Commit 93b61712 authored by achill (fossdd)'s avatar achill (fossdd) Committed by Natanael Copa

community/redis: security upgrade to 7.2.7

https://github.com/redis/redis/releases/tag/7.2.6

https://github.com/redis/redis/releases/tag/7.2.7

- CVE-2024-46981
- CVE-2024-51741
parent ff50efba
1 merge request!78190[3.21] */{redis,redict,valkey}: patch CVE-2024-46981 & CVE-2024-51741
......@@ -4,8 +4,8 @@
# Maintainer: fossdd <fossdd@pwned.life>
pkgname=redis
# CAUTION: Do not upgrade to 7.3+ (non-free license).
pkgver=7.2.5
pkgrel=2
pkgver=7.2.7
pkgrel=0
pkgdesc="Advanced key-value store"
url="https://redis.io/"
arch="all"
......@@ -23,12 +23,12 @@ source="https://download.redis.io/releases/redis-$pkgver.tar.gz
$pkgname.confd
$pkgname-sentinel.initd
$pkgname.logrotate
CVE-2024-31227.patch
CVE-2024-31228.patch
CVE-2024-31449.patch
"
# secfixes:
# 7.2.7-r0:
# - CVE-2024-46981
# - CVE-2024-51741
# 7.2.5-r1:
# - CVE-2024-31227
# - CVE-2024-31228
......@@ -111,14 +111,11 @@ package() {
}
sha512sums="
e064a0f380e3a00ab8eb2f10ed7317fd6aa27d64cf00792fab80465036f92d17b166050e71b8a779fdf024528ac736cb54722316811f99951c4e386f4ab2245d redis-7.2.5.tar.gz
daac985fe987ae5bf0067288b45767dded259e6872a307ed3ee12a45e58470d24485cadc270cd46ebe1009d312a8d8b799c19b14c8db246839a2a66285001b17 redis-7.2.7.tar.gz
7725486329f2aba8fe03a768f6d8ab78cc96ab6f2ca403af56c252ef7978f7628b580587b372969ca5dd6257780ef58571ce6dc5aca468c3b2a299033b41047f redis.conf.patch
a5dc411c2bd7edf61400e29accb375275dd888fda72a8f7e3889be475010c695a22f536be818ef9441e47285c00b451966db924362a7f56806586078c9e3ff8c sentinel.conf.patch
f6dcdad1edd6b5fb6aa28ba774bfc8aba035f316695da261fb2ad291b76f00f177479f9d74434d06c26bd15f131edc9a2f55c9880758cf0987800d2031069738 redis.initd
6752e99df632b14d62a3266929e80c3d667be5c270e4f34e0dcf2b7f9b1754fe0ce9d4569fa413dbbe207e406ff2848a64e0c47629997536ae1d14ca84ebd56b redis.confd
e7a60a090df53eef05d58d73709f07536135a93efb34e48ad933e3859d3d1c0f476975a3232df18f57476bf7fc3b0548471e1c86445878457ac8507b3da71384 redis-sentinel.initd
bf2def2077a989047e9bfff8a7f754bcdf96e020fd4a470f8967ee1fca601e11f044cfb3742f00e932cc013e0d0b199045d78c8878a0e529715c9f77786d353f redis.logrotate
98cb809e2828e470c490225df15f8634ff6e604daea40bae49732d6dfb9822a57a0e23ae0f00ba31d9bf2e4fdbe3e07e82e7fbc9abcb4e8df2f4f6f0f8f7447f CVE-2024-31227.patch
0a40406526f4949a578931dc42978da9a56cf9754d64f12b5cfc1edd0f6ff876217930038bdcdd328b3ad582985a539f5624ae82106adc7ee5082e53f1521a3b CVE-2024-31228.patch
a320ab06edb88c7268f9c04218c13495b4862f82a90334d157b9d659b123ffff24e46f9cbcbcf139d0a66db3187d08f7dbc6cd20f55e9a0c634000016b61df4b CVE-2024-31449.patch
"
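Review bot: The second and third hunks drop CVE-2024-31227.patch, CVE-2024-31228.patch and CVE-2024-31449.patch from `source=` and `sha512sums`, yet nothing in the APKBUILD records why those fixes no longer need to be carried, while `# secfixes:` still credits 7.2.5-r1 with them. The linked 7.2.6 release notes presumably cover all three, but that is inferred rather than shown on this page. It is worth confirming against the 7.2.7 tarball, for example that `stringmatchlen_impl` in `src/util.c` takes the `nesting` argument, that `bit_tohex` has the `INT32_MIN` guard, and that `ACLSetSelector` checks `flags` before accepting `~`. If that holds, a one-line comment above `# secfixes:` such as `# CVE-2024-31227/-31228/-31449 patches dropped in 7.2.7-r0: fixed upstream since 7.2.6` would keep the reasoning with the package.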
From e035e7b763265abb32957a4c3298defbde75fcd4 Mon Sep 17 00:00:00 2001
From: Drew DeVault <sir@cmpwn.com>
Date: Mon, 16 Sep 2024 08:54:30 +0200
Subject: [PATCH 1/3] ACL: Fix parsing issue leading to denail of service
Fix for CVE-2024-31227
This patch was provided to us by Valkey, who received it from Redis Ltd.
> An authenticated user with sufficient privileges may create a
> malformed ACL selector which, when accessed, triggers a server panic
> and subsequent denial of service.
Fixes: https://codeberg.org/redict/redict/issues/54
Signed-off-by: Drew DeVault <sir@cmpwn.com>
---
src/acl.c | 2 +-
tests/unit/acl-v2.tcl | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/acl.c b/src/acl.c
index 768176e7e..6eb6c4bcf 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -1073,7 +1073,7 @@ int ACLSetSelector(aclSelector *selector, const char* op, size_t oplen) {
flags |= ACL_READ_PERMISSION;
} else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) {
flags |= ACL_WRITE_PERMISSION;
- } else if (op[offset] == '~') {
+ } else if (op[offset] == '~' && flags) {
offset++;
break;
} else {
diff --git a/tests/unit/acl-v2.tcl b/tests/unit/acl-v2.tcl
index 210fe93b5..3e6d88f6f 100644
--- a/tests/unit/acl-v2.tcl
+++ b/tests/unit/acl-v2.tcl
@@ -122,6 +122,11 @@ start_server {tags {"acl external:skip"}} {
assert_match "*NOPERM*key*" $err
}
+ test {Validate read and write permissions format} {
+ catch {r ACL SETUSER key-permission-RW %~} err
+ set err
+ } {ERR Error in ACL SETUSER modifier '%~': Syntax error}
+
test {Test separate read and write permissions on different selectors are not additive} {
r ACL SETUSER key-permission-RW-selector on nopass "(%R~read* +@all)" "(%W~write* +@all)"
$r2 auth key-permission-RW-selector password
--
2.46.0
From a8edd3f6ac286884d15c7228f1a33f8a950f5288 Mon Sep 17 00:00:00 2001
From: Drew DeVault <sir@cmpwn.com>
Date: Mon, 16 Sep 2024 09:08:35 +0200
Subject: [PATCH 3/3] Prevent unbounded recursive pattern matching
Fix for CVE-2024-31228
This patch was provided to us by Valkey, who received it from Redis Ltd.
> Authenticated users can trigger a denial-of-service by using specially
> crafted, long string match patterns on supported commands such as
> KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST and ACL
> definitions. Matching of extremely long patterns may result in
> unbounded recursion, leading to stack overflow and process crash.
Fixes https://codeberg.org/redict/redict/issues/56
Signed-off-by: Drew DeVault <sir@cmpwn.com>
---
src/util.c | 9 ++++++---
tests/unit/keyspace.tcl | 6 ++++++
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/util.c b/src/util.c
index eb6cd650c..942d9969f 100644
--- a/src/util.c
+++ b/src/util.c
@@ -33,8 +33,11 @@
/* Glob-style pattern matching. */
static int stringmatchlen_impl(const char *pattern, int patternLen,
- const char *string, int stringLen, int nocase, int *skipLongerMatches)
+ const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
{
+ /* Protection against abusive patterns. */
+ if (nesting > 1000) return 0;
+
while(patternLen && stringLen) {
switch(pattern[0]) {
case '*':
@@ -46,7 +49,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
return 1; /* match */
while(stringLen) {
if (stringmatchlen_impl(pattern+1, patternLen-1,
- string, stringLen, nocase, skipLongerMatches))
+ string, stringLen, nocase, skipLongerMatches, nesting+1))
return 1; /* match */
if (*skipLongerMatches)
return 0; /* no match */
@@ -168,7 +171,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
int stringmatchlen(const char *pattern, int patternLen,
const char *string, int stringLen, int nocase) {
int skipLongerMatches = 0;
- return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
+ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
}
int stringmatch(const char *pattern, const char *string, int nocase) {
diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
index 43690d0..4d7aca4 100644
--- a/tests/unit/keyspace.tcl
+++ b/tests/unit/keyspace.tcl
@@ -499,4 +499,10 @@ foreach {type large} [array get largevalue] {
r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
} {}
+
+ test {Regression for pattern matching very long nested loops} {
+ r flushdb
+ r SET [string repeat "a" 50000] 1
+ r KEYS [string repeat "*?" 50000]
+ } {}
}
--
2.46.0
From c09bc5df7977aef8dba59d6c44e971fe711a71a0 Mon Sep 17 00:00:00 2001
From: Drew DeVault <sir@cmpwn.com>
Date: Mon, 16 Sep 2024 09:06:20 +0200
Subject: [PATCH 2/3] Fix integer overflow bug in Lua bit_tohex
Fix for CVE-2024-31449
This patch was provided to us by Valkey, who received it from Redis Ltd.
> An authenticated user may use a specially crafted Lua script to
> trigger a stack buffer overflow in the bit library, which may
> potentially lead to remote code execution.
Fixes: https://codeberg.org/redict/redict/issues/55
Signed-off-by: Drew DeVault <sir@cmpwn.com>
---
deps/lua/src/lua_bit.c | 1 +
tests/unit/scripting.tcl | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
index 9f83b8594..7e43faea4 100644
--- a/deps/lua/src/lua_bit.c
+++ b/deps/lua/src/lua_bit.c
@@ -132,6 +132,7 @@ static int bit_tohex(lua_State *L)
const char *hexdigits = "0123456789abcdef";
char buf[8];
int i;
+ if (n == INT32_MIN) n = INT32_MIN+1;
if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
if (n > 8) n = 8;
for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
index 87a1e5656..0b4846908 100644
--- a/tests/unit/scripting.tcl
+++ b/tests/unit/scripting.tcl
@@ -699,6 +699,12 @@ start_server {tags {"scripting"}} {
set e
} {ERR *Attempt to modify a readonly table*}
+ test {lua bit.tohex bug} {
+ set res [run_script {return bit.tohex(65535, -2147483648)} 0]
+ r ping
+ set res
+ } {0000FFFF}
+
test {Test an example script DECR_IF_GT} {
set decr_if_gt {
local current
--
2.46.0