Compare commits
2 Commits
498872976e
...
2a4788513d
Author | SHA1 | Date |
---|---|---|
Remi Collet | 2a4788513d | |
Remi Collet | 38c05066d1 |
|
@ -1,3 +1,4 @@
|
|||
redis-6.2*.gz
|
||||
/redis-7.0.11.tar.gz
|
||||
/redis-doc-c7880ba.tar.gz
|
||||
/redis-7.0.12.tar.gz
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
cd8190d9289d46be2b3a30dda14ffba8a92abbc8 redis-7.0.12.tar.gz
|
||||
b2c7f2bee8e40fc6bd5385c25429fa537e2751c5 redis-doc-c7880ba.tar.gz
|
|
@ -0,0 +1,54 @@
|
|||
From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
|
||||
From: Oran Agra <oran@redislabs.com>
|
||||
Date: Sun, 7 Jan 2024 12:32:44 +0200
|
||||
Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
|
||||
|
||||
#11766 introduced a bug in sdsResize where it could forget to update
|
||||
the sds type in the sds header and then cause an overflow in sdsalloc.
|
||||
it looks like the only implication of that is a possible assertion in HLL,
|
||||
but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
|
||||
---
|
||||
src/sds.c | 30 ++++++++++++++++--------------
|
||||
1 file changed, 16 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/sds.c b/src/sds.c
|
||||
index 8e5863a3ab8e..71490d5b2522 100644
|
||||
--- a/src/sds.c
|
||||
+++ b/src/sds.c
|
||||
@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
|
||||
* type. */
|
||||
int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
|
||||
size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
|
||||
- int alloc_already_optimal = 0;
|
||||
- #if defined(USE_JEMALLOC)
|
||||
- /* je_nallocx returns the expected allocation size for the newlen.
|
||||
- * We aim to avoid calling realloc() when using Jemalloc if there is no
|
||||
- * change in the allocation size, as it incurs a cost even if the
|
||||
- * allocation size stays the same. */
|
||||
- alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
|
||||
- #endif
|
||||
-
|
||||
- if (use_realloc && !alloc_already_optimal) {
|
||||
- newsh = s_realloc(sh, newlen);
|
||||
- if (newsh == NULL) return NULL;
|
||||
- s = (char*)newsh+oldhdrlen;
|
||||
- } else if (!alloc_already_optimal) {
|
||||
+
|
||||
+ if (use_realloc) {
|
||||
+ int alloc_already_optimal = 0;
|
||||
+ #if defined(USE_JEMALLOC)
|
||||
+ /* je_nallocx returns the expected allocation size for the newlen.
|
||||
+ * We aim to avoid calling realloc() when using Jemalloc if there is no
|
||||
+ * change in the allocation size, as it incurs a cost even if the
|
||||
+ * allocation size stays the same. */
|
||||
+ alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
|
||||
+ #endif
|
||||
+ if (!alloc_already_optimal) {
|
||||
+ newsh = s_realloc(sh, newlen);
|
||||
+ if (newsh == NULL) return NULL;
|
||||
+ s = (char*)newsh+oldhdrlen;
|
||||
+ }
|
||||
+ } else {
|
||||
newsh = s_malloc(newlen);
|
||||
if (newsh == NULL) return NULL;
|
||||
memcpy((char*)newsh+hdrlen, s, len);
|
15
redis.spec
15
redis.spec
|
@ -22,8 +22,8 @@
|
|||
%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
|
||||
|
||||
Name: redis
|
||||
Version: 7.0.11
|
||||
Release: 1%{?dist}
|
||||
Version: 7.0.12
|
||||
Release: 2%{?dist}
|
||||
Summary: A persistent key-value database
|
||||
# redis, hiredis: BSD-3-Clause
|
||||
# hdrhistogram, jemalloc, lzf, linenoise: BSD-2-Clause
|
||||
|
@ -48,6 +48,9 @@ Source10: https://github.com/%{name}/%{name}-doc/archive/%{doc_commit}/
|
|||
Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
|
||||
Patch0002: 0002-deps-jemalloc-Do-not-force-building-in-gnu99-mode.patch
|
||||
|
||||
# Security patches
|
||||
Patch100: redis-CVE-2023-41056.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
%if %{with tests}
|
||||
|
@ -134,6 +137,7 @@ administration and development.
|
|||
mv ../%{name}-doc-%{doc_commit} doc
|
||||
%patch -P0001 -p1
|
||||
%patch -P0002 -p1
|
||||
%patch -P100 -p1
|
||||
|
||||
mv deps/lua/COPYRIGHT COPYRIGHT-lua
|
||||
mv deps/jemalloc/COPYING COPYING-jemalloc
|
||||
|
@ -302,6 +306,13 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Feb 6 2024 Remi Collet <rcollet@redhat.com> - 7.0.12-2
|
||||
- Heap Buffer Overflow may lead to potential remote code execution
|
||||
CVE-2023-41056
|
||||
|
||||
* Tue Jul 11 2023 Remi Collet <rcollet@redhat.com> - 7.0.12-1
|
||||
- rebase to 7.0.12 #2221899
|
||||
|
||||
* Thu May 25 2023 Remi Collet <rcollet@redhat.com> - 7.0.11-1
|
||||
- rebase to 7.0.11 for new redis:7 stream #2129826
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (redis-7.0.11.tar.gz) = 679c908b87b4e513401b49d7b87ac1cb03a29dd145dc2364afd579dd541a38feb5d65ee9b7077bb6ec96c3850812bdd475ca10d5cf92ebe52839ff1a2be89174
|
||||
SHA512 (redis-7.0.12.tar.gz) = 27ed0ab054d262028d236694f323387e3ef0e007de782545878011a7535e188152ed0af898dea4d6c0a7fa385849bbce6a0d85661780cb0e69c7d89dea3825b8
|
||||
SHA512 (redis-doc-c7880ba.tar.gz) = 9aa62207768f7bdeda398f6684eaaa6d00f51934be3762c988e4ff6232be107d98e061a9da6d62c5a38c4f69c2d13bee5f5788e02d249063acdabf8faf4a2420
|
||||
|
|
Loading…
Reference in New Issue