From 4514ab3fb1fdc3c42822bb3fbe5349a7bdb9b42e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Thu, 28 Nov 2024 14:09:56 +0100
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 redis revision c07d92329ae458596eade4ff2daef26d
---
 CVE-2024-31227.patch | 24 ++++++++++++++++++
 CVE-2024-31228.patch | 60 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2024-31449.patch | 40 +++++++++++++++++++++++++++++
 redis.changes | 13 ++++++++++
 redis.spec | 9 +++++++
 5 files changed, 146 insertions(+)
 create mode 100644 CVE-2024-31227.patch
 create mode 100644 CVE-2024-31228.patch
 create mode 100644 CVE-2024-31449.patch
diff --git a/CVE-2024-31227.patch b/CVE-2024-31227.patch
new file mode 100644
index 0000000..ffc0863
--- /dev/null
+++ b/CVE-2024-31227.patch
@@ -0,0 +1,24 @@
+From b351d5a3210e61cc3b22ba38a723d6da8f3c298a Mon Sep 17 00:00:00 2001
+From: Oran Agra
+Date: Wed, 2 Oct 2024 20:01:14 +0300
+Subject: [PATCH] Fix ACL SETUSER Read/Write key pattern selector
+ (CVE-2024-31227)
+
+The '%' rule must contain one or both of R/W
+---
+ src/acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/acl.c b/src/acl.c
+index 5fd956d2320..af58684e272 100644
+--- a/src/acl.c
++++ b/src/acl.c
+@@ -1051,7 +1051,7 @@ int ACLSetSelector(aclSelector *selector, const char* op, size_t oplen) {
+ flags |= ACL_READ_PERMISSION;
+ } else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) {
+ flags |= ACL_WRITE_PERMISSION;
+- } else if (op[offset] == '~') {
++ } else if (op[offset] == '~' && flags) {
+ offset++;
+ break;
+ } else {
diff --git a/CVE-2024-31228.patch b/CVE-2024-31228.patch
new file mode 100644
index 0000000..3bfef71
--- /dev/null
+++ b/CVE-2024-31228.patch
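Review bot: The `&& flags` guard added to the `'~'` branch of ACLSetSelector ships without a regression test: this patch's own diffstat touches only src/acl.c, whereas the other two CVE patches in this sync each add a tcl case. A test asserting that an ACL SETUSER key rule with `%` followed directly by `~` (no R or W in between) is rejected would pin the fix. The line would also benefit from a why-comment such as `/* '%' must carry R and/or W before '~'; an empty permission set is invalid */`. The guard relies on `flags` being zero until one of the R/W branches sets it, and on the trailing `else` reporting the error; both lie outside the hunk, so confirm them against the full function.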
@@ -0,0 +1,60 @@
+From c8649f8e852d1dc388b5446e003bb0eefa33d61f Mon Sep 17 00:00:00 2001
+From: Oran Agra
+Date: Wed, 2 Oct 2024 20:11:01 +0300
+Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228)
+
+---
+ src/util.c | 9 ++++++---
+ tests/unit/keyspace.tcl | 6 ++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 26d92b92290..c32cbeef96a 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -54,8 +54,11 @@
+
+ /* Glob-style pattern matching. */
+ static int stringmatchlen_impl(const char *pattern, int patternLen,
+- const char *string, int stringLen, int nocase, int *skipLongerMatches)
++ const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
+ {
++ /* Protection against abusive patterns. */
++ if (nesting > 1000) return 0;
++
+ while(patternLen && stringLen) {
+ switch(pattern[0]) {
+ case '*':
+@@ -67,7 +70,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ return 1; /* match */
+ while(stringLen) {
+ if (stringmatchlen_impl(pattern+1, patternLen-1,
+- string, stringLen, nocase, skipLongerMatches))
++ string, stringLen, nocase, skipLongerMatches, nesting+1))
+ return 1; /* match */
+ if (*skipLongerMatches)
+ return 0; /* no match */
+@@ -189,7 +192,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ int stringmatchlen(const char *pattern, int patternLen,
+ const char *string, int stringLen, int nocase) {
+ int skipLongerMatches = 0;
+- return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
++ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
+ }
+
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index 43690d06b32..b42421221cd 100644
+--- a/tests/unit/keyspace.tcl
++++ b/tests/unit/keyspace.tcl
+@@ -499,4 +499,10 @@ foreach {type large} [array get largevalue] {
+ r
SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+ r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+ } {}
++
++ test {Regression for pattern matching very long nested loops} {
++ r flushdb
++ r SET [string repeat "a" 50000] 1
++ r KEYS [string repeat "*?" 50000]
++ } {}
+ }
diff --git a/CVE-2024-31449.patch b/CVE-2024-31449.patch
new file mode 100644
index 0000000..967fd86
--- /dev/null
+++ b/CVE-2024-31449.patch
@@ -0,0 +1,40 @@
+From fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 Mon Sep 17 00:00:00 2001
+From: Oran Agra
+Date: Wed, 2 Oct 2024 19:54:06 +0300
+Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449)
+
+INT_MIN value must be explicitly checked, and cannot be negated.
+---
+ deps/lua/src/lua_bit.c | 1 +
+ tests/unit/scripting.tcl | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
+index 9f83b8594b8..7e43faea47f 100644
+--- a/deps/lua/src/lua_bit.c
++++ b/deps/lua/src/lua_bit.c
+@@ -132,6 +132,7 @@ static int bit_tohex(lua_State *L)
+ const char *hexdigits = "0123456789abcdef";
+ char buf[8];
+ int i;
++ if (n == INT32_MIN) n = INT32_MIN+1;
+ if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
+ if (n > 8) n = 8;
+ for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index 18066a10c10..635076b16b3 100644
+--- a/tests/unit/scripting.tcl
++++ b/tests/unit/scripting.tcl
+@@ -613,6 +613,12 @@ start_server {tags {"scripting"}} {
+ set e
+ } {ERR *Attempt to modify a readonly table*}
+
++ test {lua bit.tohex bug} {
++ set res [run_script {return bit.tohex(65535, -2147483648)} 0]
++ r ping
++ set res
++ } {0000FFFF}
++
+ test {Test an example script DECR_IF_GT} {
+ set decr_if_gt {
+ local current
diff --git a/redis.changes b/redis.changes
index 9682d3c..1600b6c 100644
--- a/redis.changes
+++ b/redis.changes
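Review bot: The new depth guard in stringmatchlen_impl, `if (nesting > 1000) return 0;`, reports an over-deep pattern as an ordinary "no match", so a caller cannot tell a refused pattern from a genuine miss. That fails closed where a match grants something, but any caller that uses a match to exclude or deny would fail open; the callers are not visible here, so this is worth checking against them and stating in the comment. The bare 1000 would also read better as a named constant carrying the rationale, e.g. `#define STRINGMATCH_MAX_NESTING 1000 /* caps recursion depth (stack use) per '*' */` (the name is only a suggestion). Only the `'*'` recursion in the second util.c hunk is shown passing `nesting+1`; the rest of the function body is outside the hunks.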
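Review bot: The added `if (n == INT32_MIN) n = INT32_MIN+1;` in bit_tohex has no comment, and without one it reads as an arbitrary special case that a later cleanup could remove. Suggested wording: `/* -INT32_MIN is not representable; n would stay negative and escape the n > 8 clamp that keeps it within buf[8] */`. The declaration of `n` and whatever consumes `buf` and `n` after the loop are outside the hunk, so the comment assumes `n` is a 32-bit signed value and should be checked against the full function.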
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Oct 3 21:35:23 UTC 2024 - Antonio Teixeira
+
+- Fix CVE-2024-31227, parsing issue leading to denail of service
+ (bsc#1231266)
+ * CVE-2024-31227.patch
+- Fix CVE-2024-31228, prevent unbounded recursive pattern matching
+ (bsc#1231265)
+ * CVE-2024-31228.patch
+- Fix CVE-2024-31449, integer overflow bug in Lua bit_tohex
+ (bsc#1231264)
+ * CVE-2024-31449.patch
+
 -------------------------------------------------------------------
 Tue Jan 9 13:02:41 UTC 2024 - Marcus Rueckert
 
diff --git a/redis.spec b/redis.spec
index c4161bc..c4718f8 100644
--- a/redis.spec
+++ b/redis.spec
@@ -40,6 +40,15 @@ Source10: https://raw.githubusercontent.com/redis/redis-hashes/master/READ
 Patch0: %{name}-conf.patch
 Patch3: reproducible.patch
 Patch4: ppc-atomic.patch
+# PATCH-FIX-UPSTREAM antonio.teixeira@suse.com bsc#1231266 CVE-2024-31227
+# Fix parsing issue leading to denail of service
+Patch5: CVE-2024-31227.patch
+# PATCH-FIX-UPSTREAM antonio.teixeira@suse.com bsc#1231265 CVE-2024-31228
+# Prevent unbounded recursive pattern matching
+Patch6: CVE-2024-31228.patch
+# PATCH-FIX-UPSTREAM antonio.teixeira@suse.com bsc#1231264 CVE-2024-31449
+# Integer overflow bug in Lua bit_tohex
+Patch7: CVE-2024-31449.patch
 BuildRequires: jemalloc-devel
 BuildRequires: libopenssl-devel >= 1.1.1
 BuildRequires: pkgconfig
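Review bot: The redis.spec hunk only declares `Patch5` to `Patch7`, and nothing in this commit touches %prep (the diffstat lists 9 insertions for redis.spec, all of them in this hunk). Whether the three CVE fixes are actually applied therefore depends on %prep using an automatic mechanism such as `%autosetup` or `%autopatch` rather than explicit per-patch `%patch` lines, which cannot be seen from here. It is worth confirming from the build log that all three patches are applied before treating the package as fixed. The Patch5 comment also misspells "denial" as `denail`, and the same typo appears in the redis.changes entry.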