Accepting request 1073382 from home:AndreasStieger:branches:server:database
redis 7.0.10 CVE-2023-28425 boo#1209528 OBS-URL: https://build.opensuse.org/request/show/1073382 OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=220
parent
536e279934
commit
659d0e4677
@ -1,115 +0,0 @@
|
|||||||
From 2a2a582e7cd99ba3b531336b8bd41df2b566e619 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Oran Agra <oran@redislabs.com>
|
|
||||||
Date: Tue, 21 Feb 2023 15:16:13 +0200
|
|
||||||
Subject: [PATCH] Integer Overflow in RAND commands can lead to assertion
|
|
||||||
(CVE-2023-25155)
|
|
||||||
|
|
||||||
Issue happens when passing a negative long value that greater than
|
|
||||||
the max positive value that the long can store.
|
|
||||||
---
|
|
||||||
src/t_hash.c | 4 ++--
|
|
||||||
src/t_set.c | 2 +-
|
|
||||||
src/t_zset.c | 4 ++--
|
|
||||||
tests/unit/type/hash.tcl | 2 ++
|
|
||||||
tests/unit/type/set.tcl | 5 +++++
|
|
||||||
tests/unit/type/zset.tcl | 2 ++
|
|
||||||
6 files changed, 14 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/t_hash.c b/src/t_hash.c
|
|
||||||
index 754315080..f4ddccc62 100644
|
|
||||||
--- a/src/t_hash.c
|
|
||||||
+++ b/src/t_hash.c
|
|
||||||
@@ -1120,13 +1120,13 @@ void hrandfieldCommand(client *c) {
|
|
||||||
listpackEntry ele;
|
|
||||||
|
|
||||||
if (c->argc >= 3) {
|
|
||||||
- if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
|
|
||||||
+ if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
|
|
||||||
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) {
|
|
||||||
addReplyErrorObject(c,shared.syntaxerr);
|
|
||||||
return;
|
|
||||||
} else if (c->argc == 4) {
|
|
||||||
withvalues = 1;
|
|
||||||
- if (l < LONG_MIN/2 || l > LONG_MAX/2) {
|
|
||||||
+ if (l < -LONG_MAX/2 || l > LONG_MAX/2) {
|
|
||||||
addReplyError(c,"value is out of range");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
diff --git a/src/t_set.c b/src/t_set.c
|
|
||||||
index b01729f0a..dff66d052 100644
|
|
||||||
--- a/src/t_set.c
|
|
||||||
+++ b/src/t_set.c
|
|
||||||
@@ -665,7 +665,7 @@ void srandmemberWithCountCommand(client *c) {
|
|
||||||
|
|
||||||
dict *d;
|
|
||||||
|
|
||||||
- if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
|
|
||||||
+ if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
|
|
||||||
if (l >= 0) {
|
|
||||||
count = (unsigned long) l;
|
|
||||||
} else {
|
|
||||||
diff --git a/src/t_zset.c b/src/t_zset.c
|
|
||||||
index 3cd2d2438..a9b5031ea 100644
|
|
||||||
--- a/src/t_zset.c
|
|
||||||
+++ b/src/t_zset.c
|
|
||||||
@@ -4289,13 +4289,13 @@ void zrandmemberCommand(client *c) {
|
|
||||||
listpackEntry ele;
|
|
||||||
|
|
||||||
if (c->argc >= 3) {
|
|
||||||
- if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
|
|
||||||
+ if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
|
|
||||||
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) {
|
|
||||||
addReplyErrorObject(c,shared.syntaxerr);
|
|
||||||
return;
|
|
||||||
} else if (c->argc == 4) {
|
|
||||||
withscores = 1;
|
|
||||||
- if (l < LONG_MIN/2 || l > LONG_MAX/2) {
|
|
||||||
+ if (l < -LONG_MAX/2 || l > LONG_MAX/2) {
|
|
||||||
addReplyError(c,"value is out of range");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
diff --git a/tests/unit/type/hash.tcl b/tests/unit/type/hash.tcl
|
|
||||||
index fcb42e81e..4edb146ed 100644
|
|
||||||
--- a/tests/unit/type/hash.tcl
|
|
||||||
+++ b/tests/unit/type/hash.tcl
|
|
||||||
@@ -74,6 +74,8 @@ start_server {tags {"hash"}} {
|
|
||||||
test "HRANDFIELD count overflow" {
|
|
||||||
r hmset myhash a 1
|
|
||||||
assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues}
|
|
||||||
+ assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808 withvalues}
|
|
||||||
+ assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808}
|
|
||||||
} {}
|
|
||||||
|
|
||||||
test "HRANDFIELD with <count> against non existing key" {
|
|
||||||
diff --git a/tests/unit/type/set.tcl b/tests/unit/type/set.tcl
|
|
||||||
index 30b6dc5d7..5257dccea 100644
|
|
||||||
--- a/tests/unit/type/set.tcl
|
|
||||||
+++ b/tests/unit/type/set.tcl
|
|
||||||
@@ -645,6 +645,11 @@ start_server {
|
|
||||||
r srandmember nonexisting_key 100
|
|
||||||
} {}
|
|
||||||
|
|
||||||
+ test "SRANDMEMBER count overflow" {
|
|
||||||
+ r sadd myset a
|
|
||||||
+ assert_error {*value is out of range*} {r srandmember myset -9223372036854775808}
|
|
||||||
+ } {}
|
|
||||||
+
|
|
||||||
# Make sure we can distinguish between an empty array and a null response
|
|
||||||
r readraw 1
|
|
||||||
|
|
||||||
diff --git a/tests/unit/type/zset.tcl b/tests/unit/type/zset.tcl
|
|
||||||
index a758aee46..88c0bcb43 100644
|
|
||||||
--- a/tests/unit/type/zset.tcl
|
|
||||||
+++ b/tests/unit/type/zset.tcl
|
|
||||||
@@ -2303,6 +2303,8 @@ start_server {tags {"zset"}} {
|
|
||||||
test "ZRANDMEMBER count overflow" {
|
|
||||||
r zadd myzset 0 a
|
|
||||||
assert_error {*value is out of range*} {r zrandmember myzset -9223372036854770000 withscores}
|
|
||||||
+ assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808 withscores}
|
|
||||||
+ assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808}
|
|
||||||
} {}
|
|
||||||
|
|
||||||
# Make sure we can distinguish between an empty array and a null response
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
@ -1,88 +0,0 @@
|
|||||||
From 0825552565e5fdab2e87950579c4f0bedded3e3c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tom Levy <tomlevy93@gmail.com>
|
|
||||||
Date: Tue, 21 Feb 2023 15:14:30 +0200
|
|
||||||
Subject: [PATCH] String pattern matching had exponential time complexity on
|
|
||||||
pathological patterns (CVE-2022-36021)
|
|
||||||
|
|
||||||
Authenticated users can use string matching commands with a
|
|
||||||
specially crafted pattern to trigger a denial-of-service attack on Redis,
|
|
||||||
causing it to hang and consume 100% CPU time.
|
|
||||||
---
|
|
||||||
src/util.c | 27 +++++++++++++++++++++++----
|
|
||||||
tests/unit/keyspace.tcl | 6 ++++++
|
|
||||||
2 files changed, 29 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/util.c b/src/util.c
|
|
||||||
index e1524b5e3..8ce2c5fca 100644
|
|
||||||
--- a/src/util.c
|
|
||||||
+++ b/src/util.c
|
|
||||||
@@ -50,8 +50,8 @@
|
|
||||||
#include "config.h"
|
|
||||||
|
|
||||||
/* Glob-style pattern matching. */
|
|
||||||
-int stringmatchlen(const char *pattern, int patternLen,
|
|
||||||
- const char *string, int stringLen, int nocase)
|
|
||||||
+static int stringmatchlen_impl(const char *pattern, int patternLen,
|
|
||||||
+ const char *string, int stringLen, int nocase, int *skipLongerMatches)
|
|
||||||
{
|
|
||||||
while(patternLen && stringLen) {
|
|
||||||
switch(pattern[0]) {
|
|
||||||
@@ -63,12 +63,25 @@ int stringmatchlen(const char *pattern, int patternLen,
|
|
||||||
if (patternLen == 1)
|
|
||||||
return 1; /* match */
|
|
||||||
while(stringLen) {
|
|
||||||
- if (stringmatchlen(pattern+1, patternLen-1,
|
|
||||||
- string, stringLen, nocase))
|
|
||||||
+ if (stringmatchlen_impl(pattern+1, patternLen-1,
|
|
||||||
+ string, stringLen, nocase, skipLongerMatches))
|
|
||||||
return 1; /* match */
|
|
||||||
+ if (*skipLongerMatches)
|
|
||||||
+ return 0; /* no match */
|
|
||||||
string++;
|
|
||||||
stringLen--;
|
|
||||||
}
|
|
||||||
+ /* There was no match for the rest of the pattern starting
|
|
||||||
+ * from anywhere in the rest of the string. If there were
|
|
||||||
+ * any '*' earlier in the pattern, we can terminate the
|
|
||||||
+ * search early without trying to match them to longer
|
|
||||||
+ * substrings. This is because a longer match for the
|
|
||||||
+ * earlier part of the pattern would require the rest of the
|
|
||||||
+ * pattern to match starting later in the string, and we
|
|
||||||
+ * have just determined that there is no match for the rest
|
|
||||||
+ * of the pattern starting from anywhere in the current
|
|
||||||
+ * string. */
|
|
||||||
+ *skipLongerMatches = 1;
|
|
||||||
return 0; /* no match */
|
|
||||||
break;
|
|
||||||
case '?':
|
|
||||||
@@ -170,6 +183,12 @@ int stringmatchlen(const char *pattern, int patternLen,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int stringmatchlen(const char *pattern, int patternLen,
|
|
||||||
+ const char *string, int stringLen, int nocase) {
|
|
||||||
+ int skipLongerMatches = 0;
|
|
||||||
+ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int stringmatch(const char *pattern, const char *string, int nocase) {
|
|
||||||
return stringmatchlen(pattern,strlen(pattern),string,strlen(string),nocase);
|
|
||||||
}
|
|
||||||
diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
|
|
||||||
index f5f971140..437f71fa1 100644
|
|
||||||
--- a/tests/unit/keyspace.tcl
|
|
||||||
+++ b/tests/unit/keyspace.tcl
|
|
||||||
@@ -489,4 +489,10 @@ start_server {tags {"keyspace"}} {
|
|
||||||
r keys *
|
|
||||||
r keys *
|
|
||||||
} {dlskeriewrioeuwqoirueioqwrueoqwrueqw}
|
|
||||||
+
|
|
||||||
+ test {Regression for pattern matching long nested loops} {
|
|
||||||
+ r flushdb
|
|
||||||
+ r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
|
|
||||||
+ r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
|
|
||||||
+ } {}
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
3
redis-7.0.10.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:1dee4c6487341cae7bd6432ff7590906522215a061fdef87c7d040a0cb600131
|
||||||
|
size 2986993
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:06a339e491306783dcf55b97f15a5dbcbdc01ccbde6dc23027c475cab735e914
|
|
||||||
size 2981212
|
|
@ -1,3 +1,45 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Mar 20 21:22:02 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
|
||||||
|
|
||||||
|
- redis 7.0.10
|
||||||
|
* CVE-2023-28425: Specially crafted MSETNX command can lead to
|
||||||
|
assertion and denial-of-service (boo#1209528)
|
||||||
|
* Large blocks of replica client output buffer may lead to psync
|
||||||
|
loops and unnecessary memory usage
|
||||||
|
* Fix CLIENT REPLY OFF|SKIP to not silence push notifications
|
||||||
|
* Trim excessive memory usage in stream nodes when exceeding
|
||||||
|
`stream-node-max-bytes`
|
||||||
|
* Fix module RM_Call commands failing with OOM when maxmemory is
|
||||||
|
changed to zero
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Mar 20 21:16:24 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
|
||||||
|
|
||||||
|
- redis 7.0.9
|
||||||
|
* CVE-2023-25155: Specially crafted SRANDMEMBER, ZRANDMEMBER, and
|
||||||
|
HRANDFIELD commands can trigger an integer overflow, resulting
|
||||||
|
in a runtime assertion and termination of the Redis server
|
||||||
|
process. Previously patched, drop
|
||||||
|
Integer-Overflow-in-RAND-commands-can-lead-to-assert.patch
|
||||||
|
* CVE-2022-36021: String matching commands (like SCAN or KEYS)
|
||||||
|
with a specially crafted pattern to trigger a denial-of-service
|
||||||
|
attack on Redis, causing it to hang and consume 100% CPU time.
|
||||||
|
Previously upatched, drop
|
||||||
|
String-pattern-matching-had-exponential-time-complex.patch
|
||||||
|
* Fix a crash when reaching the maximum invalidations limit of
|
||||||
|
client-side tracking
|
||||||
|
* Fix a crash when SPUBLISH is used after passing the
|
||||||
|
cluster-link-sendbuf-limit
|
||||||
|
* Fix possible memory corruption in FLUSHALL when a client
|
||||||
|
watches more than one key
|
||||||
|
* Fix cluster inbound link keepalive time
|
||||||
|
* Flush propagation list in active-expire of writable replicas to
|
||||||
|
fix an assertion
|
||||||
|
* Avoid propagating DEL of lazy expire from SCAN and RANDOMKEY as
|
||||||
|
MULTI-EXEC
|
||||||
|
* Avoid realloc to reduce size of strings when it is unneeded
|
||||||
|
* Improve CLUSTER SLOTS reply efficiency for non-continuous slots
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Mar 1 16:29:28 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>
|
Wed Mar 1 16:29:28 UTC 2023 - Valentin Lefebvre <valentin.lefebvre@suse.com>
|
||||||
|
|
||||||
|
@ -148,3 +148,9 @@ hash redis-7.0.6.tar.gz sha256 7b33a7e890d13e27af1f246acb16312669ad8a1d56ce8f807
|
|||||||
hash redis-7.0.7.tar.gz sha256 8d327d7e887d1bb308fc37aaf717a0bf79f58129e3739069aaeeae88955ac586 http://download.redis.io/releases/redis-7.0.7.tar.gz
|
hash redis-7.0.7.tar.gz sha256 8d327d7e887d1bb308fc37aaf717a0bf79f58129e3739069aaeeae88955ac586 http://download.redis.io/releases/redis-7.0.7.tar.gz
|
||||||
hash redis-7.0.8.tar.gz sha256 06a339e491306783dcf55b97f15a5dbcbdc01ccbde6dc23027c475cab735e914 http://download.redis.io/releases/redis-7.0.8.tar.gz
|
hash redis-7.0.8.tar.gz sha256 06a339e491306783dcf55b97f15a5dbcbdc01ccbde6dc23027c475cab735e914 http://download.redis.io/releases/redis-7.0.8.tar.gz
|
||||||
hash redis-6.2.9.tar.gz sha256 9661b2c6b1cc9bf2999471b37a4d759fa5e747d408142c18af8792ebd8384a2a http://download.redis.io/releases/redis-6.2.9.tar.gz
|
hash redis-6.2.9.tar.gz sha256 9661b2c6b1cc9bf2999471b37a4d759fa5e747d408142c18af8792ebd8384a2a http://download.redis.io/releases/redis-6.2.9.tar.gz
|
||||||
|
hash redis-6.0.17.tar.gz sha256 ad50bf7c6bf98d7bf3c626bdd5588368f52c82c8d41869cca024455f651e7bfc http://download.redis.io/releases/redis-6.0.17.tar.gz
|
||||||
|
hash redis-6.2.10.tar.gz sha256 22684f66d272379b91e3e53693918b535e2a6e54b9d14e1cad171658e0eefeca http://download.redis.io/releases/redis-6.2.10.tar.gz
|
||||||
|
hash redis-6.0.18.tar.gz sha256 d7b4f2a97fcab96727284092b0a4aa854af47d570803fa0e7a0345359743836e http://download.redis.io/releases/redis-6.0.18.tar.gz
|
||||||
|
hash redis-6.2.11.tar.gz sha256 8c75fb9cdd01849e92c23f30cb7fe205ea0032a38d11d46af191014e9acc3098 http://download.redis.io/releases/redis-6.2.11.tar.gz
|
||||||
|
hash redis-7.0.9.tar.gz sha256 f77135c2a47c9151d4028bfea3b34470ab4d324d1484f79a84c6f32a3cfb9f65 http://download.redis.io/releases/redis-7.0.9.tar.gz
|
||||||
|
hash redis-7.0.10.tar.gz sha256 1dee4c6487341cae7bd6432ff7590906522215a061fdef87c7d040a0cb600131 http://download.redis.io/releases/redis-7.0.10.tar.gz
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
%define _log_dir %{_localstatedir}/log/%{name}
|
%define _log_dir %{_localstatedir}/log/%{name}
|
||||||
%define _conf_dir %{_sysconfdir}/%{name}
|
%define _conf_dir %{_sysconfdir}/%{name}
|
||||||
Name: redis
|
Name: redis
|
||||||
Version: 7.0.8
|
Version: 7.0.10
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Persistent key-value database
|
Summary: Persistent key-value database
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
@ -40,10 +40,6 @@ Source10: https://raw.githubusercontent.com/redis/redis-hashes/master/READ
|
|||||||
Patch0: %{name}-conf.patch
|
Patch0: %{name}-conf.patch
|
||||||
Patch3: reproducible.patch
|
Patch3: reproducible.patch
|
||||||
Patch4: ppc-atomic.patch
|
Patch4: ppc-atomic.patch
|
||||||
# PATCH-FIX-UPSTREAM -- based on commit 0825552 (bsc#1208790 CVE-2022-36021)
|
|
||||||
Patch5: String-pattern-matching-had-exponential-time-complex.patch
|
|
||||||
# PATCH-FIX-UPSTREAM -- based on commit 2a2a582 (bsc#1208793 CVE-2023-25155)
|
|
||||||
Patch6: Integer-Overflow-in-RAND-commands-can-lead-to-assert.patch
|
|
||||||
BuildRequires: jemalloc-devel
|
BuildRequires: jemalloc-devel
|
||||||
BuildRequires: libopenssl-devel >= 1.1.1
|
BuildRequires: libopenssl-devel >= 1.1.1
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
@ -71,8 +67,6 @@ echo "`grep -F %{name}-%{version}.tar.gz %{SOURCE10} | cut -d' ' -f4` %{SOURCE0
|
|||||||
%patch0
|
%patch0
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
|
||||||
%patch6 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export HOST=OBS # for reproducible builds
|
export HOST=OBS # for reproducible builds
|
||||||
|
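Review bot: Dropping `Patch5`/`Patch6` in the `@ -40,10 +40,6 @@` hunk also drops the only lines in this spec that tie CVE-2022-36021 and CVE-2023-25155 to bsc#1208790 and bsc#1208793, and the new 7.0.9 changelog entry on this page names the two CVEs without those bug numbers. Unless an earlier changelog entry outside this view already carries them, I would add the references where the patches are dropped, e.g. `* CVE-2023-25155 (bsc#1208793): Specially crafted SRANDMEMBER, ...` and `* CVE-2022-36021 (bsc#1208790): String matching commands ...`, so the fixes stay traceable once the patch files are gone. The `%patch5 -p1` / `%patch6 -p1` removals in the last hunk are consistent with the removed `Patch` tags.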