From b91aeb81e4363a935a5550cf6b0d14fd21254e3d Mon Sep 17 00:00:00 2001
From: suresh-thelkar
Date: Wed, 16 Oct 2024 00:12:16 +0530
Subject: [PATCH] Patch CVE-2024-31449 in redis (#10688)

Co-authored-by: Suresh Thelkar
Co-authored-by: Pawel Winogrodzki
(cherry picked from commit 0031a788fbdd098248f1d6f6ea165369a7ad8eba)
---
 SPECS/redis/CVE-2024-31449.patch | 44 ++++++++++++++++++++++++++++++++
 SPECS/redis/redis.spec | 6 ++++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/redis/CVE-2024-31449.patch

diff --git a/SPECS/redis/CVE-2024-31449.patch b/SPECS/redis/CVE-2024-31449.patch
new file mode 100644
index 00000000000..b7be458ba57
--- /dev/null
+++ b/SPECS/redis/CVE-2024-31449.patch
@@ -0,0 +1,44 @@
+From d5bd1a0e7ba726ccd0d52a2892d2cf5f710efcaa Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar
+Date: Thu, 10 Oct 2024 15:42:17 +0530
+Subject: [PATCH] Patch for CVE-2024-31449
+
+Upstream patch details are given below:
+https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9
+---
+ deps/lua/src/lua_bit.c | 1 +
+ tests/unit/scripting.tcl | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
+index 690df7d..a459ca9 100644
+--- a/deps/lua/src/lua_bit.c
++++ b/deps/lua/src/lua_bit.c
+@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L)
+ const char *hexdigits = "0123456789abcdef";
+ char buf[8];
+ int i;
++ if (n == INT32_MIN) n = INT32_MIN+1;
+ if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
+ if (n > 8) n = 8;
+ for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index 2e3a936..4199ec8 100644
+--- a/tests/unit/scripting.tcl
++++ b/tests/unit/scripting.tcl
+@@ -528,6 +528,12 @@ start_server {tags {"scripting"}} {
+ set e
+ } {ERR*Attempt to modify a readonly table*}
+
++ test {lua bit.tohex bug} {
++ set res [r eval {return bit.tohex(65535, -2147483648)} 0]
++ r ping
++ set res
++ } {0000FFFF}
++
+ test {Test an example script DECR_IF_GT} {
+ set decr_if_gt {
+ local current
+--
+2.34.1
+
diff --git a/SPECS/redis/redis.spec b/SPECS/redis/redis.spec
index 1f0a953fed2..299ea23a8ea 100644
--- a/SPECS/redis/redis.spec
+++ b/SPECS/redis/redis.spec
@@ -1,7 +1,7 @@
 Summary: advanced key-value store
 Name: redis
 Version: 6.2.14
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD
 Vendor: Microsoft Corporation
 Distribution: Mariner
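Review bot: The one-line guard `if (n == INT32_MIN) n = INT32_MIN+1;` added just before the `n < 0` branch of bit_tohex carries no comment, and its purpose is not readable from the line itself: `n = -n` on the following line overflows for exactly that value (undefined behaviour; on two's-complement targets n typically stays negative), so the `if (n > 8) n = 8;` clamp never fires and n leaves the hunk still out of range, which is the CVE. I would annotate it with `/* -INT32_MIN overflows (UB): n would stay negative, skip the n > 8 clamp and be used out of range below (CVE-2024-31449) */`. `INT32_MIN` also has to be in scope: lua_bit.c's include block is outside the hunk, so confirm this 6.2.14 copy includes <stdint.h> (or supplies an equivalent definition for toolchains without it) on every target the package builds for. The added tcl test pins only the INT32_MIN input; a sibling case such as `bit.tohex(65535, -2147483647)` would additionally show the ordinary negate-then-clamp path still yields `0000FFFF`. bit_tohex's declaration of n and whatever consumes n after the clamp both lie outside the hunk.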
@@ -10,6 +10,7 @@ URL: https://redis.io/
 Source0: https://download.redis.io/releases/%{name}-%{version}.tar.gz
 Patch0: redis-conf.patch
 Patch1: disable_active_defrag_big_keys.patch
+Patch2: CVE-2024-31449.patch
 BuildRequires: gcc
 BuildRequires: make
 BuildRequires: openssl-devel
@@ -84,6 +85,9 @@ exit 0
 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf
 %changelog
+* Thu Oct 10 2024 Suresh Thelkar - 6.2.14-3
+- Patch for CVE-2024-31449
+
 * Fri Apr 26 2024 Mandeep Plaha - 6.2.14-2
 - Build with BUILD_TLS=yes option.
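Review bot: `Patch2: CVE-2024-31449.patch` is only declared in this hunk; the %prep section that actually applies patches is outside the diff, and if it uses explicit `%patch0 -p1` / `%patch1 -p1` lines rather than `%autosetup -p1`, a matching `%patch2 -p1` line is required or the build ships an unpatched lua_bit.c while the changelog claims the CVE is fixed. The patch's paths (`a/deps/lua/src/lua_bit.c`) need strip level 1 against the %{name}-%{version} tarball, so whichever mechanism is used must apply it with -p1. Checking the build log for the patch being applied, and ideally running the `lua bit.tohex bug` test the patch adds against the built binary, would close the loop.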