diff --git a/.abf.yml b/.abf.yml
index 170d7d3..74634e1 100644
--- a/.abf.yml
+++ b/.abf.yml
@@ -1,2 +1,2 @@
 sources:
- redis-6.2.1.tar.gz: d2355d978a112a1f40e9b2e3349ebe725a15ac53
+ redis-6.2.6.tar.gz: e9fb68dfcee194b438bd0af6e4cbc277a2a425e2
diff --git a/1ddecf1958924b178b76a31d989ef1e05af81964.patch b/1ddecf1958924b178b76a31d989ef1e05af81964.patch
deleted file mode 100644
index ea60983..0000000
--- a/1ddecf1958924b178b76a31d989ef1e05af81964.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 1ddecf1958924b178b76a31d989ef1e05af81964 Mon Sep 17 00:00:00 2001
-From: Oran Agra
-Date: Tue, 1 Jun 2021 09:12:45 +0300
-Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-32625) (#9011)
-
-An integer overflow bug in Redis version 6.0 or newer can be exploited using the
-STRALGO LCS command to corrupt the heap and potentially result with remote code
-execution. This is a result of an incomplete fix by CVE-2021-29477.
----
- src/t_string.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/src/t_string.c b/src/t_string.c
-index 99843c863d42..ef1a147e01f2 100644
---- a/src/t_string.c
-+++ b/src/t_string.c
-@@ -800,6 +800,12 @@ void stralgoLCS(client *c) {
- goto cleanup;
- }
-
-+ /* Detect string truncation or later overflows. */
-+ if (sdslen(a) >= UINT32_MAX-1 || sdslen(b) >= UINT32_MAX-1) {
-+ addReplyError(c, "String too long for LCS");
-+ goto cleanup;
-+ }
-+
- /* Compute the LCS using the vanilla dynamic programming technique of
- * building a table of LCS(x,y) substrings. */
- uint32_t alen = sdslen(a);
-@@ -808,9 +814,19 @@ void stralgoLCS(client *c) {
- /* Setup an uint32_t array to store at LCS[i,j] the length of the
- * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
- * we index it as LCS[j+(blen+1)*j] */
-- uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
- #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
-
-+ /* Try to allocate the LCS table, and abort on overflow or insufficient memory. */
-+ unsigned long long lcssize = (unsigned long long)(alen+1)*(blen+1); /* Can't overflow due to the size limits above. */
-+ unsigned long long lcsalloc = lcssize * sizeof(uint32_t);
-+ uint32_t *lcs = NULL;
-+ if (lcsalloc < SIZE_MAX && lcsalloc / lcssize == sizeof(uint32_t))
-+ lcs = ztrymalloc(lcsalloc);
-+ if (!lcs) {
-+ addReplyError(c, "Insufficient memory");
-+ goto cleanup;
-+ }
-+
- /* Start building the LCS table. */
- for (uint32_t i = 0; i <= alen; i++) {
- for (uint32_t j = 0; j <= blen; j++) {
diff --git a/29900d4e6bccdf3691bedf0ea9a5d84863fa3592.patch b/29900d4e6bccdf3691bedf0ea9a5d84863fa3592.patch
deleted file mode 100644
index 92faedc..0000000
--- a/29900d4e6bccdf3691bedf0ea9a5d84863fa3592.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 29900d4e6bccdf3691bedf0ea9a5d84863fa3592 Mon Sep 17 00:00:00 2001
-From: Oran Agra
-Date: Mon, 3 May 2021 08:27:22 +0300
-Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478)
-
-An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
-potentially result with remote code execution.
-
-The vulnerability involves changing the default set-max-intset-entries
-configuration value, creating a large set key that consists of integer values
-and using the COPY command to duplicate it.
-
-The integer overflow bug exists in all versions of Redis starting with 2.6,
-where it could result with a corrupted RDB or DUMP payload, but not exploited
-through COPY (which did not exist before 6.2).
-
-diff --git a/src/intset.c b/src/intset.c
-index 74de87a..4c34f65 100644
---- a/src/intset.c
-+++ b/src/intset.c
-@@ -281,7 +281,7 @@ uint32_t intsetLen(const intset *is) {
-
- /* Return intset blob size in bytes. */
- size_t intsetBlobLen(intset *is) {
-- return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
-+ return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
- }
-
- /* Validate the integrity of the data stracture.
diff --git a/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9.patch b/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9.patch
deleted file mode 100644
index f56885b..0000000
--- a/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
-From: Oran Agra
-Date: Mon, 3 May 2021 08:32:31 +0300
-Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
-
-An integer overflow bug in Redis version 6.0 or newer could be exploited using
-the STRALGO LCS command to corrupt the heap and potentially result with remote
-code execution.
----
- src/t_string.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/t_string.c b/src/t_string.c
-index 9228c5ed0408..db6f7042e5d2 100644
---- a/src/t_string.c
-+++ b/src/t_string.c
-@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
- /* Setup an uint32_t array to store at LCS[i,j] the length of the
- * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
- * we index it as LCS[j+(blen+1)*j] */
-- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
-+ uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
- #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
-
- /* Start building the LCS table. */
diff --git a/redis.spec b/redis.spec
index 40986d0..a06275c 100644
--- a/redis.spec
+++ b/redis.spec
@@ -1,18 +1,12 @@
 Name: redis
-Version: 6.2.1
-Release: 4
+Version: 6.2.6
+Release: 1
 Summary: A persistent key-value database
 Group: Databases
 License: BSD
 URL: http://redis.io/
 Patch0: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
 Patch1: 0001-redis-4.0.8-workaround-make-deadlock.patch
-# CVE-2021-29477
-Patch3: f0c5f920d0f88bd8aa376a2c05af4902789d1ef9.patch
-# CVE-2021-29478
-Patch4: 29900d4e6bccdf3691bedf0ea9a5d84863fa3592.patch
-# CVE-2021-32625
-Patch5: 1ddecf1958924b178b76a31d989ef1e05af81964.patch
 Source0: http://download.redis.io/releases/%{name}-%{version}.tar.gz
 Source1: redis-limit-systemd
 Source2: redis-sentinel.service
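Review bot: The `Patch3`–`Patch5` declarations are removed in the redis.spec hunk, but the matching `%prep` section is not visible here; if the spec applies patches by number (`%patch3 -p1` and so on) rather than through `%autosetup`/`%autopatch`, those lines must be dropped in the same commit. Because the three removed patches carry the fixes for CVE-2021-29477, CVE-2021-29478 and CVE-2021-32625, it is worth confirming against the unpacked 6.2.6 tarball that `stralgoLCS` in `src/t_string.c` has the `UINT32_MAX-1` length guard and that `intsetBlobLen` in `src/intset.c` has the `(size_t)` cast; the patch dates (May–June 2021) suggest they are upstream, but that is inferred. Separately, the unchanged `Source0` line still fetches over plain `http://`, so tarball integrity rests entirely on the 40-hex-digit (SHA-1-length) pin in `.abf.yml`; switching to `Source0: https://download.redis.io/releases/%{name}-%{version}.tar.gz` would be cheap hardening.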