mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

redis: Refine CVE-2022-0543 status description

Browse Source 
Refine the CVE_STATUS description for CVE-2022-0543 to provide
a more precise explanation of this Debian-specific vulnerability.

The vulnerability originates from Debian's packaging methodology,
which loads system-wide Lua libraries (lua-cjson, lua-cmsgpack),
enabling Lua sandbox escape. Upstream Redis builds, including
those built by Yocto/OpenEmbedded, utilize embedded Lua from the
deps/ directory and are therefore not affected by this issue.

It is also fixed in Debian with this commit:
https://salsa.debian.org/lamby/pkg-redis/-/commit/c7fd665150dc4769402cae97d1152b3c6e4366f0

References:
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
- https://nvd.nist.gov/vuln/detail/CVE-2022-0543

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7675392aa7)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Deepak Rathore
2025-12-18 16:56:19 +05:30
committed by Anuj Mittal
parent 9a4ed6f20f
commit e76bf51a92
2 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-extended/redis/redis_6.2.21.bb
+6 -1
View File
@@ -67,4 +67,9 @@ INITSCRIPT_PARAMS = "defaults 87"
SYSTEMD_SERVICE:${PN} = "redis.service"
CVE_STATUS[CVE-2022-0543] = "not-applicable-config: the vulnerability is not present in upstream, only in Debian-packaged versions"
# The vulnerability originates from Debian's packaging methodology,
# which loads system-wide Lua libraries (lua-cjson, lua-cmsgpack),
# enabling Lua sandbox escape. Upstream Redis builds, including
# those built by Yocto/OpenEmbedded, utilize embedded Lua from the
# deps/ directory and are therefore not affected by this issue.
CVE_STATUS[CVE-2022-0543] = "not-applicable-config: Debian-specific packaging issue caused by loading system-wide Lua libraries; upstream builds use embedded Lua and are not affected"
meta-oe/recipes-extended/redis/redis_7.2.12.bb
+6 -1
View File
@@ -70,5 +70,10 @@ INITSCRIPT_PARAMS = "defaults 87"
SYSTEMD_SERVICE:${PN} = "redis.service"
CVE_STATUS[CVE-2022-3734] = "not-applicable-platform: CVE only applies for Windows."
CVE_STATUS[CVE-2022-0543] = "not-applicable-config: the vulnerability is not present in upstream, only in Debian-packaged versions"
# The vulnerability originates from Debian's packaging methodology,
# which loads system-wide Lua libraries (lua-cjson, lua-cmsgpack),
# enabling Lua sandbox escape. Upstream Redis builds, including
# those built by Yocto/OpenEmbedded, utilize embedded Lua from the
# deps/ directory and are therefore not affected by this issue.
CVE_STATUS[CVE-2022-0543] = "not-applicable-config: Debian-specific packaging issue caused by loading system-wide Lua libraries; upstream builds use embedded Lua and are not affected"
CVE_STATUS[CVE-2025-27151] = "fixed-version: the used version(7.2.12) contains the fix"