[oe][meta-oe][kirkstone][PATCH 1/2] redis: fix CVE-2024-46981

Tue, 04 Feb 2025 04:26:01 -0800 

From: Divya Chellam <[email protected]>

Redis is an open source, in-memory database that persists on disk.
An authenticated user may use a specially crafted Lua script to
manipulate the garbage collector and potentially lead to remote
code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17.
An additional workaround to mitigate the problem without patching
the redis-server executable is to prevent users from executing Lua
scripts. This can be done using ACL to restrict EVAL and EVALSHA
commands.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-46981

Upstream-patch:
https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf

Signed-off-by: Divya Chellam <[email protected]>
---
 .../redis/redis-7.0.13/CVE-2024-46981.patch   | 32 +++++++++++++++
 .../redis/redis/CVE-2024-46981.patch          | 39 +++++++++++++++++++
 .../recipes-extended/redis/redis_6.2.12.bb    |  1 +
 .../recipes-extended/redis/redis_7.0.13.bb    |  1 +
 4 files changed, 73 insertions(+)
 create mode 100644 
meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-46981.patch
 create mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-46981.patch 
b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-46981.patch
new file mode 100644
index 0000000000..870ef71f52
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-46981.patch
@@ -0,0 +1,32 @@
+From e344b2b5879aa52870e6838212dfb78b7968fcbf Mon Sep 17 00:00:00 2001
+From: YaacovHazan <[email protected]>
+Date: Sun, 15 Dec 2024 21:33:11 +0200
+Subject: [PATCH] Fix LUA garbage collector (CVE-2024-46981) 
+
+Reset GC state before closing the lua VM to prevent user data 
+to be wrongly freed while still might be used on destructor callbacks.
+
+CVE: CVE-2024-46981
+
+Upstream-Status: Backport 
[https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf]
+
+Signed-off-by: Divya Chellam <[email protected]>
+---
+ src/eval.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/eval.c b/src/eval.c
+index 8190856..a562335 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -273,6 +273,7 @@ void scriptingRelease(int async) {
+     else
+         dictRelease(lctx.lua_scripts);
+     lctx.lua_scripts_mem = 0;
++    lua_gc(lctx.lua, LUA_GCCOLLECT, 0);
+     lua_close(lctx.lua);
+ }
+ 
+-- 
+2.40.0
+
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch 
b/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch
new file mode 100644
index 0000000000..c02dd21271
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch
@@ -0,0 +1,39 @@
+From e344b2b5879aa52870e6838212dfb78b7968fcbf Mon Sep 17 00:00:00 2001
+From: YaacovHazan <[email protected]>
+Date: Sun, 15 Dec 2024 21:33:11 +0200
+Subject: [PATCH] Fix LUA garbage collector (CVE-2024-46981)
+
+Reset GC state before closing the lua VM to prevent user data
+to be wrongly freed while still might be used on destructor callbacks.
+
+Conflicts:
+Since luaCtx lctx structure  introduced in later versions [1]
+used already existed redisServer server structure.
+
+Reference:
+[1] 
https://github.com/redis/redis/commit/e0cd580aefe13e49df802fec5135e4f22d46e758
+
+CVE: CVE-2024-46981
+
+Upstream-Status: Backport 
[https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf]
+
+Signed-off-by: Divya Chellam <[email protected]>
+---
+ src/scripting.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/scripting.c b/src/scripting.c
+index 9b926e8..656d4dd 100644
+--- a/src/scripting.c
++++ b/src/scripting.c
+@@ -1467,6 +1467,7 @@ void scriptingRelease(int async) {
+     else
+         dictRelease(server.lua_scripts);
+     server.lua_scripts_mem = 0;
++    lua_gc(server.lua, LUA_GCCOLLECT, 0);
+     lua_close(server.lua);
+ }
+ 
+-- 
+2.40.0
+
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb 
b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
index a13dfdbe45..0fdd3da327 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://CVE-2023-45145.patch \
            file://CVE-2024-31228.patch \
            file://CVE-2024-31449.patch \
+           file://CVE-2024-46981.patch \
            "
 SRC_URI[sha256sum] = 
"75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"
 
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb 
b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index fa1716a192..3535da9664 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://CVE-2024-31227.patch \
            file://CVE-2024-31228.patch \
            file://CVE-2024-31449.patch \
+           file://CVE-2024-46981.patch \
            "
 SRC_URI[sha256sum] = 
"97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#115270): 
https://lists.openembedded.org/g/openembedded-devel/message/115270
Mute This Topic: https://lists.openembedded.org/mt/110990531/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to