p/Q06PZcPKtQq4qIH2gjcZO1MQn/C8T0y+tNVNKq iUyG84esvBK04AjakUNppHSYTiBcW7dGEWhwd7cvdvXWnF+g3s/PBZNve3B5czIZ klk0DqXHtTaYvSF4ERY2cjMKU3GBJWq4dQ2kkfXBDjm28oqG2Nit8APETMWpNHU= =J2bY -----END PGP SIGNATURE-----
Current thread:
- CVE Request: redis Lua sandbox escape and arbitrary code execution Alessandro Ghedini (Jun 04)
- Re: CVE Request: redis Lua sandbox escape and arbitrary code execution cve-assign (Jun 04)
- Re: CVE Request: redis Lua sandbox escape and arbitrary code execution Alessandro Ghedini (Jun 05)
- Re: CVE Request: redis Lua sandbox escape and arbitrary code execution cve-assign (Jun 05)
- Re: CVE Request: redis Lua sandbox escape and arbitrary code execution Alessandro Ghedini (Jun 05)
- Re: CVE Request: redis Lua sandbox escape and arbitrary code execution cve-assign (Jun 04)