Fix CVE-2023-28856

2023-05-15 10:52:22 +08:00 · 2023-05-15 10:52:22 +08:00 · 5c6d9241e5
commit 5c6d9241e5
parent 7bcca38888
2 changed files with 56 additions and 2 deletions
--- a/CVE-2023-28856.patch
+++ b/CVE-2023-28856.patch
@ -0,0 +1,49 @@
+From c924ac3fdf8fe544891dc66c88018e259ee4be87 Mon Sep 17 00:00:00 2001
+From: chendianqiang <c.d_q@163.com>
+Date: Sun, 28 Aug 2022 16:33:41 +0800
+Subject: [PATCH] fix hincrbyfloat not to create a key if the new value is
+ invalid (#11149)
+
+Check the validity of the value before performing the create operation,
+prevents new data from being generated even if the request fails to execute.
+
+Co-authored-by: Oran Agra <oran@redislabs.com>
+Co-authored-by: chendianqiang <chendianqiang@meituan.com>
+Co-authored-by: Binbin <binloveplay1314@qq.com>
+(cherry picked from commit bc7fe41e5857a0854d524e2a63a028e9394d2a5c)
+(cherry picked from commit 606a385935363ea46c0df4f40f8a949d85f7a20a)
+(cherry picked from commit 7df23a5f51488ce002411c9d24b38520ad67b764)
+---
+ src/t_hash.c             | 4 ++++
+ tests/unit/type/hash.tcl | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/src/t_hash.c b/src/t_hash.c
+index 3cdfdd169abf..13e65502f145 100644
+--- a/src/t_hash.c
+++ b/src/t_hash.c
+@@ -605,6 +605,10 @@ void hincrbyfloatCommand(client *c) {
+     unsigned int vlen;
+ 
+     if (getLongDoubleFromObjectOrReply(c,c->argv[3],&incr,NULL) != C_OK) return;
+    if (isnan(incr) || isinf(incr)) {
+        addReplyError(c,"value is NaN or Infinity");
+        return;
+    }
+     if ((o = hashTypeLookupWriteOrCreate(c,c->argv[1])) == NULL) return;
+     if (hashTypeGetValue(o,c->argv[2]->ptr,&vstr,&vlen,&ll) == C_OK) {
+         if (vstr) {
+diff --git a/tests/unit/type/hash.tcl b/tests/unit/type/hash.tcl
+index 9f8a21b1ce11..931662989d82 100644
+--- a/tests/unit/type/hash.tcl
+++ b/tests/unit/type/hash.tcl
+@@ -540,4 +540,9 @@ start_server {tags {"hash"}} {
+             assert {[r hincrbyfloat myhash float -0.1] eq {1.9}}
+         }
+     }
+
+    test {HINCRBYFLOAT does not allow NaN or Infinity} {
+        assert_error "*value is NaN or Infinity*" {r hincrbyfloat hfoo field +inf}
+        assert_equal 0 [r exists hfoo]
+    }
+ }
--- a/redis.spec
+++ b/redis.spec
@ -1,6 +1,6 @@
 Name:           redis
 Version:        4.0.14
-Release:        3
+Release:        4
 Summary:        A persistent key-value database
 License:        BSD and MIT
 URL:            https://redis.io
@ -21,6 +21,7 @@ Patch0009:      CVE-2021-29478.patch
 Patch0010:      CVE-2021-32672.patch
 Patch0011:      redis-4.0.14-sw.patch
 Patch0012:      CVE-2022-36021.patch
+Patch0013:      CVE-2023-28856.patch

 BuildRequires:     systemd gcc
 Requires:          /bin/awk
@ -52,6 +53,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %patch0011 -p1
 %endif
 %patch0012 -p1
+%patch0013 -p1

 sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf
 sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf
@ -109,8 +111,11 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service

 %changelog
+* Mon May 15 2023 yaoxin <yao_xin001@hoperun.com> - 4.0.14-4
+- Fix CVE-2023-28856
+
 * Mon Mar 27 2023 wushaozheng<wushaozheng@ncti-gba.cn> - 4.0.14-3
- Fix CVE-2022-36021.patch
+- Fix CVE-2022-36021

 * Wed Oct 26 2022 wuzx<wuzx1226@qq.com> - 4.0.14-2
 - Add sw64 architecture