import redis-6.2.7-1.module+el8.7.0+15197+cc495aeb

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/redis-6.0.9.tar.gz
+SOURCES/redis-6.2.7.tar.gz
 SOURCES/redis-doc-8d4bf9b.tar.gz

.redis.metadata

@@ -1,2 +1,2 @@
-416ab41ac74be959ad4192462eecaa8ba9a6d3b7 SOURCES/redis-6.0.9.tar.gz
+b01ef3f117c9815dea41bf2609e489a03c3a5ab1 SOURCES/redis-6.2.7.tar.gz
 45ec7c3b4a034891252507febace7e25ee64b4d9 SOURCES/redis-doc-8d4bf9b.tar.gz

SOURCES/0002-install-redis-check-rdb-as-a-symlink-instead-of-dupl.patch

@@ -1,29 +0,0 @@
-From 79ed52edf84676786e5817cddb8914c5925144c7 Mon Sep 17 00:00:00 2001
-From: Remi Collet <fedora@famillecollet.com>
-Date: Fri, 9 Sep 2016 17:23:27 +0200
-Subject: [PATCH 2/3] install redis-check-rdb as a symlink instead of
- duplicating the binary
-
----
- src/Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index 2a68649..585c95b 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -307,9 +307,9 @@ install: all
- 	$(REDIS_INSTALL) $(REDIS_SERVER_NAME) $(INSTALL_BIN)
- 	$(REDIS_INSTALL) $(REDIS_BENCHMARK_NAME) $(INSTALL_BIN)
- 	$(REDIS_INSTALL) $(REDIS_CLI_NAME) $(INSTALL_BIN)
--	$(REDIS_INSTALL) $(REDIS_CHECK_RDB_NAME) $(INSTALL_BIN)
--	$(REDIS_INSTALL) $(REDIS_CHECK_AOF_NAME) $(INSTALL_BIN)
- 	@ln -sf $(REDIS_SERVER_NAME) $(INSTALL_BIN)/$(REDIS_SENTINEL_NAME)
-+	@ln -sf $(REDIS_SERVER_NAME) $(INSTALL_BIN)/$(REDIS_CHECK_RDB_NAME)
-+	@ln -sf $(REDIS_SERVER_NAME) $(INSTALL_BIN)/$(REDIS_CHECK_AOF_NAME)
- 
- uninstall:
- 	rm -f $(INSTALL_BIN)/{$(REDIS_SERVER_NAME),$(REDIS_BENCHMARK_NAME),$(REDIS_CLI_NAME),$(REDIS_CHECK_RDB_NAME),$(REDIS_CHECK_AOF_NAME),$(REDIS_SENTINEL_NAME)}
--- 
-2.24.1
-

SOURCES/redis-CVE-2021-26477.patch

@@ -1,27 +0,0 @@
-From 394614a5f91d88380f480c4610926a865b5b0f16 Mon Sep 17 00:00:00 2001
-From: Oran Agra <oran@redislabs.com>
-Date: Mon, 3 May 2021 08:32:31 +0300
-Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
-
-An integer overflow bug in Redis version 6.0 or newer could be exploited using
-the STRALGO LCS command to corrupt the heap and potentially result with remote
-code execution.
-
-(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)
----
- src/t_string.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/t_string.c b/src/t_string.c
-index 4886f7e44388..5310a297db16 100644
---- a/src/t_string.c
-+++ b/src/t_string.c
-@@ -576,7 +576,7 @@ void stralgoLCS(client *c) {
-     /* Setup an uint32_t array to store at LCS[i,j] the length of the
-      * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
-      * we index it as LCS[j+(blen+1)*j] */
--    uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
-+    uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
-     #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
- 
-     /* Start building the LCS table. */

SOURCES/redis-config.patch

@@ -7,9 +7,10 @@ Revert: 90555566ed5cbd3e1c3df1293ba3bbf6098e34c3
 See discussion about this breaking change in
 https://github.com/redis/redis/issues/8051
 
---- redis-6.0.9/src/config.c	2020-10-27 08:12:01.000000000 +0100
-+++ redis-6.0.8/src/config.c	2020-09-10 13:09:00.000000000 +0200
-@@ -1568,62 +1568,60 @@
+diff -up ./src/config.c.rev ./src/config.c
+--- ./src/config.c.rev	2022-05-09 14:48:31.118296748 +0200
++++ ./src/config.c	2022-05-09 14:48:41.571163767 +0200
+@@ -1605,62 +1605,60 @@ void rewriteConfigRemoveOrphaned(struct
      dictReleaseIterator(di);
  }
  
@@ -41,39 +42,6 @@ https://github.com/redis/redis/issues/8051
 -        serverLog(LL_WARNING, "Config file full path is too long");
 -        errno = ENAMETOOLONG;
 -        return retval;
--    }
--
--#ifdef _GNU_SOURCE
--    fd = mkostemp(tmp_conffile, O_CLOEXEC);
--#else
--    /* There's a theoretical chance here to leak the FD if a module thread forks & execv in the middle */
--    fd = mkstemp(tmp_conffile);
--#endif
--
--    if (fd == -1) {
--        serverLog(LL_WARNING, "Could not create tmp config file (%s)", strerror(errno));
--        return retval;
--    }
--
--    while (offset < sdslen(content)) {
--         written_bytes = write(fd, content + offset, sdslen(content) - offset);
--         if (written_bytes <= 0) {
--             if (errno == EINTR) continue; /* FD is blocking, no other retryable errors */
--             serverLog(LL_WARNING, "Failed after writing (%zd) bytes to tmp config file (%s)", offset, strerror(errno));
--             goto cleanup;
--         }
--         offset+=written_bytes;
--    }
--
--    if (fsync(fd))
--        serverLog(LL_WARNING, "Could not sync tmp config file to disk (%s)", strerror(errno));
--    else if (fchmod(fd, 0644) == -1)
--        serverLog(LL_WARNING, "Could not chmod config file (%s)", strerror(errno));
--    else if (rename(tmp_conffile, configfile) == -1)
--        serverLog(LL_WARNING, "Could not rename tmp config file (%s)", strerror(errno));
--    else {
--        retval = 0;
--        serverLog(LL_DEBUG, "Rewritten config file (%s) successfully", configfile);
 +    int retval = 0;
 +    int fd = open(configfile,O_RDWR|O_CREAT,0644);
 +    int content_size = sdslen(content), padding = 0;
@@ -86,8 +54,18 @@ https://github.com/redis/redis/issues/8051
 +    if (fstat(fd,&sb) == -1) {
 +        close(fd);
 +        return -1; /* errno set by fstat(). */
-+    }
-+
+     }
+ 
+-#ifdef _GNU_SOURCE
+-    fd = mkostemp(tmp_conffile, O_CLOEXEC);
+-#else
+-    /* There's a theoretical chance here to leak the FD if a module thread forks & execv in the middle */
+-    fd = mkstemp(tmp_conffile);
+-#endif
+-
+-    if (fd == -1) {
+-        serverLog(LL_WARNING, "Could not create tmp config file (%s)", strerror(errno));
+-        return retval;
 +    /* 2) Pad the content at least match the old file size. */
 +    content_padded = sdsdup(content);
 +    if (content_size < sb.st_size) {
@@ -97,20 +75,38 @@ https://github.com/redis/redis/issues/8051
 +        content_padded = sdsgrowzero(content_padded,sb.st_size);
 +        content_padded[content_size] = '\n';
 +        memset(content_padded+content_size+1,'#',padding-1);
-+    }
-+
+     }
+ 
+-    while (offset < sdslen(content)) {
+-         written_bytes = write(fd, content + offset, sdslen(content) - offset);
+-         if (written_bytes <= 0) {
+-             if (errno == EINTR) continue; /* FD is blocking, no other retryable errors */
+-             serverLog(LL_WARNING, "Failed after writing (%zd) bytes to tmp config file (%s)", offset, strerror(errno));
+-             goto cleanup;
+-         }
+-         offset+=written_bytes;
 +    /* 3) Write the new content using a single write(2). */
 +    if (write(fd,content_padded,strlen(content_padded)) == -1) {
 +        retval = -1;
 +        goto cleanup;
-+    }
-+
+     }
+ 
+-    if (fsync(fd))
+-        serverLog(LL_WARNING, "Could not sync tmp config file to disk (%s)", strerror(errno));
+-    else if (fchmod(fd, 0644 & ~server.umask) == -1)
+-        serverLog(LL_WARNING, "Could not chmod config file (%s)", strerror(errno));
+-    else if (rename(tmp_conffile, configfile) == -1)
+-        serverLog(LL_WARNING, "Could not rename tmp config file (%s)", strerror(errno));
+-    else {
+-        retval = 0;
+-        serverLog(LL_DEBUG, "Rewritten config file (%s) successfully", configfile);
+-    }
 +    /* 4) Truncate the file to the right length if we used padding. */
 +    if (padding) {
 +        if (ftruncate(fd,content_size) == -1) {
 +            /* Non critical error... */
 +        }
-     }
++     }
  
  cleanup:
 +    sdsfree(content_padded);
@@ -119,4 +115,3 @@ https://github.com/redis/redis/issues/8051
      return retval;
  }
  
-

SPECS/redis.spec

@@ -19,8 +19,8 @@
 %global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
 
 Name:              redis
-Version:           6.0.9
-Release:           3%{?dist}
+Version:           6.2.7
+Release:           1%{?dist}
 Summary:           A persistent key-value database
 # redis, jemalloc, linenoise, lzf, hiredis are BSD
 # lua is MIT
@@ -46,13 +46,10 @@ Source10:          https://github.com/antirez/%{name}-doc/archive/%{doc_commit}/
 # Update configuration for Fedora
 # https://github.com/antirez/redis/pull/3491 - man pages
 Patch0001:         0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
-# https://github.com/antirez/redis/pull/3494 - symlink
-Patch0002:         0002-install-redis-check-rdb-as-a-symlink-instead-of-dupl.patch
 # revert BC break
 Patch0003:         redis-config.patch
 
 # Security patches
-Patch100:          redis-CVE-2021-26477.patch
 
 BuildRequires:     gcc
 %if %{with tests}
@@ -70,7 +67,7 @@ Requires(post):    systemd
 Requires(preun):   systemd
 Requires(postun):  systemd
 # from deps/hiredis/hiredis.h
-Provides:          bundled(hiredis) = 0.14.0
+Provides:          bundled(hiredis) = 1.0.0
 # from deps/jemalloc/VERSION
 Provides:          bundled(jemalloc) = 5.1.0
 # from deps/lua/src/lua.h
@@ -135,9 +132,7 @@ administration and development.
 %setup -q
 mv ../%{name}-doc-%{doc_commit} doc
 %patch0001 -p1
-%patch0002 -p1
-%patch0003 -p1
-%patch100  -p1 -b .cve29477
+%patch0003 -p1 -b .rev
 
 mv deps/lua/COPYRIGHT    COPYRIGHT-lua
 mv deps/jemalloc/COPYING COPYING-jemalloc
@@ -286,6 +281,25 @@ exit 0
 
 
 %changelog
+* Mon May  9 2022 Remi Collet <rcollet@redhat.com> - 6.2.7-1
+- rebase to 6.2.7 #1999873
+
+* Mon Oct 11 2021 Remi Collet <rcollet@redhat.com> - 6.0.9-5
+- fix denial of service via Redis Standard Protocol (RESP) request
+  CVE-2021-32675
+
+* Fri Oct  8 2021 Remi Collet <rcollet@redhat.com> - 6.0.9-4
+- fix lua scripts can overflow the heap-based Lua stack
+  CVE-2021-32626
+- fix integer overflow issue with Streams
+  CVE-2021-32627
+- fix integer overflow bug in the ziplist data structure
+  CVE-2021-32628
+- fix integer overflow issue with intsets
+  CVE-2021-32687
+- fix integer overflow issue with strings
+  CVE-2021-41099
+
 * Wed May 12 2021 Remi Collet <rcollet@redhat.com> - 6.0.9-3
 - fix integer overflow via STRALGO LCS command
   CVE-2021-29477