!47 Fix CVE-2021-29478

From: @wang_yue111 Reviewed-by: @small_leek Signed-off-by: @small_leek
2021-06-08 11:13:42 +08:00 · 2021-06-08 11:13:42 +08:00 · ef45aaf84f
commit ef45aaf84f
parent 90470ed993 80c4de130f
2 changed files with 42 additions and 1 deletions
--- a/CVE-2021-29478.patch
+++ b/CVE-2021-29478.patch
@ -0,0 +1,35 @@
+From ef78ba0a7793a0b6be026ec77ef3c7e919efa08a Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 3 May 2021 08:27:22 +0300
+Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478)
+
+An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
+potentially result with remote code execution.
+
+The vulnerability involves changing the default set-max-intset-entries
+configuration value, creating a large set key that consists of integer values
+and using the COPY command to duplicate it.
+
+The integer overflow bug exists in all versions of Redis starting with 2.6,
+where it could result with a corrupted RDB or DUMP payload, but not exploited
+through COPY (which did not exist before 6.2).
+---
+ src/intset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/intset.c b/src/intset.c
+index 198c90a..8d35536 100644
+--- a/src/intset.c
+++ b/src/intset.c
+@@ -278,7 +278,7 @@ uint32_t intsetLen(const intset *is) {
+ 
+ /* Return intset blob size in bytes. */
+ size_t intsetBlobLen(intset *is) {
+-    return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
+    return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
+ }
+ 
+ #ifdef REDIS_TEST
+-- 
+2.23.0
+
--- a/redis.spec
+++ b/redis.spec
@ -1,6 +1,6 @@
 Name:           redis
 Version:        4.0.11
-Release:        16
+Release:        17
 Summary:        A persistent key-value database
 License:        BSD and MIT
 URL:            https://redis.io
@ -21,6 +21,8 @@ Patch0007:      modify-aarch64-architecture-jemalloc-page-size-from-4k-to-64k.pa
 Patch0008:      huawei-deps-jemalloc-support-riscv.patch
 Patch0009:      CVE-2021-21309.patch
 Patch0010:      CVE-2021-3470.patch
+Patch0011:      CVE-2021-29478.patch
+
 BuildRequires:     systemd gcc
 Requires:          /bin/awk
 Requires:          logrotate
@ -47,6 +49,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %patch0008 -p1
 %patch0009 -p1
 %patch0010 -p1
+%patch0011 -p1

 sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf
 sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf
@ -104,6 +107,9 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service

 %changelog
+* Tue Jun 08 2021 wangyue <wangyue92@huawei.com> - 4.0.11-17
+- Fix CVE-2021-29478
+
 * Mon May 31 2021 huanghaitao <huanghaitao8@huawei.com> - 4.0.11-16
 - Completing build dependencies to fix gcc compiler missing error