#1106822 redis: CVE-2025-27151

Package:
src:redis
Source:
src:redis
Submitter:
Salvatore Bonaccorso
Date:
2025-08-02 17:19:03 UTC
Severity:
normal
Tags:
#1106822#5
Date:
2025-05-30 05:12:36 UTC
From:
To:
Hi,

The following vulnerability was published for redis.

CVE-2025-27151[0]:
| Redis is an open source, in-memory database that persists on disk.
| In versions starting from 7.0.0 to before 8.0.2, a stack-based
| buffer overflow exists in redis-check-aof due to the use of memcpy
| with strlen(filepath) when copying a user-supplied file path into a
| fixed-size stack buffer. This allows an attacker to overflow the
| stack and potentially achieve code execution. This issue has been
| patched in version 8.0.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27151
https://www.cve.org/CVERecord?id=CVE-2025-27151
[1] https://github.com/redis/redis/security/advisories/GHSA-5453-q98w-cmvm

Regards,
Salvatore
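
The CVE text above describes the bug as a memcpy driven by strlen(filepath) into a fixed-size stack buffer. The following is an added illustration of that pattern beside a bounds-checked replacement; it is not code from redis-check-aof, and the buffer size, function names and sample paths are assumptions made for the example.

```c
/* Added example, not redis code: the memcpy(dst, path, strlen(path)+1)
 * pattern next to a bounds-checked version of the same copy. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed buffer size, kept small so an over-long path is easy
 * to construct in a test. The real tool uses a PATH_MAX-sized buffer. */
#define PATH_BUF 64

/* Vulnerable shape: the copy length comes from the attacker-controlled
 * string, not from the destination. Any src of PATH_BUF bytes or more
 * writes past the end of dst. Shown only for contrast; never call it on
 * untrusted input. */
size_t copy_path_unchecked(char dst[PATH_BUF], const char *src)
{
    size_t n = strlen(src);
    memcpy(dst, src, n + 1);   /* overflows dst when n >= PATH_BUF */
    return n;
}

/* Hardened shape: measure with a bound, refuse anything that does not fit
 * together with its NUL, and leave dst NUL-terminated on every path.
 * Returns 0 on success, -1 when the path is too long for dst. */
int copy_path_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    /* Bounded scan: never reads more than dstlen bytes of src. */
    while (n < dstlen && src[n] != '\0')
        n++;
    if (n >= dstlen) {          /* no room for the terminating NUL */
        if (dstlen)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n + 1 <= dstlen is now guaranteed */
    return 0;
}

/* Convenience check a caller can run before touching the buffer at all. */
int path_fits(const char *src, size_t dstlen)
{
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')
        n++;
    return n < dstlen;
}

int main(void)
{
    char buf[PATH_BUF];
    /* Constructed sample input: a path that fits, and one that does not. */
    const char *ok = "/var/lib/redis/appendonlydir/appendonly.aof.1.base.rdb";
    char toolong[PATH_BUF + 16];
    memset(toolong, 'A', sizeof toolong - 1);
    toolong[sizeof toolong - 1] = '\0';

    printf("short path: rc=%d fits=%d\n",
           copy_path_checked(buf, sizeof buf, ok), path_fits(ok, sizeof buf));
    printf("long  path: rc=%d fits=%d\n",
           copy_path_checked(buf, sizeof buf, toolong),
           path_fits(toolong, sizeof buf));
    return 0;
}
```

The boundary worth testing is the exact fit: a path of PATH_BUF-1 characters is the longest that can be stored with its terminator, and a path of PATH_BUF characters must already be rejected, because the original bug is a one-byte-off style miscount of strlen(filepath) against the buffer, not only a wildly oversized path.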

#1106822#16
Date:
2025-05-30 19:10:13 UTC
From:
To:
tags 1106822 + pending
thanks

This is fixed in Git by updating to the 8.0.2 point release. I will
upload once I get clarity on the status of 8.0.x in trixie.


Regards,

#1106822#21
Date:
2025-07-15 15:27:38 UTC
From:
To:
Hi,

The upload of 8.0.2 already happened, but this bug isn't closed. I
assume that's just an oversight?

With this version, isn't CVE-2025-49112 also fixed?

Paul

#1106822#26
Date:
2025-07-15 16:34:03 UTC
From:
To:
Hi Paul,

Yes. When preparing the actual upload, I did not pass -v to
dpkg-genchanges, so the .changes file did not specify this bug
number in the Closes entry.

I can confirm that this CVE is fixed, so closing manually here.


Regards,

#1106822#31
Date:
2025-07-15 19:00:14 UTC
From:
To:
Hi

Not the maintainer, but interested to have CVE tracking correct. So it
looks like the packaging repository has a tag for 5:8.0.2-1, but that
upload never entered the archive apparently, the next one 5:8.0.2-2
did enter, so let's close it with that version being the first in
unstable containing the fix.

Regards,
Salvatore

#1106822#41
Date:
2025-07-23 19:49:16 UTC
From:
To:
[adding #1107211 to CC]

Paul Gevers wrote:
and/or waiting for upstream to determine whether it truly is a
vulnerability at all:

https://github.com/redis/redis/issues/14199#issuecomment-3076467634


Regards,

#1106822#46
Date:
2025-07-23 20:37:26 UTC
From:
To:
Hi,

It is correct that redis upstream and valkey classify the issue
differently. I think it's perfectly fine to leave this for redis
unpatched until upstream either says they won't fix it at all or apply
the hardening.

valkey has a CVE assigned, but it is definitively low severity.

Regards,
Salvatore

#1106822#51
Date:
2025-08-02 17:17:23 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1106822@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 23 Jul 2025 13:01:37 -0700
Source: redis
Binary: redis redis-sentinel redis-server redis-tools redis-tools-dbgsym
Built-For-Profiles: nocheck
Architecture: source amd64 all
Version: 5:7.0.15-1~deb12u5
Distribution: bookworm-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis      - Persistent key-value database with network interface (metapackage)
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 1106822 1108975 1108981
Changes:
 redis (5:7.0.15-1~deb12u5) bookworm-security; urgency=high
 .
   * CVE-2025-27151: Fix a stack-based buffer overflow in redis-check-aof
     caused by the use of memcpy with strlen(filepath) when copying a
     user-supplied file path into a fixed-size stack buffer. This allowed an
     attacker to overflow the stack and potentially achieve arbitrary code
     execution. (Closes: #1106822)
   * CVE-2025-32023: An authenticated user may have used a specially-crafted
     string to trigger a stack/heap out-of-bounds write during hyperloglog
     operations, potentially leading to remote code execution. Installations
     that used Redis' ACL system to restrict hyperloglog "HLL" commands are
     unaffected by this issue. (Closes: #1108975)
   * CVE-2025-48367: An unauthenticated connection could have caused repeated IP
     protocol errors, leading to client starvation and ultimately become a
     Denial of Service (DoS) attack. (Closes: #1108981)
Checksums-Sha1:
 18a4842a7e7edcb2cce74bfdc44339b9599fd01f 2305 redis_7.0.15-1~deb12u5.dsc
 acb9e167a849f2e52c11c119b3f6d075a155a8db 35752 redis_7.0.15-1~deb12u5.debian.tar.xz
 47746ad01601dd8792d776b2f1cee0e48c8cfb3f 34244 redis-sentinel_7.0.15-1~deb12u5_amd64.deb
 f927d303f747c43a64d99c78b629e2967135d42c 73036 redis-server_7.0.15-1~deb12u5_amd64.deb
 734a4248e4bd09ccb1e876831488ca42e723c39c 2781548 redis-tools-dbgsym_7.0.15-1~deb12u5_amd64.deb
 58110254c908802e75aa3c5c2110e1dd10b2dc04 990064 redis-tools_7.0.15-1~deb12u5_amd64.deb
 32bfb234b609f856eb8b93752a86c79ce066861d 25188 redis_7.0.15-1~deb12u5_all.deb
 d1d314a4c5f5e2b951868e67f66f6139ad30f93b 8054 redis_7.0.15-1~deb12u5_amd64.buildinfo
Checksums-Sha256:
 3757314faf89ff571d4a4231fd37980e1eaec31077aa2ecf8d7edcefd3b7d65d 2305 redis_7.0.15-1~deb12u5.dsc
 e1702e67e26fe8635031e0bb1f4c70715ef977f305bedc49cc8638fae4605871 35752 redis_7.0.15-1~deb12u5.debian.tar.xz
 9112e1810c451d9723b6c797f702e526984ad40b14c2d5475dfb96c941c04697 34244 redis-sentinel_7.0.15-1~deb12u5_amd64.deb
 6e97c13c2af60a74e0e8bd636c04a6bc20645e2712b40ff9bf147fc43732b1e3 73036 redis-server_7.0.15-1~deb12u5_amd64.deb
 10b41e16f485d28b00f81f06302d1756329d18aa0a2a2e74f5a3ab8c5f3d8b95 2781548 redis-tools-dbgsym_7.0.15-1~deb12u5_amd64.deb
 64999150bd1227846578f80af90a4a900eab024fb004162dd120b7b70fc5a893 990064 redis-tools_7.0.15-1~deb12u5_amd64.deb
 ad610f5b96e4f96dd1808b130bd30c102c2f134e5a45f5759f543e15f2ee3d5f 25188 redis_7.0.15-1~deb12u5_all.deb
 9a4144e1da161678c66382f52799533807f75b96023a1774f4f77050c1472356 8054 redis_7.0.15-1~deb12u5_amd64.buildinfo
Files:
 30ee6f3fbd0ff5f7b44985fd7cbe59fd 2305 database optional redis_7.0.15-1~deb12u5.dsc
 c864385b8633652a2c3b8df6594db0a7 35752 database optional redis_7.0.15-1~deb12u5.debian.tar.xz
 189f7807dec379075ef1c8b89099c8ef 34244 database optional redis-sentinel_7.0.15-1~deb12u5_amd64.deb
 e478c38b1eb489df52f6c1385476a285 73036 database optional redis-server_7.0.15-1~deb12u5_amd64.deb
 6c8b52b219e7174b1e5c02f0191e174b 2781548 debug optional redis-tools-dbgsym_7.0.15-1~deb12u5_amd64.deb
 1936a64d0a30b8dd45708d3ee38ea9c3 990064 database optional redis-tools_7.0.15-1~deb12u5_amd64.deb
 1189a4b72239d7457477053ee649aee2 25188 database optional redis_7.0.15-1~deb12u5_all.deb
 2b1158a73915a7ff0cad39448d26ad92 8054 database optional redis_7.0.15-1~deb12u5_amd64.buildinfo