!113 [sync] PR-112: Fix CVE-2023-45145,CVE-2024-31228 and CVE-2024-31449

From: @openeuler-sync-bot Reviewed-by: @wang--ge Signed-off-by: @wang--ge
2024-10-16 02:12:40 +00:00 · 2024-10-16 02:12:40 +00:00 · facc01d9b1
commit facc01d9b1
parent 719b085193 6f8341aa15
4 changed files with 182 additions and 1 deletions
--- a/CVE-2023-45145.patch
+++ b/CVE-2023-45145.patch
@ -0,0 +1,66 @@
+From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001
+From: Yossi Gottlieb <yossigo@gmail.com>
+Date: Wed, 11 Oct 2023 22:45:34 +0300
+Subject: [PATCH] Fix issue of listen before chmod on Unix sockets
+ (CVE-2023-45145)
+
+Before this commit, Unix socket setup performed chmod(2) on the socket
+file after calling listen(2). Depending on what umask is used, this
+could leave the file with the wrong permissions for a short period of
+time. As a result, another process could exploit this race condition and
+establish a connection that would otherwise not be possible.
+
+We now make sure the socket permissions are set up prior to calling
+listen(2).
+
+(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42)
+---
+ src/anet.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/anet.c b/src/anet.c
+index dc88eb7..d0db80f 100644
+--- a/src/anet.c
+++ b/src/anet.c
+@@ -437,13 +437,16 @@ int anetWrite(int fd, char *buf, int count)
+     return totlen;
+ }
+ 
+-static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog) {
+static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog, mode_t perm) {
+     if (bind(s,sa,len) == -1) {
+         anetSetError(err, "bind: %s", strerror(errno));
+         close(s);
+         return ANET_ERR;
+     }
+ 
+    if (sa->sa_family == AF_LOCAL && perm)
+        chmod(((struct sockaddr_un *) sa)->sun_path, perm);
+
+     if (listen(s, backlog) == -1) {
+         anetSetError(err, "listen: %s", strerror(errno));
+         close(s);
+@@ -484,7 +487,7 @@ static int _anetTcpServer(char *err, int port, char *bindaddr, int af, int backl
+ 
+         if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error;
+         if (anetSetReuseAddr(err,s) == ANET_ERR) goto error;
+-        if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR;
+        if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR;
+         goto end;
+     }
+     if (p == NULL) {
+@@ -521,10 +524,8 @@ int anetUnixServer(char *err, char *path, mode_t perm, int backlog)
+     memset(&sa,0,sizeof(sa));
+     sa.sun_family = AF_LOCAL;
+     strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1);
+-    if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR)
+    if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR)
+         return ANET_ERR;
+-    if (perm)
+-        chmod(sa.sun_path, perm);
+     return s;
+ }
+ 
+-- 
+2.33.0
+
--- a/CVE-2024-31228.patch
+++ b/CVE-2024-31228.patch
@ -0,0 +1,63 @@
+From c8649f8e852d1dc388b5446e003bb0eefa33d61f Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Wed, 2 Oct 2024 20:11:01 +0300
+Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228)
+
+---
+ src/util.c              | 9 ++++++---
+ tests/unit/keyspace.tcl | 6 ++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 861ef67..0f5e8e1 100644
+--- a/src/util.c
+++ b/src/util.c
+@@ -45,8 +45,11 @@
+ 
+ /* Glob-style pattern matching. */
+ static int stringmatchlen_impl(const char *pattern, int patternLen,
+-        const char *string, int stringLen, int nocase, int *skipLongerMatches)
+        const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
+ {
+    /* Protection against abusive patterns. */
+    if (nesting > 1000) return 0;
+
+     while(patternLen && stringLen) {
+         switch(pattern[0]) {
+         case '*':
+@@ -58,7 +61,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+                 return 1; /* match */
+             while(stringLen) {
+                if (stringmatchlen_impl(pattern+1, patternLen-1,
+-                            string, stringLen, nocase, skipLongerMatches))
+                            string, stringLen, nocase, skipLongerMatches, nesting+1))
+                     return 1; /* match */
+                if (*skipLongerMatches)
+                     return 0; /* no match */
+@@ -181,7 +184,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ int stringmatchlen(const char *pattern, int patternLen,
+         const char *string, int stringLen, int nocase) {
+     int skipLongerMatches = 0;
+-    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
+    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
+ }
+ 
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index 1617ac5..2217b29 100644
+--- a/tests/unit/keyspace.tcl
+++ b/tests/unit/keyspace.tcl
+@@ -278,4 +278,10 @@ start_server {tags {"keyspace"}} {
+         r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+         r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+     } {}
+
+    test {Regression for pattern matching very long nested loops} {
+        r flushdb
+        r SET [string repeat "a" 50000] 1
+        r KEYS [string repeat "*?" 50000]
+    } {}
+ }
+-- 
+2.33.0
+
--- a/CVE-2024-31449.patch
+++ b/CVE-2024-31449.patch
@ -0,0 +1,43 @@
+From fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Wed, 2 Oct 2024 19:54:06 +0300
+Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449)
+
+INT_MIN value must be explicitly checked, and cannot be negated.
+---
+ deps/lua/src/lua_bit.c   | 1 +
+ tests/unit/scripting.tcl | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
+index 690df7d..a459ca9 100644
+--- a/deps/lua/src/lua_bit.c
+++ b/deps/lua/src/lua_bit.c
+@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L)
+   const char *hexdigits = "0123456789abcdef";
+   char buf[8];
+   int i;
+  if (n == INT32_MIN) n = INT32_MIN+1;
+   if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
+   if (n > 8) n = 8;
+   for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index d747fa6..a7e1e9e 100644
+--- a/tests/unit/scripting.tcl
+++ b/tests/unit/scripting.tcl
+@@ -459,6 +459,12 @@ start_server {tags {"scripting"}} {
+         set e
+     } {*ERR*attempted to create global*}
+ 
+    test {lua bit.tohex bug} {
+        set res [run_script {return bit.tohex(65535, -2147483648)} 0]
+        r ping
+        set res
+    } {0000FFFF}
+
+     test {Test an example script DECR_IF_GT} {
+         set decr_if_gt {
+             local current
+-- 
+2.33.0
+
--- a/redis.spec
+++ b/redis.spec
@ -1,6 +1,6 @@
 Name:           redis
 Version:        4.0.14
-Release:        6
+Release:        7
 Summary:        A persistent key-value database
 License:        BSD-3-Clause and MIT
 URL:            https://redis.io
@ -22,6 +22,9 @@ Patch0010:      CVE-2021-32672.patch
 Patch0011:      CVE-2022-36021.patch
 Patch0012:      CVE-2023-28856.patch
 Patch0013:      CVE-2022-24834.patch
+Patch0014:      CVE-2023-45145.patch
+Patch0015:      CVE-2024-31228.patch
+Patch0016:      CVE-2024-31449.patch

 BuildRequires:     systemd gcc
 Requires:          /bin/awk
@ -52,6 +55,9 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %patch0011 -p1
 %patch0012 -p1
 %patch0013 -p1
+%patch0014 -p1
+%patch0015 -p1
+%patch0016 -p1
 %ifarch loongarch64
 %_update_config_guess
 %_update_config_sub
@ -113,6 +119,9 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service

 %changelog
+* Wed Oct 09 2024 yaoxin <yao_xin001@hoperun.com> - 4.0.14-7
+- Fix CVE-2023-45145,CVE-2024-31228 and CVE-2024-31449
+
 * Mon Jul 31 2023 wangkai <13474090681@163.com> - 4.0.14-6
 - Fix CVE-2022-24834