This upgrade contains a list of vunerability fixes: CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-32023, CVE-2025-48367, CVE-2025-21605, CVE-2024-46981, CVE-2024-31449, CVE-2024-31228, CVE-2023-45145, CVE-2022-24834
Dropped the CVE patches that are included above. Release notes: https://github.com/redis/redis/blob/6.2.21/00-RELEASENOTES Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../redis/redis/CVE-2023-45145.patch | 72 ------------------- .../redis/redis/CVE-2024-31228.patch | 68 ------------------ .../redis/redis/CVE-2024-31449.patch | 49 ------------- .../redis/redis/CVE-2024-46981.patch | 39 ---------- .../{redis_6.2.12.bb => redis_6.2.21.bb} | 6 +- 5 files changed, 1 insertion(+), 233 deletions(-) delete mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch delete mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch delete mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch delete mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch rename meta-oe/recipes-extended/redis/{redis_6.2.12.bb => redis_6.2.21.bb} (90%) diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch b/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch deleted file mode 100644 index f132deb83a..0000000000 --- a/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001 -From: Yossi Gottlieb <[email protected]> -Date: Wed, 11 Oct 2023 22:45:34 +0300 -Subject: [PATCH] Fix issue of listen before chmod on Unix sockets - (CVE-2023-45145) - -Before this commit, Unix socket setup performed chmod(2) on the socket -file after calling listen(2). Depending on what umask is used, this -could leave the file with the wrong permissions for a short period of -time. As a result, another process could exploit this race condition and -establish a connection that would otherwise not be possible. - -We now make sure the socket permissions are set up prior to calling -listen(2). - -(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42) - -CVE: CVE-2023-45145 - -Upstream-Status: Backport [https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc] - -Signed-off-by: Divya Chellam <[email protected]> ---- - src/anet.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/src/anet.c b/src/anet.c -index a121c27..91f6171 100644 ---- a/src/anet.c -+++ b/src/anet.c -@@ -397,13 +397,16 @@ int anetUnixGenericConnect(char *err, const char *path, int flags) - return s; - } - --static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog) { -+static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog, mode_t perm) { - if (bind(s,sa,len) == -1) { - anetSetError(err, "bind: %s", strerror(errno)); - close(s); - return ANET_ERR; - } - -+ if (sa->sa_family == AF_LOCAL && perm) -+ chmod(((struct sockaddr_un *) sa)->sun_path, perm); -+ - if (listen(s, backlog) == -1) { - anetSetError(err, "listen: %s", strerror(errno)); - close(s); -@@ -447,7 +450,7 @@ static int _anetTcpServer(char *err, int port, char *bindaddr, int af, int backl - - if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error; - if (anetSetReuseAddr(err,s) == ANET_ERR) goto error; -- if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR; -+ if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR; - goto end; - } - if (p == NULL) { -@@ -484,10 +487,8 @@ int anetUnixServer(char *err, char *path, mode_t perm, int backlog) - memset(&sa,0,sizeof(sa)); - sa.sun_family = AF_LOCAL; - strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1); -- if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR) -+ if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR) - return ANET_ERR; -- if (perm) -- chmod(sa.sun_path, perm); - return s; - } - --- -2.40.0 - diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch deleted file mode 100644 index d86e6c9e72..0000000000 --- a/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 9317bf64659b33166a943ec03d5d9b954e86afb0 Mon Sep 17 00:00:00 2001 -From: Oran Agra <[email protected]> -Date: Wed, 2 Oct 2024 20:11:01 +0300 -Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228) - -CVE: CVE-2024-31228 - -Upstream-Status: Backport[https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0] - -Signed-off-by: Divya Chellam <[email protected]> ---- - src/util.c | 9 ++++++--- - tests/unit/keyspace.tcl | 6 ++++++ - 2 files changed, 12 insertions(+), 3 deletions(-) - -diff --git a/src/util.c b/src/util.c -index e122a26..5763a2b 100644 ---- a/src/util.c -+++ b/src/util.c -@@ -46,8 +46,11 @@ - - /* Glob-style pattern matching. */ - static int stringmatchlen_impl(const char *pattern, int patternLen, -- const char *string, int stringLen, int nocase, int *skipLongerMatches) -+ const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting) - { -+ /* Protection against abusive patterns. */ -+ if (nesting > 1000) return 0; -+ - while(patternLen && stringLen) { - switch(pattern[0]) { - case '*': -@@ -59,7 +62,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen, - return 1; /* match */ - while(stringLen) { - if (stringmatchlen_impl(pattern+1, patternLen-1, -- string, stringLen, nocase, skipLongerMatches)) -+ string, stringLen, nocase, skipLongerMatches, nesting+1)) - return 1; /* match */ - if (*skipLongerMatches) - return 0; /* no match */ -@@ -181,7 +184,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen, - int stringmatchlen(const char *pattern, int patternLen, - const char *string, int stringLen, int nocase) { - int skipLongerMatches = 0; -- return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches); -+ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0); - } - - int stringmatch(const char *pattern, const char *string, int nocase) { -diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl -index 92029a7..70bc252 100644 ---- a/tests/unit/keyspace.tcl -+++ b/tests/unit/keyspace.tcl -@@ -485,4 +485,10 @@ start_server {tags {"keyspace"}} { - r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1 - r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b" - } {} -+ -+ test {Regression for pattern matching very long nested loops} { -+ r flushdb -+ r SET [string repeat "a" 50000] 1 -+ r KEYS [string repeat "*?" 50000] -+ } {} - } --- -2.40.0 - diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch deleted file mode 100644 index 5004cd5ab6..0000000000 --- a/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 1f7c148be2cbacf7d50aa461c58b871e87cc5ed9 Mon Sep 17 00:00:00 2001 -From: Oran Agra <[email protected]> -Date: Wed, 2 Oct 2024 19:54:06 +0300 -Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449) - -INT_MIN value must be explicitly checked, and cannot be negated. - -CVE: CVE-2024-31449 - -Upstream-Status: Backport [https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9] - -Signed-off-by: Divya Chellam <[email protected]> ---- - deps/lua/src/lua_bit.c | 1 + - tests/unit/scripting.tcl | 6 ++++++ - 2 files changed, 7 insertions(+) - -diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c -index 690df7d..a459ca9 100644 ---- a/deps/lua/src/lua_bit.c -+++ b/deps/lua/src/lua_bit.c -@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L) - const char *hexdigits = "0123456789abcdef"; - char buf[8]; - int i; -+ if (n == INT32_MIN) n = INT32_MIN+1; - if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; } - if (n > 8) n = 8; - for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; } -diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl -index 9f5ee77..5e2a7f8 100644 ---- a/tests/unit/scripting.tcl -+++ b/tests/unit/scripting.tcl -@@ -406,6 +406,12 @@ start_server {tags {"scripting"}} { - set e - } {ERR*Attempt to modify a readonly table*} - -+ test {lua bit.tohex bug} { -+ set res [r eval {return bit.tohex(65535, -2147483648)} 0] -+ r ping -+ set res -+ } {0000FFFF} -+ - test {Test an example script DECR_IF_GT} { - set decr_if_gt { - local current --- -2.40.0 - diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch deleted file mode 100644 index c02dd21271..0000000000 --- a/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch +++ /dev/null @@ -1,39 +0,0 @@ -From e344b2b5879aa52870e6838212dfb78b7968fcbf Mon Sep 17 00:00:00 2001 -From: YaacovHazan <[email protected]> -Date: Sun, 15 Dec 2024 21:33:11 +0200 -Subject: [PATCH] Fix LUA garbage collector (CVE-2024-46981) - -Reset GC state before closing the lua VM to prevent user data -to be wrongly freed while still might be used on destructor callbacks. - -Conflicts: -Since luaCtx lctx structure introduced in later versions [1] -used already existed redisServer server structure. - -Reference: -[1] https://github.com/redis/redis/commit/e0cd580aefe13e49df802fec5135e4f22d46e758 - -CVE: CVE-2024-46981 - -Upstream-Status: Backport [https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf] - -Signed-off-by: Divya Chellam <[email protected]> ---- - src/scripting.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/scripting.c b/src/scripting.c -index 9b926e8..656d4dd 100644 ---- a/src/scripting.c -+++ b/src/scripting.c -@@ -1467,6 +1467,7 @@ void scriptingRelease(int async) { - else - dictRelease(server.lua_scripts); - server.lua_scripts_mem = 0; -+ lua_gc(server.lua, LUA_GCCOLLECT, 0); - lua_close(server.lua); - } - --- -2.40.0 - diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.21.bb similarity index 90% rename from meta-oe/recipes-extended/redis/redis_6.2.12.bb rename to meta-oe/recipes-extended/redis/redis_6.2.21.bb index 5de97c5e77..e81984c081 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.21.bb @@ -16,12 +16,8 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0001-src-Do-not-reset-FINAL_LIBS.patch \ file://GNU_SOURCE.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ - file://CVE-2023-45145.patch \ - file://CVE-2024-31228.patch \ - file://CVE-2024-31449.patch \ - file://CVE-2024-46981.patch \ " -SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b" +SRC_URI[sha256sum] = "6383b32ba8d246f41bbbb83663381f5a5f4c4713235433cec22fc4a47e9b6d5f" inherit autotools-brokensep update-rc.d systemd useradd
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#121994): https://lists.openembedded.org/g/openembedded-devel/message/121994 Mute This Topic: https://lists.openembedded.org/mt/116438164/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
