Merge branch 'fasttrack/2.0' into sthelkar/openIPMI

microsoft · Oct 15, 2024 · c64ed10 · c64ed10
2 parents fa66bac + ceab85e
commit c64ed10
Show file tree

Hide file tree

Showing 5 changed files with 128 additions and 2 deletions.
diff --git a/SPECS/giflib/CVE-2022-28506.patch b/SPECS/giflib/CVE-2022-28506.patch
@@ -0,0 +1,30 @@
+From 006158597ac945d1992c9411f393eb228fb9c7bc Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <[email protected]>
+Date: Fri, 11 Oct 2024 10:39:07 +0530
+Subject: [PATCH] Patch for CVE-2022-28506
+
+Upstream patch details are given below.
+https://sourceforge.net/u/mmuzila/giflib/ci/5b74cdd9c1285514eaa4675347ba3eea81d32c65/
+---
+ gif2rgb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index 9d16664..82f1130 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+             GifRow = ScreenBuffer[i];
+             GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
+             for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
++                /* Check if color is within color palete */
++                if (GifRow[j] >= ColorMap->ColorCount)
++                {
++                   GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
++                }
+                 ColorMapEntry = &ColorMap->Colors[GifRow[j]];
+                 *BufferP++ = ColorMapEntry->Red;
+                 *BufferP++ = ColorMapEntry->Green;
+-- 
+2.34.1
+
diff --git a/SPECS/giflib/CVE-2023-48161.patch b/SPECS/giflib/CVE-2023-48161.patch
@@ -0,0 +1,43 @@
+From e9ed0342ff3da16c646e355c1bb8a37ab0c93240 Mon Sep 17 00:00:00 2001
+From: Bogdan Codres <[email protected]>
+Date: Fri, 8 Mar 2024 01:30:45 +0800
+Subject: [PATCH] Free Buffers from DumpScreen2RGB in error case
+
+==581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002bfc at pc 0x557cbdc9b28d bp 0x7ffde35804b0 sp 0x7ffde35804a0
+READ of size 1 at 0x602000002bfc thread T0
+    #0 0x557cbdc9b28c in DumpScreen2RGB ../../giflib-5.1.4/util/gif2rgb.c:323
+    #1 0x557cbdc9b28c in GIF2RGB ../../giflib-5.1.4/util/gif2rgb.c:480
+    #2 0x557cbdc9b28c in main ../../giflib-5.1.4/util/gif2rgb.c:538
+    #3 0x7fb09ad8214a in __libc_start_main (/lib64/libc.so.6+0x391602414a)
+    #4 0x557cbdc9bb19 in _start (/usr/bin/gif2rgb+0x5b19)
+
+0x602000002bfc is located 0 bytes to the right of 12-byte region [0x602000002bf0,0x602000002bfc)
+allocated by thread T0 here:
+    #0 0x7fb09b021138 in __interceptor_calloc (/usr/lib64/libasan.so.5+0xee138)
+    #1 0x7fb09af2ab1e in GifMakeMapObject ../../giflib-5.1.4/lib/gifalloc.c:55
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow ../../giflib-5.1.4/util/gif2rgb.c:323 in DumpScreen2RGB
+
+Signed-off-by: Bogdan Codres <[email protected]>
+---
+ util/gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index bdc861f..9916fde 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -327,6 +327,9 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+             if (fwrite(Buffers[0], ScreenWidth, 1, rgbfp[0]) != 1 ||
+                 fwrite(Buffers[1], ScreenWidth, 1, rgbfp[1]) != 1 ||
+                 fwrite(Buffers[2], ScreenWidth, 1, rgbfp[2]) != 1)
++		free((char *) Buffers[0]);
++		free((char *) Buffers[1]);
++		free((char *) Buffers[2]);
+                 GIF_EXIT("Write to file(s) failed.");
+         }
+
+-- 
+2.26.1
+
+
diff --git a/SPECS/giflib/giflib.spec b/SPECS/giflib/giflib.spec
@@ -1,14 +1,16 @@
 Name:           giflib
 Summary:        A library and utilities for processing GIFs
 Version:        5.2.1
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            http://www.sourceforge.net/projects/giflib/
 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 # Move quantize.c back into libgif.so (#1750122)
 Patch0:         giflib_quantize.patch
+Patch1:         CVE-2023-48161.patch
+Patch2:         CVE-2022-28506.patch
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  xmlto
@@ -59,6 +61,9 @@ find %{buildroot} -name '*.a' -print -delete
 %{_mandir}/man1/*.1*
 
 %changelog
+* Fri Oct 11 2024 Suresh Thelkar <[email protected]> - 5.2.1-7
+- Patch CVE-2023-48161 and CVE-2022-28506
+
 * Mon Jul 11 2022 Olivia Crain <[email protected]> - 5.2.1-6
 - Promote to mariner-official-base repo
 - Lint spec

diff --git a/SPECS/redis/CVE-2024-31449.patch b/SPECS/redis/CVE-2024-31449.patch
@@ -0,0 +1,44 @@
+From d5bd1a0e7ba726ccd0d52a2892d2cf5f710efcaa Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <[email protected]>
+Date: Thu, 10 Oct 2024 15:42:17 +0530
+Subject: [PATCH] Patch for CVE-2024-31449
+
+Upstream patch details are given below:
+https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9
+---
+ deps/lua/src/lua_bit.c   | 1 +
+ tests/unit/scripting.tcl | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
+index 690df7d..a459ca9 100644
+--- a/deps/lua/src/lua_bit.c
++++ b/deps/lua/src/lua_bit.c
+@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L)
+   const char *hexdigits = "0123456789abcdef";
+   char buf[8];
+   int i;
++  if (n == INT32_MIN) n = INT32_MIN+1;
+   if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
+   if (n > 8) n = 8;
+   for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index 2e3a936..4199ec8 100644
+--- a/tests/unit/scripting.tcl
++++ b/tests/unit/scripting.tcl
+@@ -528,6 +528,12 @@ start_server {tags {"scripting"}} {
+         set e
+     } {ERR*Attempt to modify a readonly table*}
+
++	test {lua bit.tohex bug} {
++        set res [r eval {return bit.tohex(65535, -2147483648)} 0]
++        r ping
++        set res
++    } {0000FFFF}
++	
+     test {Test an example script DECR_IF_GT} {
+         set decr_if_gt {
+             local current
+-- 
+2.34.1
+
diff --git a/SPECS/redis/redis.spec b/SPECS/redis/redis.spec
@@ -1,7 +1,7 @@
 Summary:        advanced key-value store
 Name:           redis
 Version:        6.2.14
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -10,6 +10,7 @@ URL:            https://redis.io/
 Source0:        https://download.redis.io/releases/%{name}-%{version}.tar.gz
 Patch0:         redis-conf.patch
 Patch1:         disable_active_defrag_big_keys.patch
+Patch2:         CVE-2024-31449.patch
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  openssl-devel
@@ -84,6 +85,9 @@ exit 0
 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf
 
 %changelog
+* Thu Oct 10 2024 Suresh Thelkar <[email protected]> - 6.2.14-3
+- Patch for CVE-2024-31449
+
 * Fri Apr 26 2024 Mandeep Plaha <[email protected]> - 6.2.14-2
 - Build with BUILD_TLS=yes option.