upd: 6.2.1 -> 6.2.6

.abf.yml

@@ -1,2 +1,2 @@
 sources:
-  redis-6.2.1.tar.gz: d2355d978a112a1f40e9b2e3349ebe725a15ac53
+  redis-6.2.6.tar.gz: e9fb68dfcee194b438bd0af6e4cbc277a2a425e2

1ddecf1958924b178b76a31d989ef1e05af81964.patch

@@ -1,50 +0,0 @@
-From 1ddecf1958924b178b76a31d989ef1e05af81964 Mon Sep 17 00:00:00 2001
-From: Oran Agra <oran@redislabs.com>
-Date: Tue, 1 Jun 2021 09:12:45 +0300
-Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-32625) (#9011)
-
-An integer overflow bug in Redis version 6.0 or newer can be exploited using the
-STRALGO LCS command to corrupt the heap and potentially result with remote code
-execution. This is a result of an incomplete fix by CVE-2021-29477.
----
- src/t_string.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/src/t_string.c b/src/t_string.c
-index 99843c863d42..ef1a147e01f2 100644
---- a/src/t_string.c
-+++ b/src/t_string.c
-@@ -800,6 +800,12 @@ void stralgoLCS(client *c) {
-         goto cleanup;
-     }
- 
-+    /* Detect string truncation or later overflows. */
-+    if (sdslen(a) >= UINT32_MAX-1 || sdslen(b) >= UINT32_MAX-1) {
-+        addReplyError(c, "String too long for LCS");
-+        goto cleanup;
-+    }
-+
-     /* Compute the LCS using the vanilla dynamic programming technique of
-      * building a table of LCS(x,y) substrings. */
-     uint32_t alen = sdslen(a);
-@@ -808,9 +814,19 @@ void stralgoLCS(client *c) {
-     /* Setup an uint32_t array to store at LCS[i,j] the length of the
-      * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
-      * we index it as LCS[j+(blen+1)*j] */
--    uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
-     #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
- 
-+    /* Try to allocate the LCS table, and abort on overflow or insufficient memory. */
-+    unsigned long long lcssize = (unsigned long long)(alen+1)*(blen+1); /* Can't overflow due to the size limits above. */
-+    unsigned long long lcsalloc = lcssize * sizeof(uint32_t);
-+    uint32_t *lcs = NULL;
-+    if (lcsalloc < SIZE_MAX && lcsalloc / lcssize == sizeof(uint32_t))
-+        lcs = ztrymalloc(lcsalloc);
-+    if (!lcs) {
-+        addReplyError(c, "Insufficient memory");
-+        goto cleanup;
-+    }
-+
-     /* Start building the LCS table. */
-     for (uint32_t i = 0; i <= alen; i++) {
-         for (uint32_t j = 0; j <= blen; j++) {

29900d4e6bccdf3691bedf0ea9a5d84863fa3592.patch

@@ -1,29 +0,0 @@
-From 29900d4e6bccdf3691bedf0ea9a5d84863fa3592 Mon Sep 17 00:00:00 2001
-From: Oran Agra <oran@redislabs.com>
-Date: Mon, 3 May 2021 08:27:22 +0300
-Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478)
-
-An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
-potentially result with remote code execution.
-
-The vulnerability involves changing the default set-max-intset-entries
-configuration value, creating a large set key that consists of integer values
-and using the COPY command to duplicate it.
-
-The integer overflow bug exists in all versions of Redis starting with 2.6,
-where it could result with a corrupted RDB or DUMP payload, but not exploited
-through COPY (which did not exist before 6.2).
-
-diff --git a/src/intset.c b/src/intset.c
-index 74de87a..4c34f65 100644
---- a/src/intset.c
-+++ b/src/intset.c
-@@ -281,7 +281,7 @@ uint32_t intsetLen(const intset *is) {
- 
- /* Return intset blob size in bytes. */
- size_t intsetBlobLen(intset *is) {
--    return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
-+    return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
- }
- 
- /* Validate the integrity of the data stracture.

f0c5f920d0f88bd8aa376a2c05af4902789d1ef9.patch

@@ -1,25 +0,0 @@
-From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
-From: Oran Agra <oran@redislabs.com>
-Date: Mon, 3 May 2021 08:32:31 +0300
-Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
-
-An integer overflow bug in Redis version 6.0 or newer could be exploited using
-the STRALGO LCS command to corrupt the heap and potentially result with remote
-code execution.
----
- src/t_string.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/t_string.c b/src/t_string.c
-index 9228c5ed0408..db6f7042e5d2 100644
---- a/src/t_string.c
-+++ b/src/t_string.c
-@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
-     /* Setup an uint32_t array to store at LCS[i,j] the length of the
-      * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
-      * we index it as LCS[j+(blen+1)*j] */
--    uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
-+    uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
-     #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
- 
-     /* Start building the LCS table. */

redis.spec

@@ -1,18 +1,12 @@
 Name:		redis
-Version:	6.2.1
+Version:	6.2.6
-Release:	4
+Release:	1
 Summary:	A persistent key-value database
 Group:		Databases
 License:	BSD
 URL:		http://redis.io/
 Patch0:		0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
 Patch1:		0001-redis-4.0.8-workaround-make-deadlock.patch
-# CVE-2021-29477
-Patch3:		f0c5f920d0f88bd8aa376a2c05af4902789d1ef9.patch
-# CVE-2021-29478
-Patch4:		29900d4e6bccdf3691bedf0ea9a5d84863fa3592.patch
-# CVE-2021-32625
-Patch5:		1ddecf1958924b178b76a31d989ef1e05af81964.patch
 Source0:	http://download.redis.io/releases/%{name}-%{version}.tar.gz
 Source1:	redis-limit-systemd
 Source2:	redis-sentinel.service