mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-02 13:59:59 +00:00
Code Issues Projects Releases Wiki Activity

redis: Refine CVE-2022-0543 status description

Browse Source 
Refine the CVE_STATUS description for CVE-2022-0543 to provide
a more precise explanation of this Debian-specific vulnerability.

The vulnerability originates from Debian's packaging methodology,
which loads system-wide Lua libraries (lua-cjson, lua-cmsgpack),
enabling Lua sandbox escape. Upstream Redis builds, including
those built by Yocto/OpenEmbedded, utilize embedded Lua from the
deps/ directory and are therefore not affected by this issue.

It is also fixed in Debian with this commit:
https://salsa.debian.org/lamby/pkg-redis/-/commit/c7fd665150dc4769402cae97d1152b3c6e4366f0

References:
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
- https://nvd.nist.gov/vuln/detail/CVE-2022-0543

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
Deepak Rathore
2025-12-04 09:25:10 -08:00
committed by Khem Raj
parent 331126a6d0
commit 7675392aa7
2 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-extended/redis/redis_6.2.21.bb
+6 -1
View File
@@ -21,7 +21,12 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
SRC_URI[sha256sum] = "6383b32ba8d246f41bbbb83663381f5a5f4c4713235433cec22fc4a47e9b6d5f"
CVE_STATUS[CVE-2025-21605] = "cpe-incorrect: the used version already contains the fix"
CVE_STATUS[CVE-2022-0543] = "not-applicable-config: the vulnerability is not present in upstream, only in Debian-packaged version"
# The vulnerability originates from Debian's packaging methodology,
# which loads system-wide Lua libraries (lua-cjson, lua-cmsgpack),
# enabling Lua sandbox escape. Upstream Redis builds, including
# those built by Yocto/OpenEmbedded, utilize embedded Lua from the
# deps/ directory and are therefore not affected by this issue.
CVE_STATUS[CVE-2022-0543] = "not-applicable-config: Debian-specific packaging issue caused by loading system-wide Lua libraries; upstream builds use embedded Lua and are not affected"
CVE_STATUS[CVE-2022-3734] = "not-applicable-config: only affects Windows"
inherit update-rc.d systemd useradd
meta-oe/recipes-extended/redis/redis_7.2.12.bb
+6 -1
View File
@@ -78,4 +78,9 @@ INITSCRIPT_PARAMS = "defaults 87"
SYSTEMD_SERVICE:${PN} = "redis.service"
CVE_STATUS[CVE-2022-3734] = "not-applicable-platform: CVE only applies for Windows."
CVE_STATUS[CVE-2022-0543] = "not-applicable-platform: Debian-specific CVE"
# The vulnerability originates from Debian's packaging methodology,
# which loads system-wide Lua libraries (lua-cjson, lua-cmsgpack),
# enabling Lua sandbox escape. Upstream Redis builds, including
# those built by Yocto/OpenEmbedded, utilize embedded Lua from the
# deps/ directory and are therefore not affected by this issue.
CVE_STATUS[CVE-2022-0543] = "not-applicable-config: Debian-specific packaging issue caused by loading system-wide Lua libraries; upstream builds use embedded Lua and are not affected"