-
Notifications
You must be signed in to change notification settings - Fork 563
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Patch CVE-2024-31449 in redis (#10688)
Co-authored-by: Suresh Thelkar <[email protected]> Co-authored-by: Pawel Winogrodzki <[email protected]>
- Loading branch information
3 people
authored
Oct 15, 2024
1 parent
2343f6b
commit 0031a78
Showing
2 changed files
with
49 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| From d5bd1a0e7ba726ccd0d52a2892d2cf5f710efcaa Mon Sep 17 00:00:00 2001 | ||
| From: Suresh Thelkar <[email protected]> | ||
| Date: Thu, 10 Oct 2024 15:42:17 +0530 | ||
| Subject: [PATCH] Patch for CVE-2024-31449 | ||
|
|
||
| Upstream patch details are given below: | ||
| https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9 | ||
| --- | ||
| deps/lua/src/lua_bit.c | 1 + | ||
| tests/unit/scripting.tcl | 6 ++++++ | ||
| 2 files changed, 7 insertions(+) | ||
|
|
||
| diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c | ||
| index 690df7d..a459ca9 100644 | ||
| --- a/deps/lua/src/lua_bit.c | ||
| +++ b/deps/lua/src/lua_bit.c | ||
| @@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L) | ||
| const char *hexdigits = "0123456789abcdef"; | ||
| char buf[8]; | ||
| int i; | ||
| + if (n == INT32_MIN) n = INT32_MIN+1; | ||
| if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; } | ||
| if (n > 8) n = 8; | ||
| for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; } | ||
| diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl | ||
| index 2e3a936..4199ec8 100644 | ||
| --- a/tests/unit/scripting.tcl | ||
| +++ b/tests/unit/scripting.tcl | ||
| @@ -528,6 +528,12 @@ start_server {tags {"scripting"}} { | ||
| set e | ||
| } {ERR*Attempt to modify a readonly table*} | ||
|
|
||
| + test {lua bit.tohex bug} { | ||
| + set res [r eval {return bit.tohex(65535, -2147483648)} 0] | ||
| + r ping | ||
| + set res | ||
| + } {0000FFFF} | ||
| + | ||
| test {Test an example script DECR_IF_GT} { | ||
| set decr_if_gt { | ||
| local current | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: advanced key-value store | ||
| Name: redis | ||
| Version: 6.2.14 | ||
| Release: 2%{?dist} | ||
| Release: 3%{?dist} | ||
| License: BSD | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -10,6 +10,7 @@ URL: https://redis.io/ | |
| Source0: https://download.redis.io/releases/%{name}-%{version}.tar.gz | ||
| Patch0: redis-conf.patch | ||
| Patch1: disable_active_defrag_big_keys.patch | ||
| Patch2: CVE-2024-31449.patch | ||
| BuildRequires: gcc | ||
| BuildRequires: make | ||
| BuildRequires: openssl-devel | ||
|
|
@@ -84,6 +85,9 @@ exit 0 | |
| %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf | ||
|
|
||
| %changelog | ||
| * Thu Oct 10 2024 Suresh Thelkar <[email protected]> - 6.2.14-3 | ||
| - Patch for CVE-2024-31449 | ||
|
|
||
| * Fri Apr 26 2024 Mandeep Plaha <[email protected]> - 6.2.14-2 | ||
| - Build with BUILD_TLS=yes option. | ||
|
|
||
|
|
||