SHA256
1
0
forked from pool/redis

Accepting request 416021 from home:AndreasStieger:branches:server:database

redis 3.2.2, also fix CVE-2013-7458 boo#991250

OBS-URL: https://build.opensuse.org/request/show/416021
OBS-URL: https://build.opensuse.org/package/show/server:database/redis?expand=0&rev=80
This commit is contained in:
Martin Pluskal 2016-07-30 10:45:11 +00:00 committed by Git OBS Bridge
parent 6f41589cf8
commit 5761bc737c
5 changed files with 73 additions and 4 deletions

47
CVE-2013-7458.patch Normal file
View File

@ -0,0 +1,47 @@
From 71536684a788dc859e42132a2c5a2b7373414375 Mon Sep 17 00:00:00 2001
From: antirez <antirez@gmail.com>
Date: Fri, 29 Jul 2016 11:28:16 +0200
Subject: [PATCH] Update linenoise to fix insecure redis-cli history file
creation.
The problem was fixed in antirez/linenoise repository applying a patch
contributed by @lamby. Here the new version is updated in the Redis
source tree.
Close #1418
Close #3322
---
deps/linenoise/linenoise.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/deps/linenoise/linenoise.c b/deps/linenoise/linenoise.c
index a807d9b..fce14a7 100644
--- a/deps/linenoise/linenoise.c
+++ b/deps/linenoise/linenoise.c
@@ -111,6 +111,7 @@
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
+#include <sys/stat.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <unistd.h>
@@ -1160,10 +1161,14 @@ int linenoiseHistorySetMaxLen(int len) {
/* Save the history in the specified file. On success 0 is returned
* otherwise -1 is returned. */
int linenoiseHistorySave(const char *filename) {
- FILE *fp = fopen(filename,"w");
+ mode_t old_umask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
+ FILE *fp;
int j;
+ fp = fopen(filename,"w");
+ umask(old_umask);
if (fp == NULL) return -1;
+ chmod(filename,S_IRUSR|S_IWUSR);
for (j = 0; j < history_len; j++)
fprintf(fp,"%s\n",history[j]);
fclose(fp);
--
2.6.6

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:df7bfb7b527d99981eba3912ae22703764eb19adda1357818188b22fdd09d5c9
size 1534696

3
redis-3.2.2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:05cf63502b2248b5d39588962100bfa4fcb47dabd56931a8cb60b301b1d8daea
size 1541030

View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Sat Jul 30 10:06:22 UTC 2016 - astieger@suse.com
- Fix CVE-2013-7458: unsafe permissions of command line history
boo#991250, adding CVE-2013-7458.patch
-------------------------------------------------------------------
Sat Jul 30 09:59:59 UTC 2016 - astieger@suse.com
- redis 3.2.2
- Highlight bug fixes:
* Fix Redis server and Sentinel crashes
* Fix GEORADIUS errors in reported entries
- New features:
* slaves support the slave-announce-ip and slave-announce-port
options.
* RDB check utlity is now part of Redis and uses the same RDB code
* redis-check-dump utility is now able to show certain information
about the RDB file including creating version and date.
-------------------------------------------------------------------
Wed Jun 29 12:14:42 UTC 2016 - rmaliska@suse.com

View File

@ -25,7 +25,7 @@
%bcond_with systemd
%endif
Name: redis
Version: 3.2.1
Version: 3.2.2
Release: 0
Summary: Persistent key-value database
License: BSD-3-Clause
@ -42,6 +42,7 @@ Patch0: %{name}-initscript.patch
# PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines
Patch1: %{name}-conf.patch
Patch2: redis-enable-bactrace-on-x86-and-ia64-only.patch
Patch3: CVE-2013-7458.patch
BuildRequires: pkgconfig
BuildRequires: procps
BuildRequires: tcl
@ -69,6 +70,7 @@ different kind of sorting abilities.
%patch0
%patch1
%patch2
%patch3 -p1
%build
make %{?_smp_mflags} CFLAGS="%{optflags}" V=1