Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package hiredis for openSUSE:Factory checked 
in at 2021-10-08 00:06:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/hiredis (Old)
 and      /work/SRC/openSUSE:Factory/.hiredis.new.2443 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "hiredis"

Fri Oct  8 00:06:04 2021 rev:9 rq:923651 version:1.0.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/hiredis/hiredis.changes  2020-10-08 
13:14:37.679305184 +0200
+++ /work/SRC/openSUSE:Factory/.hiredis.new.2443/hiredis.changes        
2021-10-08 00:07:00.253850330 +0200
@@ -1,0 +2,7 @@
+Wed Oct  6 20:11:38 UTC 2021 - Andreas Stieger <[email protected]>
+
+- hiredis 1.0.1:
+  * CVE-2021-32765: integer overflow if provided maliciously
+    crafted or corrupted RESP mult-bulk protocol data boo#1191331
+
+-------------------------------------------------------------------
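Review bot: typo in the new entry, "RESP mult-bulk" should read "RESP multi-bulk" (the test added by this update also spells it "Multi-bulk"). The entry is also incomplete as a record of the request: the spec change in the same submission replaces the `libopenssl-devel` BuildRequires with `pkgconfig(libcrypto)` and `pkgconfig(libssl)`, and bumps the shared-library subpackage name from `lib%{name}1_0_0` to `lib%{name}1_0_1`; both are worth a line here so that downstream readers of the changelog know a rebuild of dependents is implied, not just a security fix.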

Old:
----
  v1.0.0.tar.gz

New:
----
  v1.0.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ hiredis.spec ++++++
--- /var/tmp/diff_new_pack.STwLz9/_old  2021-10-08 00:07:00.733851143 +0200
+++ /var/tmp/diff_new_pack.STwLz9/_new  2021-10-08 00:07:00.737851150 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package hiredis
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,9 +16,9 @@
 #
 
 
-%global libname lib%{name}1_0_0
+%global libname lib%{name}1_0_1
 Name:           hiredis
-Version:        1.0.0
+Version:        1.0.1
 Release:        0
 Summary:        Minimalistic C client for Redis
 License:        BSD-3-Clause
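Review bot: the shared-library subpackage name changes from `lib%{name}1_0_0` to `lib%{name}1_0_1`, which follows upstream's `HIREDIS_SONAME 1.0.1` bump in hiredis.h. Because upstream changes the SONAME on a pure bug-fix release, every package that links libhiredis will need a rebuild against the renamed library; please make sure the dependent packages are rebuilt and checked in the same staging so the old `lib...1_0_0` package does not linger unresolvable.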
@@ -27,7 +27,8 @@
 Source0:        https://github.com/redis/hiredis/archive/v%{version}.tar.gz
 Patch0:         relocatable_executable.patch
 BuildRequires:  pkgconfig
-BuildRequires:  libopenssl-devel
+BuildRequires:  pkgconfig(libcrypto)
+BuildRequires:  pkgconfig(libssl)
 
 %description
 Hiredis is a minimalistic C client library for the

++++++ v1.0.0.tar.gz -> v1.0.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/hiredis-1.0.0/CHANGELOG.md 
new/hiredis-1.0.1/CHANGELOG.md
--- old/hiredis-1.0.0/CHANGELOG.md      2020-08-03 20:18:07.000000000 +0200
+++ new/hiredis-1.0.1/CHANGELOG.md      2021-10-04 22:08:51.000000000 +0200
@@ -1,3 +1,13 @@
+## [1.0.1](https://github.com/redis/hiredis/tree/v1.0.1) - (2021-10-04)
+
+Announcing Hiredis v1.0.1, a security release fixing CVE-2021-32765
+
+- Fix for 
[CVE-2021-32765](https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2)
+  
[commit](https://github.com/redis/hiredis/commit/76a7b10005c70babee357a7d0f2becf28ec7ed1e)
+  ([Yossi Gottlieb](https://github.com/yossigo))
+
+_Thanks to [Yossi Gottlieb](https://github.com/yossigo) for the security fix 
and to [Microsoft Security Vulnerability 
Research](https://www.microsoft.com/en-us/msrc/msvr) for finding the bug._ 
:sparkling_heart:
+
 ## [1.0.0](https://github.com/redis/hiredis/tree/v1.0.0) - (2020-08-03)
 
 Announcing Hiredis v1.0.0, which adds support for RESP3, SSL connections, 
allocator injection, and better Windows support! :tada:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/hiredis-1.0.0/README.md new/hiredis-1.0.1/README.md
--- old/hiredis-1.0.0/README.md 2020-08-03 20:18:07.000000000 +0200
+++ new/hiredis-1.0.1/README.md 2021-10-04 22:08:51.000000000 +0200
@@ -22,6 +22,10 @@
 The library comes with multiple APIs. There is the
 *synchronous API*, the *asynchronous API* and the *reply parsing API*.
 
+## Upgrading to `1.0.1`
+
+Version 1.0.1 is simply 1.0.0 with a fix for 
[CVE-2021-32765](https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2).
  They are otherwise identical.
+
 ## Upgrading to `1.0.0`
 
 Version 1.0.0 marks the first stable release of Hiredis.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/hiredis-1.0.0/hiredis.c new/hiredis-1.0.1/hiredis.c
--- old/hiredis-1.0.0/hiredis.c 2020-08-03 20:18:07.000000000 +0200
+++ new/hiredis-1.0.1/hiredis.c 2021-10-04 22:08:51.000000000 +0200
@@ -174,6 +174,7 @@
         return NULL;
 
     if (elements > 0) {
+        if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL;  /* Don't 
overflow */
         r->element = hi_calloc(elements,sizeof(redisReply*));
         if (r->element == NULL) {
             freeReplyObject(r);
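Review bot: the new early `return NULL` in the `if (elements > 0)` block leaks `r`. The visible context shows that `r` has already been allocated at this point (the earlier `return NULL;` is the allocation-failure path before `r` exists, and the `hi_calloc` failure path right below calls `freeReplyObject(r)` before returning), so the overflow guard should do the same: `{ freeReplyObject(r); return NULL; }`. A more robust alternative is to move the `SIZE_MAX / size < nmemb` check into `hi_calloc` itself, since the injectable allocators introduced in 1.0.0 cannot be relied on to check `nmemb * size` for overflow the way libc `calloc` does; then every caller is covered, not only this one.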
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/hiredis-1.0.0/hiredis.h new/hiredis-1.0.1/hiredis.h
--- old/hiredis-1.0.0/hiredis.h 2020-08-03 20:18:07.000000000 +0200
+++ new/hiredis-1.0.1/hiredis.h 2021-10-04 22:08:51.000000000 +0200
@@ -47,8 +47,8 @@
 
 #define HIREDIS_MAJOR 1
 #define HIREDIS_MINOR 0
-#define HIREDIS_PATCH 0
-#define HIREDIS_SONAME 1.0.0
+#define HIREDIS_PATCH 1
+#define HIREDIS_SONAME 1.0.1
 
 /* Connection type can be blocking or non-blocking and is set in the
  * least significant bit of the flags field in redisContext. */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/hiredis-1.0.0/test.c new/hiredis-1.0.1/test.c
--- old/hiredis-1.0.0/test.c    2020-08-03 20:18:07.000000000 +0200
+++ new/hiredis-1.0.1/test.c    2021-10-04 22:08:51.000000000 +0200
@@ -493,6 +493,20 @@
     freeReplyObject(reply);
     redisReaderFree(reader);
 
+    test("Multi-bulk never overflows regardless of maxelements: ");
+    size_t bad_mbulk_len = (SIZE_MAX / sizeof(void *)) + 3;
+    char bad_mbulk_reply[100];
+    snprintf(bad_mbulk_reply, sizeof(bad_mbulk_reply), "*%llu\r\n+asdf\r\n",
+        (unsigned long long) bad_mbulk_len);
+
+    reader = redisReaderCreate();
+    reader->maxelements = 0;    /* Don't rely on default limit */
+    redisReaderFeed(reader, bad_mbulk_reply, strlen(bad_mbulk_reply));
+    ret = redisReaderGetReply(reader,&reply);
+    test_cond(ret == REDIS_ERR && strcasecmp(reader->errstr, "Out of memory") 
== 0);
+    freeReplyObject(reply);
+    redisReaderFree(reader);
+
 #if LLONG_MAX > SIZE_MAX
     test("Set error when array > SIZE_MAX: ");
     reader = redisReaderCreate();
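Review bot: the new test asserts on `strcasecmp(reader->errstr, "Out of memory") == 0`, which means the overflow guard is only observable as a generic allocation failure and is indistinguishable from a genuine `hi_calloc` failure. That makes the test fragile if the error text ever changes and hides which path actually fired; consider having the reader report the rejected multi-bulk length distinctly, or at least add a comment stating that "Out of memory" is the expected wording for the `SIZE_MAX / sizeof(redisReply*) < elements` rejection. Setting `reader->maxelements = 0` is the right way to make sure the default element limit does not short-circuit the test, and the existing `#if LLONG_MAX > SIZE_MAX` case below keeps covering the length-larger-than-`SIZE_MAX` path on platforms where that is representable.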
