sandbox escape affecting only Debian, Ubuntu, and other derivatives

Posted: Thu Mar 10, 2022 9:16 am
by morganism
An unexpected Redis sandbox escape affecting only Debian, Ubuntu, and other derivatives

"This post describes how I broke the Redis sandbox, but only for Debian and Debian-derived Linux distributions. Upstream Redis is not affected. That makes it a Debian vulnerability, not a Redis one. The culprit, if you will, is dynamic linking, but there will be more on that later.

This received the CVE id of CVE-2022-0543. Debian also released the DSA-5081 security advisory on 18/Feb/2022, and Ubuntu released USN-5316-1 on 7/Mar/2022, so I'm releasing this post on 8/Mar/2022.

Who should care?

Only people who run Redis on Debian, Ubuntu, and possibly other Debian-based distros. Just make sure your system is up to date.

Interestingly, I was surprised that I had to report this to Debian and Ubuntu separately. I expected that Ubuntu would either automatically pick the fix up or that there would be a manual process wherein someone at Canonical would take a look at all Debian security announcements and check whether they apply to Ubuntu as well. I'll leave that as a suggestion to Canonical."

https://www.ubercomp.com/posts/2022-01- ... debian_rce