Heap Buffer Overflow may lead to potential remote code execution CVE-2023-41056

.redis.metadata

@@ -0,0 +1,2 @@
+cd8190d9289d46be2b3a30dda14ffba8a92abbc8 redis-7.0.12.tar.gz
+b2c7f2bee8e40fc6bd5385c25429fa537e2751c5 redis-doc-c7880ba.tar.gz

redis-CVE-2023-41056.patch

@@ -0,0 +1,54 @@
+From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Sun, 7 Jan 2024 12:32:44 +0200
+Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
+
+#11766 introduced a bug in sdsResize where it could forget to update
+the sds type in the sds header and then cause an overflow in sdsalloc.
+it looks like the only implication of that is a possible assertion in HLL,
+but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
+---
+ src/sds.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/src/sds.c b/src/sds.c
+index 8e5863a3ab8e..71490d5b2522 100644
+--- a/src/sds.c
++++ b/src/sds.c
+@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
+      * type. */
+     int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
+     size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
+-    int alloc_already_optimal = 0;
+-    #if defined(USE_JEMALLOC)
+-        /* je_nallocx returns the expected allocation size for the newlen.
+-         * We aim to avoid calling realloc() when using Jemalloc if there is no
+-         * change in the allocation size, as it incurs a cost even if the
+-         * allocation size stays the same. */
+-        alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
+-    #endif
+-
+-    if (use_realloc && !alloc_already_optimal) {
+-        newsh = s_realloc(sh, newlen);
+-        if (newsh == NULL) return NULL;
+-        s = (char*)newsh+oldhdrlen;
+-    } else if (!alloc_already_optimal) {
++
++    if (use_realloc) {
++        int alloc_already_optimal = 0;
++        #if defined(USE_JEMALLOC)
++            /* je_nallocx returns the expected allocation size for the newlen.
++             * We aim to avoid calling realloc() when using Jemalloc if there is no
++             * change in the allocation size, as it incurs a cost even if the
++             * allocation size stays the same. */
++            alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
++        #endif
++        if (!alloc_already_optimal) {
++            newsh = s_realloc(sh, newlen);
++            if (newsh == NULL) return NULL;
++            s = (char*)newsh+oldhdrlen;
++        }
++    } else {
+         newsh = s_malloc(newlen);
+         if (newsh == NULL) return NULL;
+         memcpy((char*)newsh+hdrlen, s, len);

redis.spec

@@ -23,7 +23,7 @@
 
 Name:              redis
 Version:           7.0.12
-Release:           1%{?dist}
+Release:           2%{?dist}
 Summary:           A persistent key-value database
 # redis, hiredis: BSD-3-Clause
 # hdrhistogram, jemalloc, lzf, linenoise: BSD-2-Clause
@@ -48,6 +48,9 @@ Source10:          https://github.com/%{name}/%{name}-doc/archive/%{doc_commit}/
 Patch0001:         0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
 Patch0002:         0002-deps-jemalloc-Do-not-force-building-in-gnu99-mode.patch
 
+# Security patches
+Patch100:          redis-CVE-2023-41056.patch
+
 BuildRequires: make
 BuildRequires:     gcc
 %if %{with tests}
@@ -134,6 +137,7 @@ administration and development.
 mv ../%{name}-doc-%{doc_commit} doc
 %patch -P0001 -p1
 %patch -P0002 -p1
+%patch -P100  -p1
 
 mv deps/lua/COPYRIGHT    COPYRIGHT-lua
 mv deps/jemalloc/COPYING COPYING-jemalloc
@@ -302,6 +306,10 @@ fi
 
 
 %changelog
+* Tue Feb  6 2024 Remi Collet <rcollet@redhat.com> - 7.0.12-2
+- Heap Buffer Overflow may lead to potential remote code execution
+  CVE-2023-41056
+
 * Tue Jul 11 2023 Remi Collet <rcollet@redhat.com> - 7.0.12-1
 - rebase to 7.0.12 #2221899