Describe the bug: redis is affected by CVE-2020-15888
Security issue: redis uses lua-5.1.1. OSSPI scan results (https://ussm.gsa.gov/about/) show that redis is affected by CVE-2020-15888.
To reproduce: Please check https://www.cvedetails.com/cve/CVE-2020-15888/ and follow the POC examples from the lua mailing list.
Additional information
Any plans on upgrading lua to the latest, or at least a recent, version in redis? Please assist.
Comment From: sshedi
@antirez @oranagra @pietern can you guys please take a look at this issue? The Ubuntu security advisory says it's no problem: https://ubuntu.com/security/CVE-2020-15888
But the federal security scan tool says otherwise.
Comment From: oranagra
@sshedi it was recently discussed here: https://github.com/redis/redis/issues/11287#issuecomment-1253892662. I think the text in the CVE is misleading, and it only applies to 5.4.
Comment From: oranagra
To reproduce: Please check https://www.cvedetails.com/cve/CVE-2020-15888/ and follow the POC examples from the lua mailing list.
Did you actually try that? AFAIK @MeirShpilraien did and failed to reproduce it.
Additional information: Any plans on upgrading lua to the latest, or at least a recent, version in redis? Please assist.
Lua 5.4 is not backwards compatible with Lua 5.1, so we do not have any plans to upgrade it. More info here: https://github.com/redis/redis/issues/7382#issuecomment-1211567217
Comment From: sshedi
Thanks a lot for your quick responses @oranagra. I think I tried the POC with lua-5.1, but I should have tried with lua-5.1.5.
But it would be a good thing to move on to the latest version of lua. lua-5.1.5 was released 10 years ago. Thanks again.
Comment From: oranagra
I think I tried the POC with lua-5.1, but I should have tried with lua-5.1.5.
So, did you succeed in reproducing any problem with 5.1?
Comment From: oranagra
BTW, looking at Ubuntu and Debian, it looks like they reached the same conclusions.
https://ubuntu.com/security/CVE-2020-15888:
couldn't reproduce on lua earlier than 5.4. No indication that earlier versions are vulnerable. Marking not-affected.
https://tracker.debian.org/media/packages/l/lua5.1/changelog-5.1.5-9: the only backport is for CVE-2014-5461.
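The practical question for a defender reading this thread is how to triage a scanner finding like the one that opened the issue: the scanner matched "lua" and reported CVE-2020-15888, while the thread and the Ubuntu tracker conclude it applies only to the Lua 5.4 line. The helper below is an added example, not code from the Redis project or from anyone in this thread. It parses version strings in the forms that appear here ("lua-5.1.5", "Lua 5.4.0") and in the output of the usual runtime check, `redis-cli eval "return _VERSION" 0`, which prints the embedded interpreter's version string ("Lua 5.1"), and decides the finding against an affected-version table that holds only what this thread established. The scanner lines it runs over are constructed for the example; CVE-2014-5461 is included only to show that a CVE the table does not cover comes back as "unknown" rather than silently passing.

```python
"""Triage Lua CVE findings raised against Redis' embedded Lua.

Added example (not Redis project code). Encodes the thread's conclusion:
CVE-2020-15888 affects only Lua 5.4, so a finding against the bundled
Lua 5.1.x is a false positive. Sample scanner lines are constructed.
"""
import re
from typing import Callable, Dict, NamedTuple, Optional


class LuaVersion(NamedTuple):
    major: int
    minor: int
    patch: Optional[int]  # None when only "5.1" is reported, as _VERSION does


# Matches "Lua 5.1", "lua-5.1.5", "Lua 5.4.0", including the quoted form
# redis-cli prints for a bulk string: "Lua 5.1"
_VERSION_RE = re.compile(r"(?i)\blua[ -]?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_lua_version(text: str) -> Optional[LuaVersion]:
    """Extract a Lua version from free text; None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    patch = int(m.group(3)) if m.group(3) is not None else None
    return LuaVersion(int(m.group(1)), int(m.group(2)), patch)


# Affected-version predicates. Only what this thread and the Ubuntu tracker
# support is encoded: CVE-2020-15888 applies to the 5.4 line and nothing else.
# Any CVE not listed here deliberately triages as "unknown".
AFFECTED: Dict[str, Callable[[LuaVersion], bool]] = {
    "CVE-2020-15888": lambda v: (v.major, v.minor) == (5, 4),
}


def triage(cve: str, version_text: str) -> str:
    """Return 'affected', 'not-affected' or 'unknown' for one finding."""
    version = parse_lua_version(version_text)
    predicate = AFFECTED.get(cve.upper())
    if version is None or predicate is None:
        return "unknown"
    return "affected" if predicate(version) else "not-affected"


# Constructed scanner output, one finding per line: "<cve> <package> <version>"
SAMPLE_FINDINGS = """\
CVE-2020-15888 redis lua-5.1.5
CVE-2020-15888 lua lua-5.4.0
CVE-2014-5461 redis lua-5.1.5
"""


def triage_report(findings: str = SAMPLE_FINDINGS) -> Dict[str, str]:
    """Map each finding ('<cve>@<version>') to its triage verdict."""
    report: Dict[str, str] = {}
    for line in findings.splitlines():
        if not line.strip():
            continue
        cve, _package, version = line.split()
        report[f"{cve}@{version}"] = triage(cve, version)
    return report


if __name__ == "__main__":
    # Expected: lua-5.1.5 not-affected, lua-5.4.0 affected, CVE-2014-5461 unknown
    for finding, verdict in triage_report().items():
        print(f"{finding}: {verdict}")
```

The "unknown" verdict is the important design choice: a triage table that only knows one CVE must not turn every other finding into a pass, which is exactly the kind of silent miss that makes scanner suppressions dangerous. Extend AFFECTED only with ranges you have verified against the upstream advisory or distribution tracker.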
Comment From: sshedi
With the POC in this link:
http://lua-users.org/lists/lua-l/2020-07/msg00054.html
and lua-5.1, I got a segfault from lua.
wget https://www.lua.org/ftp/lua-5.1.tar.gz
tar xf lua-5.1.tar.gz && cd lua-5.1 && make linux -j8
cd src && ./lua poc.lua
I'm getting the following output:
$ ./lua poc.lua
realloc(): invalid next size
Aborted (core dumped)
I'm using gcc-7.3.0.
Comment From: MeirShpilraien
We checked it already and it's not crashing on 5.1.5; we also ran it with valgrind, no warnings.
Comment From: yossigo
I agree this is a false positive. @sshedi Do you happen to know if there's a way to report it as such to the OSSPI developers? Regarding Lua 5.4, we do not upgrade because Lua versions are not backwards compatible, so many existing scripts will break if we do.
Comment From: sshedi
We got this issue reported from one of our internal teams; they will take it forward and report it as a false positive to OSSPI. Thanks @yossigo