Bug 991250 (CVE-2013-7458)

Summary: VUL-0: CVE-2013-7458: redis: World readable .rediscli_history
Product: [openSUSE] openSUSE Distribution Reporter: Andreas Stieger <astieger>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: kstreitova, lars.vogdt, michal.hrusecky, mpluskal, mrueckert, mseben, nix, pth, sbahling
Version: Leap 42.1   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2016-07-29 11:44:55 UTC 
http://seclists.org/oss-sec/2016/q3/189

    https://bugs.debian.org/832460


        redis-cli stores its history in ~/.rediscli_history, this file is
        created with permissions 0644. Home folders are world readable as well
        in debian, so any user can access other users' redis history, including
        AUTH commands, which include credentials.

        I've contacted upstream on 2016-05-30 without any reaction at all and
        discovered this bug was first reported 3 years ago, still unfixed.
        @RedisLabs keeps referring to their paid support on twitter.

        Demo: `cat /home/*/.rediscli_history`


    Upstream report: https://github.com/antirez/redis/issues/3284


            https://github.com/antirez/redis/pull/3322
            https://github.com/antirez/redis/pull/1418



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7458
http://seclists.org/oss-sec/2016/q3/189
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7458.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460
Comment 2 Andreas Stieger 2016-07-29 11:54:15 UTC 
openSUSE:13.2:Update/redis       2.8.22
openSUSE:Backports:SLE-12/redis  3.0.7  (sbahling)
openSUSE:Leap:42.1:Update/redis  3.0.4
Comment 3 Andreas Stieger 2016-07-30 10:30:50 UTC 
https://build.opensuse.org/request/show/416021
https://build.opensuse.org/request/show/416022
pending maintainer reviews
Comment 4 Bernhard Wiedemann 2016-07-30 18:00:34 UTC 
This is an autogenerated message for OBS integration:
This bug (991250) was mentioned in
https://build.opensuse.org/request/show/416076 13.2+42.1 / redis
Comment 5 Bernhard Wiedemann 2016-07-30 20:00:29 UTC 
This is an autogenerated message for OBS integration:
This bug (991250) was mentioned in
https://build.opensuse.org/request/show/416077 Backports:SLE-12 / redis
Comment 6 Andreas Stieger 2016-08-05 18:14:29 UTC 
release update
Comment 7 Swamp Workflow Management 2016-08-05 22:14:44 UTC 
openSUSE-SU-2016:1980-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 991250
CVE References: CVE-2013-7458
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    redis-3.0.7-6.1
Comment 8 Swamp Workflow Management 2016-08-05 22:15:07 UTC 
openSUSE-SU-2016:1981-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 991250
CVE References: CVE-2013-7458
Sources used:
openSUSE Leap 42.1 (src):    redis-3.0.4-6.1
openSUSE 13.2 (src):    redis-2.8.22-2.12.1
Comment 11 Swamp Workflow Management 2020-11-11 14:36:12 UTC 
SUSE-OU-2020:3291-1: An update that solves 7 vulnerabilities, contains four features and has two fixes is now available.

Category: optional (moderate)
Bug References: 1002351,1047218,1061967,1064980,1097430,1131555,798455,835815,991250
CVE References: CVE-2013-7458,CVE-2015-8080,CVE-2016-10517,CVE-2016-8339,CVE-2017-15047,CVE-2018-11218,CVE-2018-11219
JIRA References: ECO-2417,ECO-2867,SLE-11578,SLE-12821
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    redis-6.0.8-1.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.