From: "Armin Kuster" <akuster808@gmail.com>
To: Randy MacLeod <randy.macleod@windriver.com>,
	Tony Tascioglu <tony.tascioglu@windriver.com>,
	openembedded-devel@lists.openembedded.org
Subject: Re: [oe] [meta-oe][hardknott][PATCH 1/2] redis: fix CVE-2021-29477
Date: Tue, 27 Jul 2021 09:35:58 -0700
Message-ID: <c3bcadd9-dc2d-c406-9e0b-4f9ed9442ed2@gmail.com>
In-Reply-To: <a61803b6-5db1-5f9c-ba04-8af0d8b3f24f@windriver.com>



On 7/27/21 6:35 AM, Randy MacLeod wrote:
> On 2021-07-17 7:12 p.m., akuster808 wrote:
>>
>>
>> On 7/17/21 11:09 AM, Randy MacLeod wrote:
>>> On 2021-07-17 9:50 a.m., akuster808 wrote:
>>>>
>>>> On 7/16/21 11:47 AM, Tony Tascioglu wrote:
>>>>> This patch backports the fix for CVE-2021-29477.
>>>>>
>>>>> CVE: CVE-2021-29477
>>>>> Upstream-Status: Backport
>>>>> [https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
>>>>>
>>>>>
>>>> Thanks for the fixes. Any reason why updating to the latest stable
>>>> 6.2.4
>>>> is not an option?
>>>> https://raw.githubusercontent.com/redis/redis/6.2/00-RELEASENOTES
>>>
>>> This commit adds a public function:
>>>
>>>     1916:void redactClientCommandArgument(client *c, int argc);
>>> in:
>>> https://github.com/redis/redis/commit/875a1f07d821dc5abe737b064018a27bbc7175d2
>>>
>>>
>>>
>>> probably not a show stopper but it does affect the API in server.h.
>>>
>>> I didn't check the rest of the commit carefully but we really need an
>>> API/ABI
>>> checker. I'm not sure how redis clients usually interact with the
>>> server, are you?
>>>
>>> It would be nice if this site were up to date:
>>>     https://abi-laboratory.pro/?view=timeline&l=hiredis
>>>
>>> I guess Tony could try the tools that the site points to if
>>> you like Armin.
>>
>> Thanks for the info. Patches in this case are appropriate.
>>
>> - Armin
>
> Ping? I don't see this in hardknott yet...
Right, but it's in stable/hardknott-nut, still running through process.

-armin
> ../Randy
>
>>>
>>> ../Randy
>>>
>>>
>>>> - Armin
>>>>> An integer overflow bug in Redis version 6.0 or newer could be
>>>>> exploited using
>>>>> the STRALGO LCS command to corrupt the heap and potentially result
>>>>> with remote
>>>>> code execution.
>>>>>
>>>>> Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
>>>>> ---
>>>>>    .../redis/redis/fix-CVE-2021-29477.patch      | 35
>>>>> +++++++++++++++++++
>>>>>    meta-oe/recipes-extended/redis/redis_6.2.2.bb |  1 +
>>>>>    2 files changed, 36 insertions(+)
>>>>>    create mode 100644
>>>>> meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>>>
>>>>> diff --git
>>>>> a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>>> b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>>> new file mode 100644
>>>>> index 000000000..a5e5a1ba5
>>>>> --- /dev/null
>>>>> +++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
>>>>> @@ -0,0 +1,35 @@
>>>>> +From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00
>>>>> 2001
>>>>> +From: Oran Agra <oran@redislabs.com>
>>>>> +Date: Mon, 3 May 2021 08:32:31 +0300
>>>>> +Subject: [PATCH] Fix integer overflow in STRALGO LCS
>>>>> (CVE-2021-29477)
>>>>> +
>>>>> +An integer overflow bug in Redis version 6.0 or newer could be
>>>>> exploited using
>>>>> +the STRALGO LCS command to corrupt the heap and potentially result
>>>>> with remote
>>>>> +code execution.
>>>>> +
>>>>> +CVE: CVE-2021-29477
>>>>> +Upstream-Status: Backport
>>>>> +[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
>>>>>
>>>>>
>>>>> +
>>>>> +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
>>>>> +
>>>>> +---
>>>>> + src/t_string.c | 2 +-
>>>>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>> +
>>>>> +diff --git a/src/t_string.c b/src/t_string.c
>>>>> +index 9228c5ed0..db6f7042e 100644
>>>>> +--- a/src/t_string.c
>>>>> ++++ b/src/t_string.c
>>>>> +@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
>>>>> +     /* Setup an uint32_t array to store at LCS[i,j] the length
>>>>> of the
>>>>> +      * LCS A0..i-1, B0..j-1. Note that we have a linear array
>>>>> here, so
>>>>> +      * we index it as LCS[j+(blen+1)*j] */
>>>>> +-    uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
>>>>> ++    uint32_t *lcs =
>>>>> zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
>>>>> +     #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
>>>>> +
>>>>> +     /* Start building the LCS table. */
>>>>> +--
>>>>> +2.32.0
>>>>> +
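Review bot: the (size_t) cast on the added zmalloc line in stralgoLCS only prevents the wrap where size_t is wider than the type of alen and blen. On a target with a 32-bit size_t (this recipe's SRC_URI also carries 0006-Define-correct-gregs-for-RISCV32.patch, so such targets are in scope for it) the product (alen+1)*(blen+1)*sizeof(uint32_t) can still wrap, and zmalloc would then return a buffer smaller than what the LCS(A,B) macro indexes. Consider an explicit check before the allocation that rejects the command when the product does not fit in size_t, and check whether upstream has a follow-up to f0c5f920d0f8 that should be backported together with this one. Note also that the cast applies to (alen+1) after that sum has been evaluated in the original type, so the fix relies on alen+1 itself never wrapping; a short comment saying why that holds would help the next reader.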
>>>>> diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>>> b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>>> index 65b525709..e89bb50f1 100644
>>>>> --- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>>> +++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
>>>>> @@ -16,6 +16,7 @@ SRC_URI =
>>>>> "http://download.redis.io/releases/${BP}.tar.gz \
>>>>>               file://0001-src-Do-not-reset-FINAL_LIBS.patch \
>>>>>               file://GNU_SOURCE.patch \
>>>>>               file://0006-Define-correct-gregs-for-RISCV32.patch \
>>>>> +           file://fix-CVE-2021-29477.patch \
>>>>>               "
>>>>>    SRC_URI[sha256sum] =
>>>>> "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
>>>>>   
>>>>>
>>>
>>
>
>

