Bugzilla – Bug 798455
VUL-1: redis: CVE-2013-0178, CVE-2013-0180: Two insecure temporary file use flaws
Last modified: 2020-11-11 14:35:58 UTC
Date: Mon, 14 Jan 2013 11:08:39 -0500 (EST)
From: Jan Lieskovsky
Hello Kurt, Steve, vendors,
Michael Scherer in the following Red Hat bugzilla:
pointed out that Redis, a persistent key-value database, in version 2.4
is prone to temporary file use in src/redis.c:
server.vm_swap_file = zstrdup("/tmp/redis-%p.vm");
Note: This problem was fixed by the patch below.
When searching for a patch that corrected the issue
above, I found out it was patch
 https://github.com/antirez/redis/commit/697af434fbeb2e3ba2ba9687cd283ed1a2734fa5 ,
but it also introduced another insecure temporary flaw in
776 + server.ds_path = zstrdup("/tmp/redis.ds");
Note: Issue #2 is also fixed in recent upstream 2.6.7 / 2.6.8
versions. If you want me to find exact patch, which
corrected the second problem, let me know and I will
provide the commit id.
Could you allocate (two) CVE ids for these issues?
Thank you && Regards, Jan.
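The two patterns the report describes, side by side, as an added example that is not code from Redis or from this bug: a fixed name under /tmp opened without O_EXCL reuses whatever already sits at that path, while O_EXCL (or mkstemp, which picks an unpredictable name and opens it exclusively in one step) refuses it. Function names and the /tmp/redis-XXXXXX template are constructed for the demonstration.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern from the report: a fixed, predictable name under /tmp opened
 * without O_EXCL. If a file or symlink already exists there, the open
 * silently succeeds and the server writes into it. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Same path, but O_EXCL fails if anything already exists at it and
 * O_NOFOLLOW additionally rejects a symlink as the final component. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Unpredictable name: mkstemp replaces XXXXXX with random characters and
 * performs the O_CREAT|O_EXCL open atomically, so no one can plant a file
 * at the chosen name between choosing it and opening it. */
int open_unpredictable(char *name_out, size_t n) {
    static const char tmpl[] = "/tmp/redis-XXXXXX";  /* constructed template */
    if (n < sizeof tmpl) return -1;
    memcpy(name_out, tmpl, sizeof tmpl);
    return mkstemp(name_out);
}

/* Pre-creates a file (standing in for one another local user planted) and
 * reports how each opener reacts. Returns 1 when the predictable open reused
 * the planted file and the exclusive open refused it with EEXIST. */
int planted_file_check(void) {
    char planted[32];
    int fd = open_unpredictable(planted, sizeof planted);
    if (fd < 0) return -1;
    close(fd);
    int reused = open_predictable(planted);
    errno = 0;
    int refused = open_exclusive(planted);
    int refused_eexist = (refused == -1 && errno == EEXIST);
    if (reused >= 0) close(reused);
    unlink(planted);
    return (reused >= 0 && refused_eexist) ? 1 : 0;
}
```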
A fix in Factory probably suffices, due to low impact.
Pavol ... the rule is whoever submits my packages without asking to factory becomes maintainer. If I wanted the package in factory, I would have submitted it.
bugbot adjusting priority
As you said, factory only. Done.
This is an autogenerated message for OBS integration:
This bug (798455) was mentioned in
https://build.opensuse.org/request/show/149531 Factory / redis
openSUSE-OU-2016:1376-1: An update that has two optional fixes can now be installed.
Category: optional (low)
Bug References: 798455,835815
SUSE Package Hub for SUSE Linux Enterprise 12 (src): redis-3.0.7-2.1
SUSE-OU-2020:3291-1: An update that solves 7 vulnerabilities, contains four features and has two fixes is now available.
Category: optional (moderate)
Bug References: 1002351,1047218,1061967,1064980,1097430,1131555,798455,835815,991250
CVE References: CVE-2013-7458,CVE-2015-8080,CVE-2016-10517,CVE-2016-8339,CVE-2017-15047,CVE-2018-11218,CVE-2018-11219
JIRA References: ECO-2417,ECO-2867,SLE-11578,SLE-12821
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): redis-6.0.8-1.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.