From 6f8341aa15610b445c860c525c310aecb1664e0a Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 9 Oct 2024 09:32:02 +0800
Subject: [PATCH] Fix CVE-2023-45145,CVE-2024-31228 and CVE-2024-31449
(cherry picked from commit d1707e8164155222cb5e4b464497ebf32fa62df0)
---
 CVE-2023-45145.patch | 66 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2024-31228.patch | 63 ++++++++++++++++++++++++++++++++++++++++++
 CVE-2024-31449.patch | 43 +++++++++++++++++++++++++++++
 redis.spec | 11 +++++++-
 4 files changed, 182 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-45145.patch
 create mode 100644 CVE-2024-31228.patch
 create mode 100644 CVE-2024-31449.patch
diff --git a/CVE-2023-45145.patch b/CVE-2023-45145.patch
new file mode 100644
index 0000000..96e4b17
--- /dev/null
+++ b/CVE-2023-45145.patch
@@ -0,0 +1,66 @@
+From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001
+From: Yossi Gottlieb
+Date: Wed, 11 Oct 2023 22:45:34 +0300
+Subject: [PATCH] Fix issue of listen before chmod on Unix sockets
+ (CVE-2023-45145)
+
+Before this commit, Unix socket setup performed chmod(2) on the socket
+file after calling listen(2). Depending on what umask is used, this
+could leave the file with the wrong permissions for a short period of
+time. As a result, another process could exploit this race condition and
+establish a connection that would otherwise not be possible.
+
+We now make sure the socket permissions are set up prior to calling
+listen(2).
+
+(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42)
+---
+ src/anet.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/anet.c b/src/anet.c
+index dc88eb7..d0db80f 100644
+--- a/src/anet.c
++++ b/src/anet.c
+@@ -437,13 +437,16 @@ int anetWrite(int fd, char *buf, int count)
+ return totlen;
+ }
+
+-static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog) {
++static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog, mode_t perm) {
+ if (bind(s,sa,len) == -1) {
+ anetSetError(err, "bind: %s", strerror(errno));
+ close(s);
+ return ANET_ERR;
+ }
+
++ if (sa->sa_family == AF_LOCAL && perm)
++ chmod(((struct sockaddr_un *) sa)->sun_path, perm);
++
+ if (listen(s, backlog) == -1) {
+ anetSetError(err, "listen: %s", strerror(errno));
+ close(s);
+@@ -484,7 +487,7 @@ static int _anetTcpServer(char *err, int port, char *bindaddr, int af, int backl
+
+ if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error;
+ if (anetSetReuseAddr(err,s) == ANET_ERR) goto error;
+- if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR;
++ if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR;
+ goto end;
+ }
+ if (p == NULL) {
+@@ -521,10 +524,8 @@ int anetUnixServer(char *err, char *path, mode_t perm, int backlog)
+ memset(&sa,0,sizeof(sa));
+ sa.sun_family = AF_LOCAL;
+ strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1);
+- if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR)
++ if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR)
+ return ANET_ERR;
+- if (perm)
+- chmod(sa.sun_path, perm);
+ return s;
+ }
+
+--
+2.33.0
+
diff --git a/CVE-2024-31228.patch b/CVE-2024-31228.patch
new file mode 100644
index 0000000..eae6831
--- /dev/null
+++ b/CVE-2024-31228.patch
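Review bot: The new chmod() call in anetListen discards its return value, so if chmod fails (e.g. the socket path sits on a filesystem that rejects it) the code still proceeds to listen() with the umask-derived mode on the file — exactly the exposure this patch is meant to close — and the caller never learns about it. For a security-sensitive setting the safer default is to fail closed the same way the surrounding bind()/listen() error paths do: report through anetSetError, close the socket and return ANET_ERR; if the project prefers best-effort semantics, that choice should at least be stated in a comment. Note also that the mode is set by path rather than on the descriptor, so a process racing on that path could presumably still interfere; that is outside this fix but worth a note next to the call. The inner anet.c hunk ends at the listen() error path, so the rest of anetListen's body is not visible here.

```c
    if (sa->sa_family == AF_LOCAL && perm) {
        /* Set the mode before listen() so no client can connect while the
         * file still carries the umask-derived mode (CVE-2023-45145). */
        if (chmod(((struct sockaddr_un *) sa)->sun_path, perm) == -1) {
            anetSetError(err, "chmod: %s", strerror(errno));
            close(s);
            return ANET_ERR;
        }
    }
    /* … unchanged: listen() and its error handling … */
```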
@@ -0,0 +1,63 @@
+From c8649f8e852d1dc388b5446e003bb0eefa33d61f Mon Sep 17 00:00:00 2001
+From: Oran Agra
+Date: Wed, 2 Oct 2024 20:11:01 +0300
+Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228)
+
+---
+ src/util.c | 9 ++++++---
+ tests/unit/keyspace.tcl | 6 ++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 861ef67..0f5e8e1 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -45,8 +45,11 @@
+
+ /* Glob-style pattern matching. */
+ static int stringmatchlen_impl(const char *pattern, int patternLen,
+- const char *string, int stringLen, int nocase, int *skipLongerMatches)
++ const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
+ {
++ /* Protection against abusive patterns. */
++ if (nesting > 1000) return 0;
++
+ while(patternLen && stringLen) {
+ switch(pattern[0]) {
+ case '*':
+@@ -58,7 +61,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ return 1; /* match */
+ while(stringLen) {
+ if (stringmatchlen_impl(pattern+1, patternLen-1,
+- string, stringLen, nocase, skipLongerMatches))
++ string, stringLen, nocase, skipLongerMatches, nesting+1))
+ return 1; /* match */
+ if (*skipLongerMatches)
+ return 0; /* no match */
+@@ -181,7 +184,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ int stringmatchlen(const char *pattern, int patternLen,
+ const char *string, int stringLen, int nocase) {
+ int skipLongerMatches = 0;
+- return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
++ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
+ }
+
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index 1617ac5..2217b29 100644
+--- a/tests/unit/keyspace.tcl
++++ b/tests/unit/keyspace.tcl
+@@ -278,4 +278,10 @@ start_server {tags {"keyspace"}} {
+ r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+ r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+ } {}
++
++ test {Regression for pattern matching very long nested loops} {
++ r flushdb
++ r SET [string repeat "a" 50000] 1
++ r KEYS [string repeat "*?" 50000]
++ } {}
+ }
+--
+2.33.0
+
diff --git a/CVE-2024-31449.patch b/CVE-2024-31449.patch
new file mode 100644
index 0000000..4fde3b7
--- /dev/null
+++ b/CVE-2024-31449.patch
@@ -0,0 +1,43 @@
+From fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 Mon Sep 17 00:00:00 2001
+From: Oran Agra
+Date: Wed, 2 Oct 2024 19:54:06 +0300
+Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449)
+
+INT_MIN value must be explicitly checked, and cannot be negated.
+---
+ deps/lua/src/lua_bit.c | 1 +
+ tests/unit/scripting.tcl | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
+index 690df7d..a459ca9 100644
+--- a/deps/lua/src/lua_bit.c
++++ b/deps/lua/src/lua_bit.c
+@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L)
+ const char *hexdigits = "0123456789abcdef";
+ char buf[8];
+ int i;
++ if (n == INT32_MIN) n = INT32_MIN+1;
+ if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
+ if (n > 8) n = 8;
+ for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index d747fa6..a7e1e9e 100644
+--- a/tests/unit/scripting.tcl
++++ b/tests/unit/scripting.tcl
+@@ -459,6 +459,12 @@ start_server {tags {"scripting"}} {
+ set e
+ } {*ERR*attempted to create global*}
+
++ test {lua bit.tohex bug} {
++ set res [run_script {return bit.tohex(65535, -2147483648)} 0]
++ r ping
++ set res
++ } {0000FFFF}
++
+ test {Test an example script DECR_IF_GT} {
+ set decr_if_gt {
+ local current
+--
+2.33.0
+
diff --git a/redis.spec b/redis.spec
index 3050066..be46286 100644
--- a/redis.spec
+++ b/redis.spec
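Review bot: In stringmatchlen_impl the new guard `if (nesting > 1000) return 0;` silently turns a pattern that recurses too deeply into a non-match, and callers cannot tell that from a genuine mismatch; the added keyspace.tcl test bakes this in, since by glob semantics `[string repeat "*?" 50000]` would otherwise match the 50000-character key, yet the test expects `{}`. That is a defensible trade-off for a stack-exhaustion fix, but it should be stated where the limit lives, and 1000 is a magic number. I would add `#define STRINGMATCH_MAX_NESTING 1000` above the function, use it in the guard, and replace the one-line comment with `/* Protection against abusive patterns: '*' recursion deeper than this is reported as a non-match (a false negative) rather than risking stack exhaustion (CVE-2024-31228). */`. The depth only grows through the `'*'` branch visible in the second hunk; the rest of stringmatchlen_impl is outside the hunk, so I have not checked whether any other branch recurses without passing nesting along.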
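Review bot: The added line `if (n == INT32_MIN) n = INT32_MIN+1;` in bit_tohex has no comment, and the reason for it is subtle: `n = -n` on the following line is signed overflow (undefined behaviour) for INT32_MIN and on two's-complement targets typically leaves n negative, so the `if (n > 8) n = 8;` clamp never fires and a negative count presumably reaches the string push that follows the visible loop — the out-of-bounds read the CVE describes. The commit message explains this but the code should too; I would put above the new line `/* -INT32_MIN overflows (UB) and stays negative, bypassing the n > 8 clamp; bump it so the negation is defined and clamps to 8. */`. The scripting.tcl test name `lua bit.tohex bug` says nothing about what it covers; `lua bit.tohex with INT32_MIN digit count (CVE-2024-31449)` would make the regression self-describing. bit_tohex starts before the hunk and ends after it, so the string push itself is not visible here.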
@@ -1,6 +1,6 @@
 Name: redis
 Version: 4.0.14
-Release: 6
+Release: 7
 Summary: A persistent key-value database
 License: BSD-3-Clause and MIT
 URL: https://redis.io
@@ -22,6 +22,9 @@ Patch0010: CVE-2021-32672.patch
 Patch0011: CVE-2022-36021.patch
 Patch0012: CVE-2023-28856.patch
 Patch0013: CVE-2022-24834.patch
+Patch0014: CVE-2023-45145.patch
+Patch0015: CVE-2024-31228.patch
+Patch0016: CVE-2024-31449.patch
 BuildRequires: systemd gcc
 Requires: /bin/awk
@@ -52,6 +55,9 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %patch0011 -p1
 %patch0012 -p1
 %patch0013 -p1
+%patch0014 -p1
+%patch0015 -p1
+%patch0016 -p1
 %ifarch loongarch64
 %_update_config_guess
 %_update_config_sub
@@ -113,6 +119,9 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service
 %changelog
+* Wed Oct 09 2024 yaoxin - 4.0.14-7
+- Fix CVE-2023-45145,CVE-2024-31228 and CVE-2024-31449
+
 * Mon Jul 31 2023 wangkai <13474090681@163.com> - 4.0.14-6
 - Fix CVE-2022-24834