| Message ID | 20251013154405.2796929-1-jakubszczudlo40@gmail.com |
|---|---|
| State | New |
| Series | redis: patch CVE-2025-49844 | expand |
This CVE is supposed to be fixed already in both versions of the redis recipes: the current recipes use versions 6.2.20 and 7.2.11 respectively, both of which already contain these commits. On 10/13/25 17:44, Jakub Szczudlo via lists.openembedded.org wrote: > Patch backported from redis repository: > https://github.com/redis/redis/commit/db884a49bfbbccd7a0463ddc6aa486b52f28386f > https://github.com/redis/redis/commit/5785f3e6e5aa13a9f0e5e1576b398eb4f7d3bb13 > > Signed-off-by: Jakub Szczudlo <jakubszczudlo40@gmail.com> > --- > .../redis/redis-7.2.8/CVE-2025-49844.patch | 36 +++++++++++++++++++ > .../redis/redis/CVE-2025-49844.patch | 35 ++++++++++++++++++ > .../recipes-extended/redis/redis_6.2.14.bb | 1 + > meta-oe/recipes-extended/redis/redis_7.2.8.bb | 1 + > 4 files changed, 73 insertions(+) > create mode 100644 meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-49844.patch > create mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2025-49844.patch > > diff --git a/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-49844.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-49844.patch > new file mode 100644 > index 0000000000..2f3be11711 > --- /dev/null > +++ b/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-49844.patch 
> @@ -0,0 +1,36 @@
> +From d5728cb5795c966c5b5b1e0f0ac576a7e69af539 Mon Sep 17 00:00:00 2001
> +From: Mincho Paskalev <minchopaskal@gmail.com>
> +Date: Mon, 23 Jun 2025 11:41:37 +0300
> +Subject: [PATCH] Lua script may lead to remote code execution (CVE-2025-49844)
> +
> +
> +Upstream-Status: Backport [https://github.com/redis/redis/commit/db884a49bfbbccd7a0463ddc6aa486b52f28386f]
> +CVE: CVE-2025-49844
> +Signed-off-by: Jakub Szczudlo <jakubszczudlo40@gmail.com>
> +---
> + deps/lua/src/lparser.c | 6 +++++-
> + 1 file changed, 5 insertions(+), 1 deletion(-)
> +
> +diff --git a/deps/lua/src/lparser.c b/deps/lua/src/lparser.c
> +index dda7488dcad..ee7d90c90d7 100644
> +--- a/deps/lua/src/lparser.c
> ++++ b/deps/lua/src/lparser.c
> +@@ -384,13 +384,17 @@ Proto *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff, const char *name) {
> + struct LexState lexstate;
> + struct FuncState funcstate;
> + lexstate.buff = buff;
> +- luaX_setinput(L, &lexstate, z, luaS_new(L, name));
> ++ TString *tname = luaS_new(L, name);
> ++ setsvalue2s(L, L->top, tname);
> ++ incr_top(L);
> ++ luaX_setinput(L, &lexstate, z, tname);
> + open_func(&lexstate, &funcstate);
> + funcstate.f->is_vararg = VARARG_ISVARARG; /* main func. is always vararg */
> + luaX_next(&lexstate); /* read first token */
> + chunk(&lexstate);
> + check(&lexstate, TK_EOS);
> + close_func(&lexstate);
> ++ --L->top;
> + lua_assert(funcstate.prev == NULL);
> + lua_assert(funcstate.f->nups == 0);
> + lua_assert(lexstate.fs == NULL);
> diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2025-49844.patch b/meta-oe/recipes-extended/redis/redis/CVE-2025-49844.patch
> new file mode 100644
> index 0000000000..68974b3d3b
> --- /dev/null
> +++ b/meta-oe/recipes-extended/redis/redis/CVE-2025-49844.patch
> @@ -0,0 +1,35 @@
> +From d5728cb5795c966c5b5b1e0f0ac576a7e69af539 Mon Sep 17 00:00:00 2001
> +From: Mincho Paskalev <minchopaskal@gmail.com>
> +Date: Mon, 23 Jun 2025 11:41:37 +0300
> +Subject: [PATCH] Lua script may lead to remote code execution (CVE-2025-49844)
> +
> +Upstream-Status: Backport [https://github.com/redis/redis/commit/5785f3e6e5aa13a9f0e5e1576b398eb4f7d3bb13]
> +CVE: CVE-2025-49844
> +Signed-off-by: Jakub Szczudlo <jakubszczudlo40@gmail.com>
> +---
> + deps/lua/src/lparser.c | 6 +++++-
> + 1 file changed, 5 insertions(+), 1 deletion(-)
> +
> +diff --git a/deps/lua/src/lparser.c b/deps/lua/src/lparser.c
> +index dda7488dcad..ee7d90c90d7 100644
> +--- a/deps/lua/src/lparser.c
> ++++ b/deps/lua/src/lparser.c
> +@@ -384,13 +384,17 @@ Proto *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff, const char *name) {
> + struct LexState lexstate;
> + struct FuncState funcstate;
> + lexstate.buff = buff;
> +- luaX_setinput(L, &lexstate, z, luaS_new(L, name));
> ++ TString *tname = luaS_new(L, name);
> ++ setsvalue2s(L, L->top, tname);
> ++ incr_top(L);
> ++ luaX_setinput(L, &lexstate, z, tname);
> + open_func(&lexstate, &funcstate);
> + funcstate.f->is_vararg = VARARG_ISVARARG; /* main func. is always vararg */
> + luaX_next(&lexstate); /* read first token */
> + chunk(&lexstate);
> + check(&lexstate, TK_EOS);
> + close_func(&lexstate);
> ++ --L->top;
> + lua_assert(funcstate.prev == NULL);
> + lua_assert(funcstate.f->nups == 0);
> + lua_assert(lexstate.fs == NULL);
> diff --git a/meta-oe/recipes-extended/redis/redis_6.2.14.bb b/meta-oe/recipes-extended/redis/redis_6.2.14.bb
> index fa430ce402..7383a83842 100644
> --- a/meta-oe/recipes-extended/redis/redis_6.2.14.bb
> +++ b/meta-oe/recipes-extended/redis/redis_6.2.14.bb
> @@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
> file://0001-src-Do-not-reset-FINAL_LIBS.patch \
> file://GNU_SOURCE.patch \
> file://0006-Define-correct-gregs-for-RISCV32.patch \
> + file://CVE-2025-49844.patch \
> "
> SRC_URI[sha256sum] = "34e74856cbd66fdb3a684fb349d93961d8c7aa668b06f81fd93ff267d09bc277"
>
> diff --git a/meta-oe/recipes-extended/redis/redis_7.2.8.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb
> index a1739b4f30..6b5509f542 100644
> --- a/meta-oe/recipes-extended/redis/redis_7.2.8.bb
> +++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb
> @@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
> file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \
> file://0006-Define-correct-gregs-for-RISCV32.patch \
> file://CVE-2025-32023.patch \
> + file://CVE-2025-49844.patch \
> "
>
> SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#120541): https://lists.openembedded.org/g/openembedded-devel/message/120541
> Mute This Topic: https://lists.openembedded.org/mt/115736666/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Do we also want to bump the redis version on kirkstone and scarthgap, or port the CVE patches?
On 10/14/25 21:30, Jakub Szczudlo via lists.openembedded.org wrote: > Do we also want to bump redis up with version on kirkstone and > scarthgap? Or port the CVE patches? > Having this fixed in those branches would also be really nice. Version bumps *may* be acceptable if the bump isn't too big: normally only bugfix releases are accepted in those branches, so a backported patch is usually the safer bet. (At the moment I don't know off the top of my head which versions are in those branches.)
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-49844.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-49844.patch
new file mode 100644
index 0000000000..2f3be11711
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-49844.patch
@@ -0,0 +1,36 @@
+From d5728cb5795c966c5b5b1e0f0ac576a7e69af539 Mon Sep 17 00:00:00 2001
+From: Mincho Paskalev <minchopaskal@gmail.com>
+Date: Mon, 23 Jun 2025 11:41:37 +0300
+Subject: [PATCH] Lua script may lead to remote code execution (CVE-2025-49844)
+
+
+Upstream-Status: Backport [https://github.com/redis/redis/commit/db884a49bfbbccd7a0463ddc6aa486b52f28386f]
+CVE: CVE-2025-49844
+Signed-off-by: Jakub Szczudlo <jakubszczudlo40@gmail.com>
+---
+ deps/lua/src/lparser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/deps/lua/src/lparser.c b/deps/lua/src/lparser.c
+index dda7488dcad..ee7d90c90d7 100644
+--- a/deps/lua/src/lparser.c
++++ b/deps/lua/src/lparser.c
+@@ -384,13 +384,17 @@ Proto *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff, const char *name) {
+ struct LexState lexstate;
+ struct FuncState funcstate;
+ lexstate.buff = buff;
+- luaX_setinput(L, &lexstate, z, luaS_new(L, name));
++ TString *tname = luaS_new(L, name);
++ setsvalue2s(L, L->top, tname);
++ incr_top(L);
++ luaX_setinput(L, &lexstate, z, tname);
+ open_func(&lexstate, &funcstate);
+ funcstate.f->is_vararg = VARARG_ISVARARG; /* main func. is always vararg */
+ luaX_next(&lexstate); /* read first token */
+ chunk(&lexstate);
+ check(&lexstate, TK_EOS);
+ close_func(&lexstate);
++ --L->top;
+ lua_assert(funcstate.prev == NULL);
+ lua_assert(funcstate.f->nups == 0);
+ lua_assert(lexstate.fs == NULL);
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2025-49844.patch b/meta-oe/recipes-extended/redis/redis/CVE-2025-49844.patch
new file mode 100644
index 0000000000..68974b3d3b
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2025-49844.patch
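Review bot: The header line `From d5728cb5795c966c5b5b1e0f0ac576a7e69af539` does not match the commit named in `Upstream-Status: Backport [https://github.com/redis/redis/commit/db884a49bfbbccd7a0463ddc6aa486b52f28386f]`, and the second patch file has the same mismatch against 5785f3e6e5aa13a9f0e5e1576b398eb4f7d3bb13; since CVE tooling and future rebases key on these references, the From line should be the commit the hunk was actually exported from, or be dropped so that Upstream-Status alone is authoritative. The body between Subject and Upstream-Status is empty (two blank lines in this file, one in the other), so the backport carries no rationale; a one-line body such as `Push the chunk-name TString onto the Lua stack for the duration of parsing and pop it after close_func, so it stays anchored while the lexer still references it.` would record what the hunk does. Note also that the pop `--L->top` is only reached on the success path: a lexer or parser error longjmps past it, which is presumably harmless because the protected call that wraps luaY_parser resets the stack top, but that assumption is worth stating in the body as well.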
@@ -0,0 +1,35 @@
+From d5728cb5795c966c5b5b1e0f0ac576a7e69af539 Mon Sep 17 00:00:00 2001
+From: Mincho Paskalev <minchopaskal@gmail.com>
+Date: Mon, 23 Jun 2025 11:41:37 +0300
+Subject: [PATCH] Lua script may lead to remote code execution (CVE-2025-49844)
+
+Upstream-Status: Backport [https://github.com/redis/redis/commit/5785f3e6e5aa13a9f0e5e1576b398eb4f7d3bb13]
+CVE: CVE-2025-49844
+Signed-off-by: Jakub Szczudlo <jakubszczudlo40@gmail.com>
+---
+ deps/lua/src/lparser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/deps/lua/src/lparser.c b/deps/lua/src/lparser.c
+index dda7488dcad..ee7d90c90d7 100644
+--- a/deps/lua/src/lparser.c
++++ b/deps/lua/src/lparser.c
+@@ -384,13 +384,17 @@ Proto *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff, const char *name) {
+ struct LexState lexstate;
+ struct FuncState funcstate;
+ lexstate.buff = buff;
+- luaX_setinput(L, &lexstate, z, luaS_new(L, name));
++ TString *tname = luaS_new(L, name);
++ setsvalue2s(L, L->top, tname);
++ incr_top(L);
++ luaX_setinput(L, &lexstate, z, tname);
+ open_func(&lexstate, &funcstate);
+ funcstate.f->is_vararg = VARARG_ISVARARG; /* main func. is always vararg */
+ luaX_next(&lexstate); /* read first token */
+ chunk(&lexstate);
+ check(&lexstate, TK_EOS);
+ close_func(&lexstate);
++ --L->top;
+ lua_assert(funcstate.prev == NULL);
+ lua_assert(funcstate.f->nups == 0);
+ lua_assert(lexstate.fs == NULL);
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.14.bb b/meta-oe/recipes-extended/redis/redis_6.2.14.bb
index fa430ce402..7383a83842 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.14.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.14.bb
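Review bot: This copy is placed in the shared `redis/` directory while the 7.2.8 copy sits in `redis-7.2.8/`, both under the same filename and with the hunk byte-identical, differing only in the Upstream-Status commit. Any redis recipe whose version-specific directory does not carry the file will fall back to this one and then cite the 5785f3e6e5aa13a9f0e5e1576b398eb4f7d3bb13 branch commit as its provenance, which is misleading once the 7.2 recipe is bumped and its `${BP}` directory is renamed or dropped. Keeping the 6.2 copy in a version-specific directory too, or naming the branch in the filename together with a matching SRC_URI entry, would keep provenance unambiguous. The lookup order assumed here is the standard `${BP}` before `${BPN}` FILESPATH search, not something visible in the hunk.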
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
 file://0001-src-Do-not-reset-FINAL_LIBS.patch \
 file://GNU_SOURCE.patch \
 file://0006-Define-correct-gregs-for-RISCV32.patch \
+ file://CVE-2025-49844.patch \
 "
 SRC_URI[sha256sum] = "34e74856cbd66fdb3a684fb349d93961d8c7aa668b06f81fd93ff267d09bc277"
diff --git a/meta-oe/recipes-extended/redis/redis_7.2.8.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb
index a1739b4f30..6b5509f542 100644
--- a/meta-oe/recipes-extended/redis/redis_7.2.8.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
 file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \
 file://0006-Define-correct-gregs-for-RISCV32.patch \
 file://CVE-2025-32023.patch \
+ file://CVE-2025-49844.patch \
 "
 SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"
Patch backported from redis repository: https://github.com/redis/redis/commit/db884a49bfbbccd7a0463ddc6aa486b52f28386f https://github.com/redis/redis/commit/5785f3e6e5aa13a9f0e5e1576b398eb4f7d3bb13 Signed-off-by: Jakub Szczudlo <jakubszczudlo40@gmail.com> --- .../redis/redis-7.2.8/CVE-2025-49844.patch | 36 +++++++++++++++++++ .../redis/redis/CVE-2025-49844.patch | 35 ++++++++++++++++++ .../recipes-extended/redis/redis_6.2.14.bb | 1 + meta-oe/recipes-extended/redis/redis_7.2.8.bb | 1 + 4 files changed, 73 insertions(+) create mode 100644 meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-49844.patch create mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2025-49844.patch