Accepting request 416021 from home:AndreasStieger:branches:server:database

redis 3.2.2, also fix CVE-2013-7458 boo#991250 OBS-URL: https://build.opensuse.org/request/show/416021 OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=80
2016-07-30 10:45:11 +00:00 · 2016-07-30 10:45:11 +00:00 · 5ddd4e358b
commit 5ddd4e358b
parent 605131e7fe
5 changed files with 73 additions and 4 deletions
--- a/CVE-2013-7458.patch
+++ b/CVE-2013-7458.patch
@ -0,0 +1,47 @@
+From 71536684a788dc859e42132a2c5a2b7373414375 Mon Sep 17 00:00:00 2001
+From: antirez <antirez@gmail.com>
+Date: Fri, 29 Jul 2016 11:28:16 +0200
+Subject: [PATCH] Update linenoise to fix insecure redis-cli history file
+ creation.
+
+The problem was fixed in antirez/linenoise repository applying a patch
+contributed by @lamby. Here the new version is updated in the Redis
+source tree.
+
+Close #1418
+Close #3322
+---
+ deps/linenoise/linenoise.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/deps/linenoise/linenoise.c b/deps/linenoise/linenoise.c
+index a807d9b..fce14a7 100644
+--- a/deps/linenoise/linenoise.c
+++ b/deps/linenoise/linenoise.c
+@@ -111,6 +111,7 @@
+ #include <string.h>
+ #include <stdlib.h>
+ #include <ctype.h>
+#include <sys/stat.h>
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
+ #include <unistd.h>
+@@ -1160,10 +1161,14 @@ int linenoiseHistorySetMaxLen(int len) {
+ /* Save the history in the specified file. On success 0 is returned
+  * otherwise -1 is returned. */
+ int linenoiseHistorySave(const char *filename) {
+-    FILE *fp = fopen(filename,"w");
+    mode_t old_umask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
+    FILE *fp;
+     int j;
+ 
+    fp = fopen(filename,"w");
+    umask(old_umask);
+     if (fp == NULL) return -1;
+    chmod(filename,S_IRUSR|S_IWUSR);
+     for (j = 0; j < history_len; j++)
+         fprintf(fp,"%s\n",history[j]);
+     fclose(fp);
+-- 
+2.6.6
+
--- a/redis-3.2.1.tar.gz
+++ b/redis-3.2.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:df7bfb7b527d99981eba3912ae22703764eb19adda1357818188b22fdd09d5c9
-size 1534696
--- a/redis-3.2.2.tar.gz
+++ b/redis-3.2.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:05cf63502b2248b5d39588962100bfa4fcb47dabd56931a8cb60b301b1d8daea
+size 1541030
--- a/redis.changes
+++ b/redis.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Sat Jul 30 10:06:22 UTC 2016 - astieger@suse.com
+
+- Fix CVE-2013-7458: unsafe permissions of command line history
+  boo#991250, adding CVE-2013-7458.patch
+
+-------------------------------------------------------------------
+Sat Jul 30 09:59:59 UTC 2016 - astieger@suse.com
+
+- redis 3.2.2
+- Highlight bug fixes:
+  * Fix Redis server and Sentinel crashes
+  * Fix GEORADIUS errors in reported entries
+- New features:
+  * slaves support the slave-announce-ip and slave-announce-port
+    options.
+  * RDB check utlity is now part of Redis and uses the same RDB code
+  * redis-check-dump utility is now able to show certain information
+    about the RDB file including creating version and date.
+
 -------------------------------------------------------------------
 Wed Jun 29 12:14:42 UTC 2016 - rmaliska@suse.com

--- a/redis.spec
+++ b/redis.spec
@ -25,7 +25,7 @@
 %bcond_with    systemd
 %endif
 Name:           redis
-Version:        3.2.1
+Version:        3.2.2
 Release:        0
 Summary:        Persistent key-value database
 License:        BSD-3-Clause
@ -42,6 +42,7 @@ Patch0:         %{name}-initscript.patch
 # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines
 Patch1:         %{name}-conf.patch
 Patch2:         redis-enable-bactrace-on-x86-and-ia64-only.patch
+Patch3:         CVE-2013-7458.patch
 BuildRequires:  pkgconfig
 BuildRequires:  procps
 BuildRequires:  tcl
@ -69,6 +70,7 @@ different kind of sorting abilities.
 %patch0
 %patch1
 %patch2
+%patch3 -p1

 %build
 make %{?_smp_mflags} CFLAGS="%{optflags}" V=1