packages/redis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2021-29478

Browse Source
This commit is contained in:
wang_yue111 2021-06-08 10:40:20 +08:00
parent 90470ed993
commit 80c4de130f
2 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
CVE-2021-29478.patch Normal file
View File

@ -0,0 +1,35 @@
From ef78ba0a7793a0b6be026ec77ef3c7e919efa08a Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Mon, 3 May 2021 08:27:22 +0300
Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478)
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
potentially result with remote code execution.
The vulnerability involves changing the default set-max-intset-entries
configuration value, creating a large set key that consists of integer values
and using the COPY command to duplicate it.
The integer overflow bug exists in all versions of Redis starting with 2.6,
where it could result with a corrupted RDB or DUMP payload, but not exploited
through COPY (which did not exist before 6.2).
---
src/intset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/intset.c b/src/intset.c
index 198c90a..8d35536 100644
--- a/src/intset.c
+++ b/src/intset.c
@@ -278,7 +278,7 @@ uint32_t intsetLen(const intset *is) {
/* Return intset blob size in bytes. */
size_t intsetBlobLen(intset *is) {
- return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
+ return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
}
#ifdef REDIS_TEST
--
2.23.0

8
redis.spec
View File

@ -1,6 +1,6 @@
Name: redis Name: redis
Version: 4.0.11 Version: 4.0.11
Release: 16 Release: 17
Summary: A persistent key-value database Summary: A persistent key-value database
License: BSD and MIT License: BSD and MIT
URL: https://redis.io URL: https://redis.io
@ -21,6 +21,8 @@ Patch0007: modify-aarch64-architecture-jemalloc-page-size-from-4k-to-64k.pa
Patch0008: huawei-deps-jemalloc-support-riscv.patch Patch0008: huawei-deps-jemalloc-support-riscv.patch
Patch0009: CVE-2021-21309.patch Patch0009: CVE-2021-21309.patch
Patch0010: CVE-2021-3470.patch Patch0010: CVE-2021-3470.patch
Patch0011: CVE-2021-29478.patch
BuildRequires: systemd gcc BuildRequires: systemd gcc
Requires: /bin/awk Requires: /bin/awk
Requires: logrotate Requires: logrotate
@ -47,6 +49,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
%patch0008 -p1 %patch0008 -p1
%patch0009 -p1 %patch0009 -p1
%patch0010 -p1 %patch0010 -p1
%patch0011 -p1
sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf
sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf
@ -104,6 +107,9 @@ exit 0
%{_unitdir}/%{name}-sentinel.service %{_unitdir}/%{name}-sentinel.service
%changelog %changelog
* Tue Jun 08 2021 wangyue <wangyue92@huawei.com> - 4.0.11-17
- Fix CVE-2021-29478
* Mon May 31 2021 huanghaitao <huanghaitao8@huawei.com> - 4.0.11-16 * Mon May 31 2021 huanghaitao <huanghaitao8@huawei.com> - 4.0.11-16
- Completing build dependencies to fix gcc compiler missing error - Completing build dependencies to fix gcc compiler missing error