diff --git a/CVE-2013-7458.patch b/CVE-2013-7458.patch new file mode 100644 index 0000000..bd98d18 --- /dev/null +++ b/CVE-2013-7458.patch @@ -0,0 +1,47 @@ +From 71536684a788dc859e42132a2c5a2b7373414375 Mon Sep 17 00:00:00 2001 +From: antirez +Date: Fri, 29 Jul 2016 11:28:16 +0200 +Subject: [PATCH] Update linenoise to fix insecure redis-cli history file + creation. + +The problem was fixed in antirez/linenoise repository applying a patch +contributed by @lamby. Here the new version is updated in the Redis +source tree. + +Close #1418 +Close #3322 +--- + deps/linenoise/linenoise.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/deps/linenoise/linenoise.c b/deps/linenoise/linenoise.c +index a807d9b..fce14a7 100644 +--- a/deps/linenoise/linenoise.c ++++ b/deps/linenoise/linenoise.c +@@ -111,6 +111,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1160,10 +1161,14 @@ int linenoiseHistorySetMaxLen(int len) { + /* Save the history in the specified file. On success 0 is returned + * otherwise -1 is returned. */ + int linenoiseHistorySave(const char *filename) { +- FILE *fp = fopen(filename,"w"); ++ mode_t old_umask = umask(S_IXUSR|S_IRWXG|S_IRWXO); ++ FILE *fp; + int j; + ++ fp = fopen(filename,"w"); ++ umask(old_umask); + if (fp == NULL) return -1; ++ chmod(filename,S_IRUSR|S_IWUSR); + for (j = 0; j < history_len; j++) + fprintf(fp,"%s\n",history[j]); + fclose(fp); +-- +2.6.6 + diff --git a/redis-3.2.1.tar.gz b/redis-3.2.1.tar.gz deleted file mode 100644 index 33ed54d..0000000 --- a/redis-3.2.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:df7bfb7b527d99981eba3912ae22703764eb19adda1357818188b22fdd09d5c9 -size 1534696 diff --git a/redis-3.2.2.tar.gz b/redis-3.2.2.tar.gz new file mode 100644 index 0000000..c34c7c8 --- /dev/null +++ b/redis-3.2.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:05cf63502b2248b5d39588962100bfa4fcb47dabd56931a8cb60b301b1d8daea +size 1541030 diff --git a/redis.changes b/redis.changes index a685a44..31bc75f 100644 --- a/redis.changes +++ b/redis.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Sat Jul 30 10:06:22 UTC 2016 - astieger@suse.com + +- Fix CVE-2013-7458: unsafe permissions of command line history + boo#991250, adding CVE-2013-7458.patch + +------------------------------------------------------------------- +Sat Jul 30 09:59:59 UTC 2016 - astieger@suse.com + +- redis 3.2.2 +- Highlight bug fixes: + * Fix Redis server and Sentinel crashes + * Fix GEORADIUS errors in reported entries +- New features: + * slaves support the slave-announce-ip and slave-announce-port + options. + * RDB check utlity is now part of Redis and uses the same RDB code + * redis-check-dump utility is now able to show certain information + about the RDB file including creating version and date. + ------------------------------------------------------------------- Wed Jun 29 12:14:42 UTC 2016 - rmaliska@suse.com diff --git a/redis.spec b/redis.spec index 77e77a1..0007479 100644 --- a/redis.spec +++ b/redis.spec @@ -25,7 +25,7 @@ %bcond_with systemd %endif Name: redis -Version: 3.2.1 +Version: 3.2.2 Release: 0 Summary: Persistent key-value database License: BSD-3-Clause @@ -42,6 +42,7 @@ Patch0: %{name}-initscript.patch # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch1: %{name}-conf.patch Patch2: redis-enable-bactrace-on-x86-and-ia64-only.patch +Patch3: CVE-2013-7458.patch BuildRequires: pkgconfig BuildRequires: procps BuildRequires: tcl @@ -69,6 +70,7 @@ different kind of sorting abilities. %patch0 %patch1 %patch2 +%patch3 -p1 %build make %{?_smp_mflags} CFLAGS="%{optflags}" V=1