FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

redis -- Integer overflow issues with BITFIELD command on 32-bit systems

Affected packages
redis < 6.0.15
redis-devel < 6.2.5
redis5 < 5.0.13

Details

VuXML ID c561ce49-eabc-11eb-9c3f-0800270512f4
Discovery 2021-07-04
Entry 2021-07-27

Huang Zhw reports:

On 32-bit versions, the Redis BITFIELD command is vulnerable to an integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves constructing specially crafted bit commands which overflow the bit offset.

This problem only affects 32-bit versions of Redis.
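The two facts a defender needs from this entry are the fixed versions in the affected-packages list and the restriction to 32-bit builds. The following script is an added example, not part of the VuXML entry or of the Redis project: it parses the `redis_version` and `arch_bits` fields of a Redis `INFO server` reply and reports whether the build falls inside this advisory's scope. Mapping the package names to release lines (redis to 6.0.x, redis-devel to 6.2.x, redis5 to 5.0.x) is an assumption made for the example; the INFO text it runs on is constructed inline.

```python
"""Classify a Redis server against this advisory: affected only when the build is
32-bit AND its version is below the fixed release for its line."""

import re

# Fixed versions per release line, taken from the "Affected packages" list above.
# Assumption for this example: redis -> 6.0.x, redis-devel -> 6.2.x, redis5 -> 5.0.x.
FIXED_VERSIONS = {
    (5, 0): (5, 0, 13),
    (6, 0): (6, 0, 15),
    (6, 2): (6, 2, 5),
}


def parse_version(text):
    """Turn '6.0.14' into (6, 0, 14); raise ValueError on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised redis_version: {text!r}")
    return tuple(int(x) for x in m.groups())


def parse_info(info_text):
    """Parse the key:value lines of an INFO reply into a dict.

    Real replies use CRLF line endings and '#' section headers; both are handled.
    """
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def assess(info_text):
    """Return (affected, reason) for one server's INFO output."""
    fields = parse_info(info_text)
    version = parse_version(fields.get("redis_version", ""))
    arch_bits = fields.get("arch_bits", "unknown")
    shown = ".".join(map(str, version))

    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return False, f"{shown}: release line not covered by this advisory"
    if version >= fixed:
        return False, f"{shown}: at or above fixed version {'.'.join(map(str, fixed))}"
    if arch_bits != "32":
        # Below the fixed version, but the advisory states only 32-bit builds are affected.
        return False, f"{shown}: in the listed range but {arch_bits}-bit build, outside this advisory"
    return True, f"{shown}: 32-bit build below fixed version {'.'.join(map(str, fixed))}"


# Constructed sample INFO replies (not captured from real servers).
SAMPLE_32BIT_OLD = "# Server\r\nredis_version:6.0.14\r\narch_bits:32\r\n"
SAMPLE_64BIT_OLD = "# Server\r\nredis_version:6.0.14\r\narch_bits:64\r\n"
SAMPLE_FIXED = "# Server\r\nredis_version:6.2.5\r\narch_bits:32\r\n"

if __name__ == "__main__":
    for name, sample in [("32-bit 6.0.14", SAMPLE_32BIT_OLD),
                         ("64-bit 6.0.14", SAMPLE_64BIT_OLD),
                         ("32-bit 6.2.5", SAMPLE_FIXED)]:
        affected, reason = assess(sample)
        print(f"{name}: {'AFFECTED' if affected else 'not affected'} ({reason})")
```

Against a live server the same text comes from `redis-cli INFO server`; the script deliberately treats a below-threshold 64-bit build as outside this advisory rather than silently safe, so the reason string still shows the version gap.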

References

CVE Name CVE-2021-32761
URL https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj