Control: tags 1106824 + patch
Control: tags 1106824 + pending
Dear maintainer,

I've prepared an NMU for valkey (versioned as 8.1.1+dfsg1-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

There is an MR prepared as well on the packaging repo, as per https://salsa.debian.org/debian/valkey/-/merge_requests/8

Regards,
Salvatore
diffstat for valkey-8.1.1+dfsg1 valkey-8.1.1+dfsg1 changelog | 8 ++ patches/0005-Incorporate-Redis-CVE-for-CVE-2025-27151-2146.patch | 39 ++++++++++ patches/series | 1 3 files changed, 48 insertions(+) diff -Nru valkey-8.1.1+dfsg1/debian/changelog valkey-8.1.1+dfsg1/debian/changelog --- valkey-8.1.1+dfsg1/debian/changelog 2025-04-28 20:49:27.000000000 +0200 +++ valkey-8.1.1+dfsg1/debian/changelog 2025-06-09 10:47:39.000000000 +0200 @@ -1,3 +1,11 @@ +valkey (8.1.1+dfsg1-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Check length of AOF file name in valkey-check-aof (CVE-2025-27151) + (Closes: #1106824) + + -- Salvatore Bonaccorso <[email protected]> Mon, 09 Jun 2025 10:47:39 +0200 + valkey (8.1.1+dfsg1-1) unstable; urgency=medium * New upstream release. diff -Nru valkey-8.1.1+dfsg1/debian/patches/0005-Incorporate-Redis-CVE-for-CVE-2025-27151-2146.patch valkey-8.1.1+dfsg1/debian/patches/0005-Incorporate-Redis-CVE-for-CVE-2025-27151-2146.patch --- valkey-8.1.1+dfsg1/debian/patches/0005-Incorporate-Redis-CVE-for-CVE-2025-27151-2146.patch 1970-01-01 01:00:00.000000000 +0100 +++ valkey-8.1.1+dfsg1/debian/patches/0005-Incorporate-Redis-CVE-for-CVE-2025-27151-2146.patch 2025-06-09 10:47:39.000000000 +0200 
@@ -0,0 +1,39 @@ +From: Madelyn Olson <[email protected]> +Date: Thu, 29 May 2025 00:06:23 +0100 +Subject: Incorporate Redis CVE for CVE-2025-27151 (#2146) +Origin: https://github.com/valkey-io/valkey/commit/73696bf6e2cf754acc3ec24eaf9ca6b879bfc5d7 +Bug-Debian: https://bugs.debian.org/1106824 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27151 + +Resolves https://github.com/valkey-io/valkey/issues/2145 + +Incorporate the CVE patch that was sent to us by Redis Ltd. + +--------- + +Signed-off-by: Madelyn Olson <[email protected]> +Co-authored-by: Ping Xie <[email protected]> +--- + src/valkey-check-aof.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/valkey-check-aof.c b/src/valkey-check-aof.c +index ed0eb2b49d12..a6e4b97c6d7a 100644 +--- a/src/valkey-check-aof.c ++++ b/src/valkey-check-aof.c +@@ -556,6 +556,12 @@ int redis_check_aof_main(int argc, char **argv) { + goto invalid_args; + } + ++ /* Check if filepath is longer than PATH_MAX */ ++ if (strnlen(filepath, PATH_MAX + 1) > PATH_MAX) { ++ printf("Error: filepath is too long (exceeds PATH_MAX)\n"); ++ goto invalid_args; ++ } ++ + /* In the glibc implementation dirname may modify their argument. */ + memcpy(temp_filepath, filepath, strlen(filepath) + 1); + dirpath = dirname(temp_filepath); +-- +2.49.0 + diff -Nru valkey-8.1.1+dfsg1/debian/patches/series valkey-8.1.1+dfsg1/debian/patches/series --- valkey-8.1.1+dfsg1/debian/patches/series 2025-04-28 20:47:54.000000000 +0200 +++ valkey-8.1.1+dfsg1/debian/patches/series 2025-06-09 10:47:39.000000000 +0200 @@ -3,3 +3,4 @@ 0002-Add-CPPFLAGS-to-upstream-makefiles.patch 0003-Use-get_current_dir_name-over-PATHMAX.patch 0004-Add-support-for-USE_SYSTEM_JEMALLOC-flag.patch +0005-Incorporate-Redis-CVE-for-CVE-2025-27151-2146.patch
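Review bot: the new guard in the src/valkey-check-aof.c hunk of 0005-Incorporate-Redis-CVE-for-CVE-2025-27151-2146.patch, `if (strnlen(filepath, PATH_MAX + 1) > PATH_MAX)`, depends on PATH_MAX being defined in that translation unit, while the same series already carries 0003-Use-get_current_dir_name-over-PATHMAX.patch to move away from PATH_MAX elsewhere; please confirm that valkey-check-aof.c still builds on every architecture the package targets after 0003 is applied, rather than only on the ones where limits.h provides PATH_MAX. The placement itself is correct: the check runs before the unbounded `memcpy(temp_filepath, filepath, strlen(filepath) + 1)` copy, bounding strnlen at PATH_MAX + 1 avoids walking an arbitrarily long argument, and the DEP-3 headers (Origin, Bug-Debian, Bug-Debian-Security) tie the patch to the upstream commit and the security tracker entry.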

