!13 fix CVE-2020-14147

Merge pull request !13 from wangxiao65/master
2020-07-20 19:45:46 +08:00 · 2020-07-20 19:45:46 +08:00 · d166540b6d
commit d166540b6d
parent 3f6ef4bf25 cd983b5707
2 changed files with 55 additions and 1 deletions
--- a/CVE-2020-14147.patch
+++ b/CVE-2020-14147.patch
@ -0,0 +1,50 @@
+From ef764dde1cca2f25d00686673d1bc89448819571 Mon Sep 17 00:00:00 2001
+From: Seunghoon Woo <toad58@nate.com>
+Date: Mon, 10 Feb 2020 16:32:46 +0900
+Subject: [PATCH] [FIX] revisit CVE-2015-8080 vulnerability
+
+---
+ deps/lua/src/lua_struct.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/deps/lua/src/lua_struct.c b/deps/lua/src/lua_struct.c
+index 4d5f027b85c..c58c8e72b08 100644
+--- a/deps/lua/src/lua_struct.c
+++ b/deps/lua/src/lua_struct.c
+@@ -89,12 +89,14 @@ typedef struct Header {
+ } Header;
+ 
+ 
+-static int getnum (const char **fmt, int df) {
+static int getnum (lua_State *L, const char **fmt, int df) {
+   if (!isdigit(**fmt))  /* no number? */
+     return df;  /* return default value */
+   else {
+     int a = 0;
+     do {
+      if (a > (INT_MAX / 10) || a * 10 > (INT_MAX - (**fmt - '0')))
+        luaL_error(L, "integral size overflow");
+       a = a*10 + *((*fmt)++) - '0';
+     } while (isdigit(**fmt));
+     return a;
+@@ -115,9 +117,9 @@ static size_t optsize (lua_State *L, char opt, const char **fmt) {
+     case 'f':  return sizeof(float);
+     case 'd':  return sizeof(double);
+     case 'x': return 1;
+-    case 'c': return getnum(fmt, 1);
+    case 'c': return getnum(L, fmt, 1);
+     case 'i': case 'I': {
+-      int sz = getnum(fmt, sizeof(int));
+      int sz = getnum(L, fmt, sizeof(int));
+       if (sz > MAXINTSIZE)
+         luaL_error(L, "integral size %d is larger than limit of %d",
+                        sz, MAXINTSIZE);
+@@ -150,7 +152,7 @@ static void controloptions (lua_State *L, int opt, const char **fmt,
+     case '>': h->endian = BIG; return;
+     case '<': h->endian = LITTLE; return;
+     case '!': {
+-      int a = getnum(fmt, MAXALIGN);
+      int a = getnum(L, fmt, MAXALIGN);
+       if (!isp2(a))
+         luaL_error(L, "alignment %d is not a power of 2", a);
+       h->align = a;
--- a/redis.spec
+++ b/redis.spec
@ -1,6 +1,6 @@
 Name:           redis
 Version:        4.0.11
-Release:        8
+Release:        9
 Summary:        A persistent key-value database
 License:        BSD and MIT
 URL:            https://redis.io
@ -13,6 +13,7 @@ Source3:        %{name}.service
 Patch0001:      CVE-2019-10192-1.patch
 #Optimization of the above problem
 Patch0002:      CVE-2019-10192-2.patch
+Patch0003:      CVE-2020-14147.patch 

 BuildRequires:     systemd
 Requires:          /bin/awk
@ -84,6 +85,9 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service

 %changelog
+* Mon Jul 20 2020 wangxiao <wangxiao654@huawei.com> - 4.0.11-9
+- fix CVE-2020-14147
+
 * Fri Jun 19 2020 Captain Wei <captain.a.wei@gmail.com> - 4.0.11-8
 - Add some dependency package in building and running phase