Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160728073234.GA8817@lorien.valinor.li>
Date: Thu, 28 Jul 2016 09:32:34 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: redis: World readable .rediscli_history

Hi

>From the Debian bug report at https://bugs.debian.org/832460:
> redis-cli stores its history in ~/.rediscli_history, this file is
> created with permissions 0644. Home folders are world readable as well
> in debian, so any user can access other users redis history, including
> AUTH commands, which include credentials.
> 
> I've contacted upstream on 2016-05-30 without any reaction at all and
> discovered this bug was first reported 3 years ago, still unfixed.
> @RedisLabs keeps referring to their paid support on twitter.
> 
> Demo: `cat /home/*/.rediscli_history`

Upstream report: https://github.com/antirez/redis/issues/3284

Could you please assign a CVE for this issue in redis?

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.