rebase to 8.0.4 for CVE-2025-27151 CVE-2025-48367 and CVE-2025-32023

Resolves: RHEL-103648 (cherry picked from commit c20e45b256b4ba78ed77c5bf324af0fc457e21e0)
2025-07-16 12:44:43 +02:00 · 2025-07-16 12:44:43 +02:00 · 2be3eb050d
commit 2be3eb050d
parent 8bc88779cf
4 changed files with 46 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 /valkey-7.2.6.tar.gz
 /valkey-8.0.2.tar.gz
 /valkey-8.0.3.tar.gz
+/valkey-8.0.4.tar.gz
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (valkey-8.0.3.tar.gz) = 3639855d2eced9dd1b38e95e46c515441c850b4fb087c45b2c81a15c5e864555281715fa90b47dc60260485c9469f523f1fac716b3e2114cf7e05c39833e6c96
+SHA512 (valkey-8.0.4.tar.gz) = 2e6969a2c791f39943fe31c9c6dc5432accc37212c586f891f997df6dc74c0329d9f7254c54842f8203c8427f903e016cd465747d221349396327649ffa340fb
--- a/valkey-cve-2025-27151.patch
+++ b/valkey-cve-2025-27151.patch
@ -0,0 +1,34 @@
+From 73696bf6e2cf754acc3ec24eaf9ca6b879bfc5d7 Mon Sep 17 00:00:00 2001
+From: Madelyn Olson <madelyneolson@gmail.com>
+Date: Thu, 29 May 2025 00:06:23 +0100
+Subject: [PATCH] Incorporate Redis CVE for CVE-2025-27151 (#2146)
+
+Resolves https://github.com/valkey-io/valkey/issues/2145
+
+Incorporate the CVE patch that was sent to us by Redis Ltd.
+
+---------
+
+Signed-off-by: Madelyn Olson <madelyneolson@gmail.com>
+Co-authored-by: Ping Xie <pingxie@outlook.com>
+---
+ src/valkey-check-aof.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/valkey-check-aof.c b/src/valkey-check-aof.c
+index ed0eb2b49d..a6e4b97c6d 100644
+--- a/src/valkey-check-aof.c
+++ b/src/valkey-check-aof.c
+@@ -556,6 +556,12 @@ int redis_check_aof_main(int argc, char **argv) {
+         goto invalid_args;
+     }
+ 
+    /* Check if filepath is longer than PATH_MAX */
+    if (strnlen(filepath, PATH_MAX + 1) > PATH_MAX) {
+        printf("Error: filepath is too long (exceeds PATH_MAX)\n");
+        goto invalid_args;
+    }
+
+     /* In the glibc implementation dirname may modify their argument. */
+     memcpy(temp_filepath, filepath, strlen(filepath) + 1);
+     dirpath = dirname(temp_filepath);
--- a/valkey.spec
+++ b/valkey.spec
@ -2,7 +2,7 @@
 %bcond_with tests

 Name:              valkey
-Version:           8.0.3
+Version:           8.0.4
 Release:           1%{?dist}
 Summary:           A persistent key-value database
 # valkey: BSD-3-Clause
@ -20,6 +20,8 @@ Source4:           %{name}.sysusers
 Source8:           macros.%{name}
 Source9:           migrate_redis_to_valkey.sh

+Patch1:            valkey-cve-2025-27151.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 %if %{with tests}
@ -102,7 +104,8 @@ BuildArch:         noarch


 %prep
-%autosetup -n %{name}-%{version} -p1
+%setup -qn %{name}-%{version}
+%patch -P1 -p1

 mv deps/lua/COPYRIGHT             COPYRIGHT-lua
 mv deps/jemalloc/COPYING          COPYING-jemalloc
@ -146,9 +149,11 @@ echo '# valkey-sentinel_rpm_conf' >> sentinel.conf

 %global make_flags DEBUG="" V="echo" PREFIX=%{buildroot}%{_prefix} BUILD_WITH_SYSTEMD=yes BUILD_TLS=yes

+
 %build
 %make_build %{make_flags}

+
 %install
 %make_install %{make_flags}

@ -258,6 +263,9 @@ taskset -c 1 ./runtest --clients 50 --skiptest "Active defrag - AOF loading"


 %changelog
+* Wed Jul 16 2025 Remi Collet <remi@fedoraproject.org> - 8.0.4-1
+- rebase to 8.0.4 for CVE-2025-27151 CVE-2025-48367 and CVE-2025-32023
+
 * Thu Apr 24 2025 Remi Collet <rcollet@redhat.com> - 8.0.3.1
 - rebase to 8.0.3