sandbox escape affecting only Debian, Ubuntu, and other derivatives

Talk about internet security, computer security, personal security, your social security number...
Post Reply
morganism
Senior Member
Posts: 134
Joined: Tue Nov 26, 2013 9:44 pm

sandbox escape affecting only Debian, Ubuntu, and other derivatives

Post by morganism »

An unexpected Redis sandbox escape affecting only Debian, Ubuntu, and other derivatives

"This post describes how I broke the Redis sandbox, but only for Debian and Debian-derived Linux distributions. Upstream Redis is not affected. That makes it a Debian vulnerability, not a Redis one. The culprit, if you will, is dynamic linking, but there will be more on that later.

This received the CVE id of CVE-2022-0543. Debian also released the DSA-5081 security advisory on 18/Feb/2022, and Ubuntu released USN-5316-1 on 7/Mar/2022, so I'm releasing this post on 8/Mar/2022.

Who should care?

Only people who run Redis on Debian, Ubuntu, and possibly other Debian-based distros. Just make sure your system is up to date.

Interestingly, I was surprised that I had to report this to Debian and Ubuntu separately. I expected that Ubuntu would either automatically pick the fix up or that there would be a manual process wherein someone at Canonical would take a look at all Debian security announcements and check whether they apply to Ubuntu as well. I'll leave that as a suggestion to Canonical."

https://www.ubercomp.com/posts/2022-01- ... debian_rce
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Post Reply