import redis-7.0.12-2.module+el9.3.0+21263+4e58afe8

10 months ago · e7be4032a8
parent 98836aae67
commit e7be4032a8
2 changed files with 63 additions and 1 deletions
--- a/SOURCES/redis-CVE-2023-41056.patch
+++ b/SOURCES/redis-CVE-2023-41056.patch
@ -0,0 +1,54 @@
+From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Sun, 7 Jan 2024 12:32:44 +0200
+Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
+
+#11766 introduced a bug in sdsResize where it could forget to update
+the sds type in the sds header and then cause an overflow in sdsalloc.
+it looks like the only implication of that is a possible assertion in HLL,
+but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
+---
+ src/sds.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/src/sds.c b/src/sds.c
+index 8e5863a3ab8e..71490d5b2522 100644
+--- a/src/sds.c
+++ b/src/sds.c
+@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
+      * type. */
+     int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
+     size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
+-    int alloc_already_optimal = 0;
+-    #if defined(USE_JEMALLOC)
+-        /* je_nallocx returns the expected allocation size for the newlen.
+-         * We aim to avoid calling realloc() when using Jemalloc if there is no
+-         * change in the allocation size, as it incurs a cost even if the
+-         * allocation size stays the same. */
+-        alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
+-    #endif
+-
+-    if (use_realloc && !alloc_already_optimal) {
+-        newsh = s_realloc(sh, newlen);
+-        if (newsh == NULL) return NULL;
+-        s = (char*)newsh+oldhdrlen;
+-    } else if (!alloc_already_optimal) {
+
+    if (use_realloc) {
+        int alloc_already_optimal = 0;
+        #if defined(USE_JEMALLOC)
+            /* je_nallocx returns the expected allocation size for the newlen.
+             * We aim to avoid calling realloc() when using Jemalloc if there is no
+             * change in the allocation size, as it incurs a cost even if the
+             * allocation size stays the same. */
+            alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
+        #endif
+        if (!alloc_already_optimal) {
+            newsh = s_realloc(sh, newlen);
+            if (newsh == NULL) return NULL;
+            s = (char*)newsh+oldhdrlen;
+        }
+    } else {
+         newsh = s_malloc(newlen);
+         if (newsh == NULL) return NULL;
+         memcpy((char*)newsh+hdrlen, s, len);
--- a/SPECS/redis.spec
+++ b/SPECS/redis.spec
@ -23,7 +23,7 @@

 Name:              redis
 Version:           7.0.12
-Release:           1%{?dist}
+Release:           2%{?dist}
 Summary:           A persistent key-value database
 # redis, hiredis: BSD-3-Clause
 # hdrhistogram, jemalloc, lzf, linenoise: BSD-2-Clause
@ -48,6 +48,9 @@ Source10:          https://github.com/%{name}/%{name}-doc/archive/%{doc_commit}/
 Patch0001:         0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
 Patch0002:         0002-deps-jemalloc-Do-not-force-building-in-gnu99-mode.patch

+# Security patches
+Patch100:          redis-CVE-2023-41056.patch
+
 BuildRequires: make
 BuildRequires:     gcc
 %if %{with tests}
@ -134,6 +137,7 @@ administration and development.
 mv ../%{name}-doc-%{doc_commit} doc
 %patch -P0001 -p1
 %patch -P0002 -p1
+%patch -P100  -p1

 mv deps/lua/COPYRIGHT    COPYRIGHT-lua
 mv deps/jemalloc/COPYING COPYING-jemalloc
@ -302,6 +306,10 @@ fi


 %changelog
+* Tue Feb  6 2024 Remi Collet <rcollet@redhat.com> - 7.0.12-2
+- Heap Buffer Overflow may lead to potential remote code execution
+  CVE-2023-41056
+
 * Tue Jul 11 2023 Remi Collet <rcollet@redhat.com> - 7.0.12-1
 - rebase to 7.0.12 #2221899