Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package hiredis for openSUSE:Factory checked in at 2021-10-08 22:05:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/hiredis (Old)
 and      /work/SRC/openSUSE:Factory/.hiredis.new.2443 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "hiredis" Fri Oct 8 22:05:06 2021 rev:11 rq:924175 version:1.0.2 Changes: -------- --- /work/SRC/openSUSE:Factory/hiredis/hiredis.changes 2021-10-08 00:24:38.351636527 +0200 +++ /work/SRC/openSUSE:Factory/.hiredis.new.2443/hiredis.changes 2021-10-08 22:05:32.864609425 +0200 @@ -1,0 +2,13 @@ +Thu Oct 7 22:40:00 UTC 2021 - Paul Fee <[email protected]> +- hiredis 1.0.2 + * Hiredis v1.0.2 is a security release with a fix for CVE-2021-32765. + v1.0.1 erroneously bumped the SONAME so should be skipped. + +------------------------------------------------------------------- +Wed Oct 6 20:11:38 UTC 2021 - Andreas Stieger <[email protected]> + +- hiredis 1.0.1: + * CVE-2021-32765: integer overflow if provided maliciously + crafted or corrupted RESP mult-bulk protocol data boo#1191331 + +------------------------------------------------------------------- Old: ---- v1.0.0.tar.gz New: ---- v1.0.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hiredis.spec ++++++ --- /var/tmp/diff_new_pack.hbgTQh/_old 2021-10-08 22:05:33.272610096 +0200 +++ /var/tmp/diff_new_pack.hbgTQh/_new 2021-10-08 22:05:33.276610103 +0200 @@ -1,7 +1,7 @@ # # spec file for package hiredis # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %global libname lib%{name}1_0_0 Name: hiredis -Version: 1.0.0 +Version: 1.0.2 Release: 0 Summary: Minimalistic C client for Redis License: BSD-3-Clause 
@@ -27,7 +27,8 @@ Source0: https://github.com/redis/hiredis/archive/v%{version}.tar.gz Patch0: relocatable_executable.patch BuildRequires: pkgconfig -BuildRequires: libopenssl-devel +BuildRequires: pkgconfig(libcrypto) +BuildRequires: pkgconfig(libssl) %description Hiredis is a minimalistic C client library for the ++++++ v1.0.0.tar.gz -> v1.0.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiredis-1.0.0/CHANGELOG.md new/hiredis-1.0.2/CHANGELOG.md --- old/hiredis-1.0.0/CHANGELOG.md 2020-08-03 20:18:07.000000000 +0200 +++ new/hiredis-1.0.2/CHANGELOG.md 2021-10-07 19:00:14.000000000 +0200 
@@ -1,3 +1,22 @@ +## [1.0.2](https://github.com/redis/hiredis/tree/v1.0.2) - (2021-10-07) + +Announcing Hiredis v1.0.2, which fixes CVE-2021-32765 but returns the SONAME to the correct value of `1.0.0`. + +- [Revert SONAME bump](https://github.com/redis/hiredis/commit/d4e6f109a064690cde64765c654e679fea1d3548) + ([Michael Grunder](https://github.com/michael-grunder)) + +## [1.0.1](https://github.com/redis/hiredis/tree/v1.0.1) - (2021-10-04) + +<span style="color:red">This release erroneously bumped the SONAME, please use [1.0.2](https://github.com/redis/hiredis/tree/v1.0.2)</span> + +Announcing Hiredis v1.0.1, a security release fixing CVE-2021-32765 + +- Fix for [CVE-2021-32765](https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2) + [commit](https://github.com/redis/hiredis/commit/76a7b10005c70babee357a7d0f2becf28ec7ed1e) + ([Yossi Gottlieb](https://github.com/yossigo)) + +_Thanks to [Yossi Gottlieb](https://github.com/yossigo) for the security fix and to [Microsoft Security Vulnerability Research](https://www.microsoft.com/en-us/msrc/msvr) for finding the bug._ :sparkling_heart: + ## [1.0.0](https://github.com/redis/hiredis/tree/v1.0.0) - (2020-08-03) Announcing Hiredis v1.0.0, which adds support for RESP3, SSL connections, allocator injection, and better Windows support! :tada: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiredis-1.0.0/README.md new/hiredis-1.0.2/README.md --- old/hiredis-1.0.0/README.md 2020-08-03 20:18:07.000000000 +0200 +++ new/hiredis-1.0.2/README.md 2021-10-07 19:00:14.000000000 +0200 
@@ -22,6 +22,12 @@ The library comes with multiple APIs. There is the *synchronous API*, the *asynchronous API* and the *reply parsing API*. +## Upgrading to `1.0.2` + +<span style="color:red">NOTE: v1.0.1 erroneously bumped SONAME, which is why it is skipped here.</span> + +Version 1.0.2 is simply 1.0.0 with a fix for [CVE-2021-32765](https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2). They are otherwise identical. + ## Upgrading to `1.0.0` Version 1.0.0 marks the first stable release of Hiredis. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiredis-1.0.0/hiredis.c new/hiredis-1.0.2/hiredis.c --- old/hiredis-1.0.0/hiredis.c 2020-08-03 20:18:07.000000000 +0200 +++ new/hiredis-1.0.2/hiredis.c 2021-10-07 19:00:14.000000000 +0200 @@ -174,6 +174,7 @@ return NULL; if (elements > 0) { + if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL; /* Don't overflow */ r->element = hi_calloc(elements,sizeof(redisReply*)); if (r->element == NULL) { freeReplyObject(r); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiredis-1.0.0/hiredis.h new/hiredis-1.0.2/hiredis.h --- old/hiredis-1.0.0/hiredis.h 2020-08-03 20:18:07.000000000 +0200 +++ new/hiredis-1.0.2/hiredis.h 2021-10-07 19:00:14.000000000 +0200 @@ -47,7 +47,7 @@ #define HIREDIS_MAJOR 1 #define HIREDIS_MINOR 0 -#define HIREDIS_PATCH 0 +#define HIREDIS_PATCH 2 #define HIREDIS_SONAME 1.0.0 /* Connection type can be blocking or non-blocking and is set in the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiredis-1.0.0/test.c new/hiredis-1.0.2/test.c --- old/hiredis-1.0.0/test.c 2020-08-03 20:18:07.000000000 +0200 +++ new/hiredis-1.0.2/test.c 2021-10-07 19:00:14.000000000 +0200 
@@ -493,6 +493,20 @@ freeReplyObject(reply); redisReaderFree(reader); + test("Multi-bulk never overflows regardless of maxelements: "); + size_t bad_mbulk_len = (SIZE_MAX / sizeof(void *)) + 3; + char bad_mbulk_reply[100]; + snprintf(bad_mbulk_reply, sizeof(bad_mbulk_reply), "*%llu\r\n+asdf\r\n", + (unsigned long long) bad_mbulk_len); + + reader = redisReaderCreate(); + reader->maxelements = 0; /* Don't rely on default limit */ + redisReaderFeed(reader, bad_mbulk_reply, strlen(bad_mbulk_reply)); + ret = redisReaderGetReply(reader,&reply); + test_cond(ret == REDIS_ERR && strcasecmp(reader->errstr, "Out of memory") == 0); + freeReplyObject(reply); + redisReaderFree(reader); + #if LLONG_MAX > SIZE_MAX test("Set error when array > SIZE_MAX: "); reader = redisReaderCreate();
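Review bot: the 1.0.1 entry in the hiredis.changes hunk has a typo, "RESP mult-bulk protocol data" should read "multi-bulk"; the 1.0.2 entry above it does the right thing by spelling out that 1.0.1 is skipped because of the erroneous SONAME bump, which is the detail a packager reading the changelog later will need.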
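Review bot: in the hiredis.spec hunk the Version bump to 1.0.2 leaves `%global libname lib%{name}1_0_0` untouched, which is only correct because 1.0.2 reverts the SONAME bump from 1.0.1 (the hiredis.h hunk keeps `#define HIREDIS_SONAME 1.0.0`); a one-line comment next to libname saying it tracks HIREDIS_SONAME rather than Version would save the next updater from guessing. The swap of `BuildRequires: libopenssl-devel` for `pkgconfig(libcrypto)` and `pkgconfig(libssl)` is unrelated to the CVE fix and is not mentioned in the changes file; it deserves its own line there.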
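Review bot: the new overflow guard in the hiredis.c hunk returns NULL without releasing the reply object, while the adjacent hi_calloc failure path a few lines below calls `freeReplyObject(r);` before its `return NULL;`. Since the reply was already created when the guard runs (the preceding context returns NULL only on creation failure), the early return leaks it on every malformed multi-bulk header that trips the check; the guard should read `if (SIZE_MAX / sizeof(redisReply*) < elements) { freeReplyObject(r); return NULL; }`. The condition itself is correct: it rejects any element count whose `elements * sizeof(redisReply*)` product would wrap before the allocation size is computed.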
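Review bot: the new test in the test.c hunk calls `freeReplyObject(reply)` after asserting `ret == REDIS_ERR` without checking that no reply was returned; extending the condition to `ret == REDIS_ERR && reply == NULL && strcasecmp(reader->errstr, "Out of memory") == 0` makes the contract explicit and would catch a regression where an error is reported but a partially built reply is still handed back. Setting `reader->maxelements = 0` is the right choice here, since it ensures the allocator-level guard is what rejects the `SIZE_MAX / sizeof(void *) + 3` element count rather than the reader's default element limit. The `%llu` format with the `(unsigned long long)` cast and the 100-byte buffer are adequate for the largest 64-bit value plus the `+asdf` tail.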
