import redis-5.0.3-2.module+el8.0.0.z+3657+acb471dc
This commit is contained in:
parent
941e4c10ea
commit
124a8aa736
117
SOURCES/php-CVE-2019-10192.patch
Normal file
117
SOURCES/php-CVE-2019-10192.patch
Normal file
@ -0,0 +1,117 @@
|
||||
From 9f13b2bd4967334b1701c6eccdf53760cb13f79e Mon Sep 17 00:00:00 2001
|
||||
From: John Sully <john@csquare.ca>
|
||||
Date: Thu, 14 Mar 2019 14:02:16 -0400
|
||||
Subject: [PATCH] Fix hyperloglog corruption
|
||||
|
||||
---
|
||||
src/hyperloglog.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/hyperloglog.c b/src/hyperloglog.c
|
||||
index fc21ea0065d..e993bf26e1d 100644
|
||||
--- a/src/hyperloglog.c
|
||||
+++ b/src/hyperloglog.c
|
||||
@@ -614,6 +614,10 @@ int hllSparseToDense(robj *o) {
|
||||
} else {
|
||||
runlen = HLL_SPARSE_VAL_LEN(p);
|
||||
regval = HLL_SPARSE_VAL_VALUE(p);
|
||||
+ if ((runlen + idx) > HLL_REGISTERS) {
|
||||
+ sdsfree(dense);
|
||||
+ return C_ERR;
|
||||
+ }
|
||||
while(runlen--) {
|
||||
HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
|
||||
idx++;
|
||||
@@ -1088,6 +1092,8 @@ int hllMerge(uint8_t *max, robj *hll) {
|
||||
} else {
|
||||
runlen = HLL_SPARSE_VAL_LEN(p);
|
||||
regval = HLL_SPARSE_VAL_VALUE(p);
|
||||
+ if ((runlen + i) > HLL_REGISTERS)
|
||||
+ return C_ERR;
|
||||
while(runlen--) {
|
||||
if (regval > max[i]) max[i] = regval;
|
||||
i++;
|
||||
From e216ceaf0e099536fe3658a29dcb725d812364e0 Mon Sep 17 00:00:00 2001
|
||||
From: antirez <antirez@gmail.com>
|
||||
Date: Fri, 15 Mar 2019 17:16:06 +0100
|
||||
Subject: [PATCH] HyperLogLog: handle wrong offset in the base case.
|
||||
|
||||
---
|
||||
src/hyperloglog.c | 8 ++------
|
||||
1 file changed, 2 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/hyperloglog.c b/src/hyperloglog.c
|
||||
index 526510b43b9..1e7ce3dceb7 100644
|
||||
--- a/src/hyperloglog.c
|
||||
+++ b/src/hyperloglog.c
|
||||
@@ -614,10 +614,7 @@ int hllSparseToDense(robj *o) {
|
||||
} else {
|
||||
runlen = HLL_SPARSE_VAL_LEN(p);
|
||||
regval = HLL_SPARSE_VAL_VALUE(p);
|
||||
- if ((runlen + idx) > HLL_REGISTERS) {
|
||||
- sdsfree(dense);
|
||||
- return C_ERR;
|
||||
- }
|
||||
+ if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */
|
||||
while(runlen--) {
|
||||
HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
|
||||
idx++;
|
||||
@@ -1097,8 +1094,7 @@ int hllMerge(uint8_t *max, robj *hll) {
|
||||
} else {
|
||||
runlen = HLL_SPARSE_VAL_LEN(p);
|
||||
regval = HLL_SPARSE_VAL_VALUE(p);
|
||||
- if ((runlen + i) > HLL_REGISTERS)
|
||||
- return C_ERR;
|
||||
+ if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. */
|
||||
while(runlen--) {
|
||||
if (regval > max[i]) max[i] = regval;
|
||||
i++;
|
||||
From 4208666797b5831eefc022ae46ab5747200cd671 Mon Sep 17 00:00:00 2001
|
||||
From: antirez <antirez@gmail.com>
|
||||
Date: Fri, 15 Mar 2019 13:52:29 +0100
|
||||
Subject: [PATCH] HyperLogLog: dense/sparse repr parsing fuzz test.
|
||||
|
||||
---
|
||||
tests/unit/hyperloglog.tcl | 29 +++++++++++++++++++++++++++++
|
||||
1 file changed, 29 insertions(+)
|
||||
|
||||
diff --git a/tests/unit/hyperloglog.tcl b/tests/unit/hyperloglog.tcl
|
||||
index 7d36b7a351f..6a9c47b11c5 100644
|
||||
--- a/tests/unit/hyperloglog.tcl
|
||||
+++ b/tests/unit/hyperloglog.tcl
|
||||
@@ -115,6 +115,35 @@ start_server {tags {"hll"}} {
|
||||
set e
|
||||
} {*WRONGTYPE*}
|
||||
|
||||
+ test {Fuzzing dense/sparse encoding: Redis should always detect errors} {
|
||||
+ for {set j 0} {$j < 10000} {incr j} {
|
||||
+ r del hll
|
||||
+ set items {}
|
||||
+ set numitems [randomInt 3000]
|
||||
+ for {set i 0} {$i < $numitems} {incr i} {
|
||||
+ lappend items [expr {rand()}]
|
||||
+ }
|
||||
+ r pfadd hll {*}$items
|
||||
+
|
||||
+ # Corrupt it in some random way.
|
||||
+ for {set i 0} {$i < 5} {incr i} {
|
||||
+ set len [r strlen hll]
|
||||
+ set pos [randomInt $len]
|
||||
+ set byte [randstring 1 1 binary]
|
||||
+ r setrange hll $pos $byte
|
||||
+ # Don't modify more bytes 50% of times
|
||||
+ if {rand() < 0.5} break
|
||||
+ }
|
||||
+
|
||||
+ # Use the hyperloglog to check if it crashes
|
||||
+ # Redis in some way.
|
||||
+ catch {
|
||||
+ r pfcount hll
|
||||
+ r pfdebug getreg hll
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
test {PFADD, PFCOUNT, PFMERGE type checking works} {
|
||||
r set foo bar
|
||||
catch {r pfadd foo 1} e
|
27
SOURCES/php-CVE-2019-10193.patch
Normal file
27
SOURCES/php-CVE-2019-10193.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From a4b90be9fcd5e1668ac941cabce3b1ab38dbe326 Mon Sep 17 00:00:00 2001
|
||||
From: antirez <antirez@gmail.com>
|
||||
Date: Fri, 15 Mar 2019 17:10:16 +0100
|
||||
Subject: [PATCH] HyperLogLog: enlarge reghisto variable for safety.
|
||||
|
||||
---
|
||||
src/hyperloglog.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/hyperloglog.c b/src/hyperloglog.c
|
||||
index e993bf26e1d..526510b43b9 100644
|
||||
--- a/src/hyperloglog.c
|
||||
+++ b/src/hyperloglog.c
|
||||
@@ -1017,7 +1017,12 @@ uint64_t hllCount(struct hllhdr *hdr, int *invalid) {
|
||||
double m = HLL_REGISTERS;
|
||||
double E;
|
||||
int j;
|
||||
- int reghisto[HLL_Q+2] = {0};
|
||||
+ /* Note that reghisto could be just HLL_Q+1, becuase this is the
|
||||
+ * maximum frequency of the "000...1" sequence the hash function is
|
||||
+ * able to return. However it is slow to check for sanity of the
|
||||
+ * input: instead we history array at a safe size: overflows will
|
||||
+ * just write data to wrong, but correctly allocated, places. */
|
||||
+ int reghisto[64] = {0};
|
||||
|
||||
/* Compute register histogram */
|
||||
if (hdr->encoding == HLL_DENSE) {
|
@ -20,7 +20,7 @@
|
||||
|
||||
Name: redis
|
||||
Version: 5.0.3
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: A persistent key-value database
|
||||
# redis, jemalloc, linenoise, lzf, hiredis are BSD
|
||||
# lua is MIT
|
||||
@ -48,6 +48,11 @@ Source10: https://github.com/antirez/%{name}-doc/archive/%{doc_commit}/
|
||||
Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
|
||||
# https://github.com/antirez/redis/pull/3494 - symlink
|
||||
Patch0002: 0002-install-redis-check-rdb-as-a-symlink-instead-of-dupl.patch
|
||||
|
||||
# Security patches
|
||||
Patch100: php-CVE-2019-10192.patch
|
||||
Patch101: php-CVE-2019-10193.patch
|
||||
|
||||
%if 0%{?with_tests}
|
||||
BuildRequires: procps-ng
|
||||
BuildRequires: tcl
|
||||
@ -124,6 +129,9 @@ mv ../%{name}-doc-%{doc_commit} doc
|
||||
%patch0001 -p1
|
||||
%patch0002 -p1
|
||||
|
||||
%patch100 -p1 -b .cve-2019-10192
|
||||
%patch101 -p1 -b .cve-2019-10193
|
||||
|
||||
mv deps/lua/COPYRIGHT COPYRIGHT-lua
|
||||
mv deps/jemalloc/COPYING COPYING-jemalloc
|
||||
mv deps/hiredis/COPYING COPYING-hiredis
|
||||
@ -268,6 +276,12 @@ exit 0
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Jul 11 2019 Remi Collet <rcollet@redhat.com> - 5.0.3-2
|
||||
- fix Heap buffer overflow in HyperLogLog triggered by malicious client
|
||||
CVE-2019-10192
|
||||
- fix Stack buffer overflow in HyperLogLog triggered by malicious client
|
||||
CVE-2019-10193
|
||||
|
||||
* Thu Dec 13 2018 Remi Collet <rcollet@redhat.com> - 5.0.3-1
|
||||
- update to 5.0.3
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user