* [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477
@ 2021-07-16 18:47 Tony Tascioglu
2021-07-16 18:47 ` [meta-oe][hardknott][PATCH 2/2] redis: fix CVE-2021-29478 Tony Tascioglu
2021-07-17 13:50 ` [oe] [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477 Armin Kuster
0 siblings, 2 replies; 7+ messages in thread
From: Tony Tascioglu @ 2021-07-16 18:47 UTC (permalink / raw)
To: openembedded-devel; +Cc: randy.macleod, Tony Tascioglu
This patch backports the fix for CVE-2021-29477.
CVE: CVE-2021-29477
Upstream-Status: Backport
[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
An integer overflow bug in Redis version 6.0 or newer could be exploited using
the STRALGO LCS command to corrupt the heap and potentially result with remote
code execution.
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
---
.../redis/redis/fix-CVE-2021-29477.patch | 35 +++++++++++++++++++
meta-oe/recipes-extended/redis/redis_6.2.2.bb | 1 +
2 files changed, 36 insertions(+)
create mode 100644 meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
new file mode 100644
index 000000000..a5e5a1ba5
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
@@ -0,0 +1,35 @@
+From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 3 May 2021 08:32:31 +0300
+Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
+
+An integer overflow bug in Redis version 6.0 or newer could be exploited using
+the STRALGO LCS command to corrupt the heap and potentially result with remote
+code execution.
+
+CVE: CVE-2021-29477
+Upstream-Status: Backport
+[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+
+---
+ src/t_string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/t_string.c b/src/t_string.c
+index 9228c5ed0..db6f7042e 100644
+--- a/src/t_string.c
++++ b/src/t_string.c
+@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
+ /* Setup an uint32_t array to store at LCS[i,j] the length of the
+ * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
+ * we index it as LCS[j+(blen+1)*j] */
+- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
++ uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
+ #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
+
+ /* Start building the LCS table. */
+--
+2.32.0
+
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
index 65b525709..e89bb50f1 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://0001-src-Do-not-reset-FINAL_LIBS.patch \
file://GNU_SOURCE.patch \
file://0006-Define-correct-gregs-for-RISCV32.patch \
+ file://fix-CVE-2021-29477.patch \
"
SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* [meta-oe][hardknott][PATCH 2/2] redis: fix CVE-2021-29478
2021-07-16 18:47 [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477 Tony Tascioglu
@ 2021-07-16 18:47 ` Tony Tascioglu
2021-07-17 13:50 ` [oe] [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477 Armin Kuster
1 sibling, 0 replies; 7+ messages in thread
From: Tony Tascioglu @ 2021-07-16 18:47 UTC (permalink / raw)
To: openembedded-devel; +Cc: randy.macleod, Tony Tascioglu
This patch backports the fix for CVE-2021-29478
CVE: CVE-2021-29478
Upstream-Status: Backport
[https://github.com/redis/redis/commit/29900d4e6bccdf3691bedf0ea9a5d84863fa3592]
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
potentially result with remote code execution.
The vulnerability involves changing the default set-max-intset-entries
configuration value, creating a large set key that consists of integer values
and using the COPY command to duplicate it.
The integer overflow bug exists in all versions of Redis starting with 2.6,
where it could result with a corrupted RDB or DUMP payload, but not exploited
through COPY (which did not exist before 6.2).
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
---
.../redis/redis/fix-CVE-2021-29478.patch | 42 +++++++++++++++++++
meta-oe/recipes-extended/redis/redis_6.2.2.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch
diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch
new file mode 100644
index 000000000..ebbf6e1b9
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch
@@ -0,0 +1,42 @@
+From 29900d4e6bccdf3691bedf0ea9a5d84863fa3592 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 3 May 2021 08:27:22 +0300
+Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478)
+
+An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
+potentially result with remote code execution.
+
+The vulnerability involves changing the default set-max-intset-entries
+configuration value, creating a large set key that consists of integer values
+and using the COPY command to duplicate it.
+
+The integer overflow bug exists in all versions of Redis starting with 2.6,
+where it could result with a corrupted RDB or DUMP payload, but not exploited
+through COPY (which did not exist before 6.2).
+
+CVE: CVE-2021-29478
+Upstream-Status: Backport
+[https://github.com/redis/redis/commit/29900d4e6bccdf3691bedf0ea9a5d84863fa3592]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+
+---
+ src/intset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/intset.c b/src/intset.c
+index 1a64ecae8..9ba13898d 100644
+--- a/src/intset.c
++++ b/src/intset.c
+@@ -281,7 +281,7 @@ uint32_t intsetLen(const intset *is) {
+
+ /* Return intset blob size in bytes. */
+ size_t intsetBlobLen(intset *is) {
+- return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
++ return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
+ }
+
+ /* Validate the integrity of the data structure.
+--
+2.32.0
+
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
index e89bb50f1..a36c190af 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://GNU_SOURCE.patch \
file://0006-Define-correct-gregs-for-RISCV32.patch \
file://fix-CVE-2021-29477.patch \
+ file://fix-CVE-2021-29478.patch \
"
SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [oe] [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477
2021-07-16 18:47 [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477 Tony Tascioglu
2021-07-16 18:47 ` [meta-oe][hardknott][PATCH 2/2] redis: fix CVE-2021-29478 Tony Tascioglu
@ 2021-07-17 13:50 ` Armin Kuster
2021-07-17 18:09 ` Randy MacLeod
1 sibling, 1 reply; 7+ messages in thread
From: Armin Kuster @ 2021-07-17 13:50 UTC (permalink / raw)
To: Tony Tascioglu, openembedded-devel; +Cc: randy.macleod
On 7/16/21 11:47 AM, Tony Tascioglu wrote:
> This patch backports the fix for CVE-2021-29477.
>
> CVE: CVE-2021-29477
> Upstream-Status: Backport
> [https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
Thanks for the fixes. Any reason why updating to the latest stable 6.2.4
is not an option?
https://raw.githubusercontent.com/redis/redis/6.2/00-RELEASENOTES
- Armin
> An integer overflow bug in Redis version 6.0 or newer could be exploited using
> the STRALGO LCS command to corrupt the heap and potentially result with remote
> code execution.
>
> Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
> ---
> .../redis/redis/fix-CVE-2021-29477.patch | 35 +++++++++++++++++++
> meta-oe/recipes-extended/redis/redis_6.2.2.bb | 1 +
> 2 files changed, 36 insertions(+)
> create mode 100644 meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>
> diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
> new file mode 100644
> index 000000000..a5e5a1ba5
> --- /dev/null
> +++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
> @@ -0,0 +1,35 @@
> +From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
> +From: Oran Agra <oran@redislabs.com>
> +Date: Mon, 3 May 2021 08:32:31 +0300
> +Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
> +
> +An integer overflow bug in Redis version 6.0 or newer could be exploited using
> +the STRALGO LCS command to corrupt the heap and potentially result with remote
> +code execution.
> +
> +CVE: CVE-2021-29477
> +Upstream-Status: Backport
> +[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
> +
> +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
> +
> +---
> + src/t_string.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/t_string.c b/src/t_string.c
> +index 9228c5ed0..db6f7042e 100644
> +--- a/src/t_string.c
> ++++ b/src/t_string.c
> +@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
> + /* Setup an uint32_t array to store at LCS[i,j] the length of the
> + * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
> + * we index it as LCS[j+(blen+1)*j] */
> +- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
> ++ uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
> + #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
> +
> + /* Start building the LCS table. */
> +--
> +2.32.0
> +
> diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
> index 65b525709..e89bb50f1 100644
> --- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
> +++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
> @@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
> file://0001-src-Do-not-reset-FINAL_LIBS.patch \
> file://GNU_SOURCE.patch \
> file://0006-Define-correct-gregs-for-RISCV32.patch \
> + file://fix-CVE-2021-29477.patch \
> "
> SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
>
>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [oe] [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477
2021-07-17 13:50 ` [oe] [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477 Armin Kuster
@ 2021-07-17 18:09 ` Randy MacLeod
2021-07-17 23:12 ` Armin Kuster
0 siblings, 1 reply; 7+ messages in thread
From: Randy MacLeod @ 2021-07-17 18:09 UTC (permalink / raw)
To: akuster808, Tony Tascioglu, openembedded-devel
On 2021-07-17 9:50 a.m., akuster808 wrote:
>
> On 7/16/21 11:47 AM, Tony Tascioglu wrote:
>> This patch backports the fix for CVE-2021-29477.
>>
>> CVE: CVE-2021-29477
>> Upstream-Status: Backport
>> [https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
> Thanks for the fixes. Any reason why updating to the latest stable 6.2.4
> is not an option?
> https://raw.githubusercontent.com/redis/redis/6.2/00-RELEASENOTES
This commit adds a public function:
1916:void redactClientCommandArgument(client *c, int argc);
in:
https://github.com/redis/redis/commit/875a1f07d821dc5abe737b064018a27bbc7175d2
probably not a show stopper but it does affect the API in server.h.
I didn't check the rest of the commit carefully but we really need an
API/ABI
checker. I'm not sure how redis clients usually interact with the
server, are you?
It would be nice if this site were up to date:
https://abi-laboratory.pro/?view=timeline&l=hiredis
I guess Tony could try the tools that the site points to if
you like Armin.
../Randy
> - Armin
>> An integer overflow bug in Redis version 6.0 or newer could be exploited using
>> the STRALGO LCS command to corrupt the heap and potentially result with remote
>> code execution.
>>
>> Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
>> ---
>> .../redis/redis/fix-CVE-2021-29477.patch | 35 +++++++++++++++++++
>> meta-oe/recipes-extended/redis/redis_6.2.2.bb | 1 +
>> 2 files changed, 36 insertions(+)
>> create mode 100644 meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>
>> diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>> new file mode 100644
>> index 000000000..a5e5a1ba5
>> --- /dev/null
>> +++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>> @@ -0,0 +1,35 @@
>> +From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
>> +From: Oran Agra <oran@redislabs.com>
>> +Date: Mon, 3 May 2021 08:32:31 +0300
>> +Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
>> +
>> +An integer overflow bug in Redis version 6.0 or newer could be exploited using
>> +the STRALGO LCS command to corrupt the heap and potentially result with remote
>> +code execution.
>> +
>> +CVE: CVE-2021-29477
>> +Upstream-Status: Backport
>> +[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
>> +
>> +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
>> +
>> +---
>> + src/t_string.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/src/t_string.c b/src/t_string.c
>> +index 9228c5ed0..db6f7042e 100644
>> +--- a/src/t_string.c
>> ++++ b/src/t_string.c
>> +@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
>> + /* Setup an uint32_t array to store at LCS[i,j] the length of the
>> + * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
>> + * we index it as LCS[j+(blen+1)*j] */
>> +- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
>> ++ uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
>> + #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
>> +
>> + /* Start building the LCS table. */
>> +--
>> +2.32.0
>> +
>> diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>> index 65b525709..e89bb50f1 100644
>> --- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>> +++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>> @@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
>> file://0001-src-Do-not-reset-FINAL_LIBS.patch \
>> file://GNU_SOURCE.patch \
>> file://0006-Define-correct-gregs-for-RISCV32.patch \
>> + file://fix-CVE-2021-29477.patch \
>> "
>> SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
>>
>>
>>
>>
--
# Randy MacLeod
# Wind River Linux
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [oe] [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477
2021-07-17 18:09 ` Randy MacLeod
@ 2021-07-17 23:12 ` Armin Kuster
2021-07-27 13:35 ` Randy MacLeod
0 siblings, 1 reply; 7+ messages in thread
From: Armin Kuster @ 2021-07-17 23:12 UTC (permalink / raw)
To: Randy MacLeod, Tony Tascioglu, openembedded-devel
On 7/17/21 11:09 AM, Randy MacLeod wrote:
> On 2021-07-17 9:50 a.m., akuster808 wrote:
>>
>> On 7/16/21 11:47 AM, Tony Tascioglu wrote:
>>> This patch backports the fix for CVE-2021-29477.
>>>
>>> CVE: CVE-2021-29477
>>> Upstream-Status: Backport
>>> [https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
>>>
>> Thanks for the fixes. Any reason why updating to the latest stable 6.2.4
>> is not an option?
>> https://raw.githubusercontent.com/redis/redis/6.2/00-RELEASENOTES
>
> This commit adds a public function:
>
> 1916:void redactClientCommandArgument(client *c, int argc);
> in:
> https://github.com/redis/redis/commit/875a1f07d821dc5abe737b064018a27bbc7175d2
>
>
> probably not a show stopper but it does affect the API in server.h.
>
> I didn't check the rest of the commit carefully but we really need an
> API/ABI
> checker. I'm not sure how redis clients usually interact with the
> server, are you?
>
> It would be nice if this site were up to date:
> https://abi-laboratory.pro/?view=timeline&l=hiredis
>
> I guess Tony could try the tools that the site points to if
> you like Armin.
Thanks for the info. Patches in this case are appropriate.
- Armin
>
> ../Randy
>
>
>> - Armin
>>> An integer overflow bug in Redis version 6.0 or newer could be
>>> exploited using
>>> the STRALGO LCS command to corrupt the heap and potentially result
>>> with remote
>>> code execution.
>>>
>>> Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
>>> ---
>>> .../redis/redis/fix-CVE-2021-29477.patch | 35
>>> +++++++++++++++++++
>>> meta-oe/recipes-extended/redis/redis_6.2.2.bb | 1 +
>>> 2 files changed, 36 insertions(+)
>>> create mode 100644
>>> meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>
>>> diff --git
>>> a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>> b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>> new file mode 100644
>>> index 000000000..a5e5a1ba5
>>> --- /dev/null
>>> +++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>> @@ -0,0 +1,35 @@
>>> +From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
>>> +From: Oran Agra <oran@redislabs.com>
>>> +Date: Mon, 3 May 2021 08:32:31 +0300
>>> +Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
>>> +
>>> +An integer overflow bug in Redis version 6.0 or newer could be
>>> exploited using
>>> +the STRALGO LCS command to corrupt the heap and potentially result
>>> with remote
>>> +code execution.
>>> +
>>> +CVE: CVE-2021-29477
>>> +Upstream-Status: Backport
>>> +[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
>>>
>>> +
>>> +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
>>> +
>>> +---
>>> + src/t_string.c | 2 +-
>>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>>> +
>>> +diff --git a/src/t_string.c b/src/t_string.c
>>> +index 9228c5ed0..db6f7042e 100644
>>> +--- a/src/t_string.c
>>> ++++ b/src/t_string.c
>>> +@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
>>> + /* Setup an uint32_t array to store at LCS[i,j] the length of the
>>> + * LCS A0..i-1, B0..j-1. Note that we have a linear array
>>> here, so
>>> + * we index it as LCS[j+(blen+1)*j] */
>>> +- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
>>> ++ uint32_t *lcs =
>>> zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
>>> + #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
>>> +
>>> + /* Start building the LCS table. */
>>> +--
>>> +2.32.0
>>> +
>>> diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>> b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>> index 65b525709..e89bb50f1 100644
>>> --- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>> +++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>> @@ -16,6 +16,7 @@ SRC_URI =
>>> "http://download.redis.io/releases/${BP}.tar.gz \
>>> file://0001-src-Do-not-reset-FINAL_LIBS.patch \
>>> file://GNU_SOURCE.patch \
>>> file://0006-Define-correct-gregs-for-RISCV32.patch \
>>> + file://fix-CVE-2021-29477.patch \
>>> "
>>> SRC_URI[sha256sum] =
>>> "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
>>>
>>>
>>>
>
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [oe] [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477
2021-07-17 23:12 ` Armin Kuster
@ 2021-07-27 13:35 ` Randy MacLeod
2021-07-27 16:35 ` Armin Kuster
0 siblings, 1 reply; 7+ messages in thread
From: Randy MacLeod @ 2021-07-27 13:35 UTC (permalink / raw)
To: akuster808, Tony Tascioglu, openembedded-devel
On 2021-07-17 7:12 p.m., akuster808 wrote:
>
>
> On 7/17/21 11:09 AM, Randy MacLeod wrote:
>> On 2021-07-17 9:50 a.m., akuster808 wrote:
>>>
>>> On 7/16/21 11:47 AM, Tony Tascioglu wrote:
>>>> This patch backports the fix for CVE-2021-29477.
>>>>
>>>> CVE: CVE-2021-29477
>>>> Upstream-Status: Backport
>>>> [https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
>>>>
>>> Thanks for the fixes. Any reason why updating to the latest stable 6.2.4
>>> is not an option?
>>> https://raw.githubusercontent.com/redis/redis/6.2/00-RELEASENOTES
>>
>> This commit adds a public function:
>>
>> 1916:void redactClientCommandArgument(client *c, int argc);
>> in:
>> https://github.com/redis/redis/commit/875a1f07d821dc5abe737b064018a27bbc7175d2
>>
>>
>> probably not a show stopper but it does affect the API in server.h.
>>
>> I didn't check the rest of the commit carefully but we really need an
>> API/ABI
>> checker. I'm not sure how redis clients usually interact with the
>> server, are you?
>>
>> It would be nice if this site were up to date:
>> https://abi-laboratory.pro/?view=timeline&l=hiredis
>>
>> I guess Tony could try the tools that the site points to if
>> you like Armin.
>
> Thanks for the info. Patches in this case are appropriate.
>
> - Armin
Ping? I don't see this in hardknott yet...
../Randy
>>
>> ../Randy
>>
>>
>>> - Armin
>>>> An integer overflow bug in Redis version 6.0 or newer could be
>>>> exploited using
>>>> the STRALGO LCS command to corrupt the heap and potentially result
>>>> with remote
>>>> code execution.
>>>>
>>>> Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
>>>> ---
>>>> .../redis/redis/fix-CVE-2021-29477.patch | 35
>>>> +++++++++++++++++++
>>>> meta-oe/recipes-extended/redis/redis_6.2.2.bb | 1 +
>>>> 2 files changed, 36 insertions(+)
>>>> create mode 100644
>>>> meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>>
>>>> diff --git
>>>> a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>> b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>> new file mode 100644
>>>> index 000000000..a5e5a1ba5
>>>> --- /dev/null
>>>> +++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>> @@ -0,0 +1,35 @@
>>>> +From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
>>>> +From: Oran Agra <oran@redislabs.com>
>>>> +Date: Mon, 3 May 2021 08:32:31 +0300
>>>> +Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
>>>> +
>>>> +An integer overflow bug in Redis version 6.0 or newer could be
>>>> exploited using
>>>> +the STRALGO LCS command to corrupt the heap and potentially result
>>>> with remote
>>>> +code execution.
>>>> +
>>>> +CVE: CVE-2021-29477
>>>> +Upstream-Status: Backport
>>>> +[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
>>>>
>>>> +
>>>> +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
>>>> +
>>>> +---
>>>> + src/t_string.c | 2 +-
>>>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>>>> +
>>>> +diff --git a/src/t_string.c b/src/t_string.c
>>>> +index 9228c5ed0..db6f7042e 100644
>>>> +--- a/src/t_string.c
>>>> ++++ b/src/t_string.c
>>>> +@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
>>>> + /* Setup an uint32_t array to store at LCS[i,j] the length of the
>>>> + * LCS A0..i-1, B0..j-1. Note that we have a linear array
>>>> here, so
>>>> + * we index it as LCS[j+(blen+1)*j] */
>>>> +- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
>>>> ++ uint32_t *lcs =
>>>> zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
>>>> + #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
>>>> +
>>>> + /* Start building the LCS table. */
>>>> +--
>>>> +2.32.0
>>>> +
>>>> diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>> b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>> index 65b525709..e89bb50f1 100644
>>>> --- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>> +++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>> @@ -16,6 +16,7 @@ SRC_URI =
>>>> "http://download.redis.io/releases/${BP}.tar.gz \
>>>> file://0001-src-Do-not-reset-FINAL_LIBS.patch \
>>>> file://GNU_SOURCE.patch \
>>>> file://0006-Define-correct-gregs-for-RISCV32.patch \
>>>> + file://fix-CVE-2021-29477.patch \
>>>> "
>>>> SRC_URI[sha256sum] =
>>>> "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
>>>>
>>>>
>>>>
>>
>
--
# Randy MacLeod
# Wind River Linux
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [oe] [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477
2021-07-27 13:35 ` Randy MacLeod
@ 2021-07-27 16:35 ` Armin Kuster
0 siblings, 0 replies; 7+ messages in thread
From: Armin Kuster @ 2021-07-27 16:35 UTC (permalink / raw)
To: Randy MacLeod, Tony Tascioglu, openembedded-devel
On 7/27/21 6:35 AM, Randy MacLeod wrote:
> On 2021-07-17 7:12 p.m., akuster808 wrote:
>>
>>
>> On 7/17/21 11:09 AM, Randy MacLeod wrote:
>>> On 2021-07-17 9:50 a.m., akuster808 wrote:
>>>>
>>>> On 7/16/21 11:47 AM, Tony Tascioglu wrote:
>>>>> This patch backports the fix for CVE-2021-29477.
>>>>>
>>>>> CVE: CVE-2021-29477
>>>>> Upstream-Status: Backport
>>>>> [https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
>>>>>
>>>>>
>>>> Thanks for the fixes. Any reason why updating to the latest stable
>>>> 6.2.4
>>>> is not an option?
>>>> https://raw.githubusercontent.com/redis/redis/6.2/00-RELEASENOTES
>>>
>>> This commit adds a public function:
>>>
>>> 1916:void redactClientCommandArgument(client *c, int argc);
>>> in:
>>> https://github.com/redis/redis/commit/875a1f07d821dc5abe737b064018a27bbc7175d2
>>>
>>>
>>>
>>> probably not a show stopper but it does affect the API in server.h.
>>>
>>> I didn't check the rest of the commit carefully but we really need an
>>> API/ABI
>>> checker. I'm not sure how redis clients usually interact with the
>>> server, are you?
>>>
>>> It would be nice if this site were up to date:
>>> https://abi-laboratory.pro/?view=timeline&l=hiredis
>>>
>>> I guess Tony could try the tools that the site points to if
>>> you like Armin.
>>
>> Thanks for the info. Patches in this case are appropriate.
>>
>> - Armin
>
> Ping? I don't see this in hardknott yet...
right. but its in stable/hardknott-nut still running through process.
-armin
> ../Randy
>
>>>
>>> ../Randy
>>>
>>>
>>>> - Armin
>>>>> An integer overflow bug in Redis version 6.0 or newer could be
>>>>> exploited using
>>>>> the STRALGO LCS command to corrupt the heap and potentially result
>>>>> with remote
>>>>> code execution.
>>>>>
>>>>> Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
>>>>> ---
>>>>> .../redis/redis/fix-CVE-2021-29477.patch | 35
>>>>> +++++++++++++++++++
>>>>> meta-oe/recipes-extended/redis/redis_6.2.2.bb | 1 +
>>>>> 2 files changed, 36 insertions(+)
>>>>> create mode 100644
>>>>> meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>>>
>>>>> diff --git
>>>>> a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>>> b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>>> new file mode 100644
>>>>> index 000000000..a5e5a1ba5
>>>>> --- /dev/null
>>>>> +++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>>> @@ -0,0 +1,35 @@
>>>>> +From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00
>>>>> 2001
>>>>> +From: Oran Agra <oran@redislabs.com>
>>>>> +Date: Mon, 3 May 2021 08:32:31 +0300
>>>>> +Subject: [PATCH] Fix integer overflow in STRALGO LCS
>>>>> (CVE-2021-29477)
>>>>> +
>>>>> +An integer overflow bug in Redis version 6.0 or newer could be
>>>>> exploited using
>>>>> +the STRALGO LCS command to corrupt the heap and potentially result
>>>>> with remote
>>>>> +code execution.
>>>>> +
>>>>> +CVE: CVE-2021-29477
>>>>> +Upstream-Status: Backport
>>>>> +[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
>>>>>
>>>>>
>>>>> +
>>>>> +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
>>>>> +
>>>>> +---
>>>>> + src/t_string.c | 2 +-
>>>>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>> +
>>>>> +diff --git a/src/t_string.c b/src/t_string.c
>>>>> +index 9228c5ed0..db6f7042e 100644
>>>>> +--- a/src/t_string.c
>>>>> ++++ b/src/t_string.c
>>>>> +@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
>>>>> + /* Setup an uint32_t array to store at LCS[i,j] the length
>>>>> of the
>>>>> + * LCS A0..i-1, B0..j-1. Note that we have a linear array
>>>>> here, so
>>>>> + * we index it as LCS[j+(blen+1)*j] */
>>>>> +- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
>>>>> ++ uint32_t *lcs =
>>>>> zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
>>>>> + #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
>>>>> +
>>>>> + /* Start building the LCS table. */
>>>>> +--
>>>>> +2.32.0
>>>>> +
>>>>> diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>>> b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>>> index 65b525709..e89bb50f1 100644
>>>>> --- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>>> +++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>>> @@ -16,6 +16,7 @@ SRC_URI =
>>>>> "http://download.redis.io/releases/${BP}.tar.gz \
>>>>> file://0001-src-Do-not-reset-FINAL_LIBS.patch \
>>>>> file://GNU_SOURCE.patch \
>>>>> file://0006-Define-correct-gregs-for-RISCV32.patch \
>>>>> + file://fix-CVE-2021-29477.patch \
>>>>> "
>>>>> SRC_URI[sha256sum] =
>>>>> "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
>>>>>
>>>>>
>>>
>>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-07-27 16:36 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-16 18:47 [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477 Tony Tascioglu
2021-07-16 18:47 ` [meta-oe][hardknott][PATCH 2/2] redis: fix CVE-2021-29478 Tony Tascioglu
2021-07-17 13:50 ` [oe] [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477 Armin Kuster
2021-07-17 18:09 ` Randy MacLeod
2021-07-17 23:12 ` Armin Kuster
2021-07-27 13:35 ` Randy MacLeod
2021-07-27 16:35 ` Armin Kuster
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.