diff --git a/SOURCES/redis-CVE-2023-41056.patch b/SOURCES/redis-CVE-2023-41056.patch
new file mode 100644
index 0000000..a8cc6a4
--- /dev/null
+++ b/SOURCES/redis-CVE-2023-41056.patch
@@ -0,0 +1,54 @@
+From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
+From: Oran Agra
+Date: Sun, 7 Jan 2024 12:32:44 +0200
+Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
+
+#11766 introduced a bug in sdsResize where it could forget to update
+the sds type in the sds header and then cause an overflow in sdsalloc.
+it looks like the only implication of that is a possible assertion in HLL,
+but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
+---
+ src/sds.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/src/sds.c b/src/sds.c
+index 8e5863a3ab8e..71490d5b2522 100644
+--- a/src/sds.c
++++ b/src/sds.c
+@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
+ * type. */
+ int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
+ size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
+- int alloc_already_optimal = 0;
+- #if defined(USE_JEMALLOC)
+- /* je_nallocx returns the expected allocation size for the newlen.
+- * We aim to avoid calling realloc() when using Jemalloc if there is no
+- * change in the allocation size, as it incurs a cost even if the
+- * allocation size stays the same. */
+- alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
+- #endif
+-
+- if (use_realloc && !alloc_already_optimal) {
+- newsh = s_realloc(sh, newlen);
+- if (newsh == NULL) return NULL;
+- s = (char*)newsh+oldhdrlen;
+- } else if (!alloc_already_optimal) {
++
++ if (use_realloc) {
++ int alloc_already_optimal = 0;
++ #if defined(USE_JEMALLOC)
++ /* je_nallocx returns the expected allocation size for the newlen.
++ * We aim to avoid calling realloc() when using Jemalloc if there is no
++ * change in the allocation size, as it incurs a cost even if the
++ * allocation size stays the same.
*/
++ alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
++ #endif
++ if (!alloc_already_optimal) {
++ newsh = s_realloc(sh, newlen);
++ if (newsh == NULL) return NULL;
++ s = (char*)newsh+oldhdrlen;
++ }
++ } else {
+ newsh = s_malloc(newlen);
+ if (newsh == NULL) return NULL;
+ memcpy((char*)newsh+hdrlen, s, len);
diff --git a/SPECS/redis.spec b/SPECS/redis.spec
index 26d37b8..63bef2b 100644
--- a/SPECS/redis.spec
+++ b/SPECS/redis.spec
@@ -23,7 +23,7 @@ Name: redis
 Version: 7.0.12
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A persistent key-value database
 # redis, hiredis: BSD-3-Clause
 # hdrhistogram, jemalloc, lzf, linenoise: BSD-2-Clause
@@ -48,6 +48,9 @@ Source10: https://github.com/%{name}/%{name}-doc/archive/%{doc_commit}/
 Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
 Patch0002: 0002-deps-jemalloc-Do-not-force-building-in-gnu99-mode.patch
+# Security patches
+Patch100: redis-CVE-2023-41056.patch
+
 BuildRequires: make
 BuildRequires: gcc
 %if %{with tests}
@@ -134,6 +137,7 @@ administration and development.
 mv ../%{name}-doc-%{doc_commit} doc
 %patch -P0001 -p1
 %patch -P0002 -p1
+%patch -P100 -p1
 mv deps/lua/COPYRIGHT COPYRIGHT-lua
 mv deps/jemalloc/COPYING COPYING-jemalloc
@@ -302,6 +306,10 @@ fi
 %changelog
+* Tue Feb 6 2024 Remi Collet - 7.0.12-2
+- Heap Buffer Overflow may lead to potential remote code execution
+ CVE-2023-41056
+
 * Tue Jul 11 2023 Remi Collet - 7.0.12-1
 - rebase to 7.0.12 #2221899
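Review bot: The sds.c hunk carried in this patch stops three context lines into the `else` branch of `sdsResize`, so the code that must set the new header type after the `s_malloc` copy is not visible here and is taken on trust from whatever 7.0.12's own tail of the function contains; the patch was cut from upstream commit e351099e1119fb89496be578f5232c61ce300224 (blob 8e5863a3ab8e..71490d5b2522), so I would diff 7.0.12's `sdsResize` against that commit's parent before relying on it, rather than trusting that the three trailing context lines anchor it correctly (rpm's build macros presumably keep patch fuzz at 0, which would at least make context drift a hard build failure). The behavioural change itself is narrow: `alloc_already_optimal` now only short-circuits the `s_realloc` path inside `if (use_realloc)`, whereas the removed `} else if (!alloc_already_optimal) {` could skip the malloc path altogether when jemalloc reported an unchanged usable size, leaving the previous type byte in the header. The patch file also ends at the `memcpy` context line, i.e. the `-- ` signature trailer that git format-patch emits has been trimmed, which is harmless for `%patch` but worth knowing if anyone tries to `git am` it.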
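Review bot: `# Security patches` above the new `Patch100:` line gives a future maintainer nothing to trace when 7.0.12 is rebased and the patch has to be re-evaluated; since the patch file already carries the upstream commit id, name it here, e.g. `# CVE-2023-41056: sdsResize header-type fix, upstream commit e351099e1119fb89496be578f5232c61ce300224`. The `-p1` strip level in the later `%patch -P100 -p1` hunk matches the `a/src/sds.c` paths inside the patch and follows the existing `%patch -P0001`/`-P0002` lines, so the application itself looks consistent.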