import redis-6.0.9-3.module+el8.4.0+10984+ed187465

2021-05-19 03:14:59 -04:00 · 2021-05-19 03:14:59 -04:00 · 3690af4c88
parent 530799fc58
commit 3690af4c88
2 changed files with 34 additions and 1 deletions
--- a/SOURCES/redis-CVE-2021-26477.patch
+++ b/SOURCES/redis-CVE-2021-26477.patch
@ -0,0 +1,27 @@
+From 394614a5f91d88380f480c4610926a865b5b0f16 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 3 May 2021 08:32:31 +0300
+Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
+
+An integer overflow bug in Redis version 6.0 or newer could be exploited using
+the STRALGO LCS command to corrupt the heap and potentially result with remote
+code execution.
+
+(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)
+---
+ src/t_string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/t_string.c b/src/t_string.c
+index 4886f7e44388..5310a297db16 100644
+--- a/src/t_string.c
+++ b/src/t_string.c
+@@ -576,7 +576,7 @@ void stralgoLCS(client *c) {
+     /* Setup an uint32_t array to store at LCS[i,j] the length of the
+      * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
+      * we index it as LCS[j+(blen+1)*j] */
+-    uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
+    uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
+     #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
+ 
+     /* Start building the LCS table. */
--- a/SPECS/redis.spec
+++ b/SPECS/redis.spec
@ -20,7 +20,7 @@

 Name:              redis
 Version:           6.0.9
-Release:           2%{?dist}
+Release:           3%{?dist}
 Summary:           A persistent key-value database
 # redis, jemalloc, linenoise, lzf, hiredis are BSD
 # lua is MIT
@ -52,6 +52,7 @@ Patch0002:         0002-install-redis-check-rdb-as-a-symlink-instead-of-dupl.pat
 Patch0003:         redis-config.patch

 # Security patches
+Patch100:          redis-CVE-2021-26477.patch

 BuildRequires:     gcc
 %if %{with tests}
@ -136,6 +137,7 @@ mv ../%{name}-doc-%{doc_commit} doc
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
+%patch100  -p1 -b .cve29477

 mv deps/lua/COPYRIGHT    COPYRIGHT-lua
 mv deps/jemalloc/COPYING COPYING-jemalloc
@ -284,6 +286,10 @@ exit 0


 %changelog
+* Wed May 12 2021 Remi Collet <rcollet@redhat.com> - 6.0.9-3
+- fix integer overflow via STRALGO LCS command
+  CVE-2021-29477
+
 * Tue Nov 24 2020 Remi Collet <rcollet@redhat.com> - 6.0.9-2
 - revert "simplify config rewrite file" and keep
  configuration in /etc