new file mode 100644
@@ -0,0 +1,283 @@
+From dccb672d838f05c940f040c27b74fde6fb47b2a7 Mon Sep 17 00:00:00 2001
+From: Ozan Tezcan <ozantezcan@gmail.com>
+Date: Mon, 23 Jun 2025 12:10:12 +0300
+Subject: [PATCH] Lua script can be executed in the context of another user
+ (CVE-2025-46818)
+
+Upstream-Status: Backport [https://github.com/redis/redis/commit/dccb672d838f05c940f040c27b74fde6fb47b2a7]
+CVE: CVE-2025-46818
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/config.c | 1 +
+ src/eval.c | 2 ++
+ src/function_lua.c | 2 ++
+ src/script_lua.c | 59 +++++++++++++++++++++++++++++----
+ src/script_lua.h | 1 +
+ src/server.h | 1 +
+ tests/unit/scripting.tcl | 70 ++++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 129 insertions(+), 7 deletions(-)
+
+diff --git a/src/config.c b/src/config.c
+index bfb49ef..d232eaf 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -3011,6 +3011,7 @@ standardConfig static_configs[] = {
+ createBoolConfig("latency-tracking", NULL, MODIFIABLE_CONFIG, server.latency_tracking_enabled, 1, NULL, NULL),
+ createBoolConfig("aof-disable-auto-gc", NULL, MODIFIABLE_CONFIG, server.aof_disable_auto_gc, 0, NULL, updateAofAutoGCEnabled),
+ createBoolConfig("replica-ignore-disk-write-errors", NULL, MODIFIABLE_CONFIG, server.repl_ignore_disk_write_error, 0, NULL, NULL),
++ createBoolConfig("lua-enable-deprecated-api", NULL, IMMUTABLE_CONFIG | HIDDEN_CONFIG, server.lua_enable_deprecated_api, 0, NULL, NULL),
+
+ /* String Configs */
+ createStringConfig("aclfile", NULL, IMMUTABLE_CONFIG, ALLOW_EMPTY_STRING, server.acl_filename, "", NULL, NULL),
+diff --git a/src/eval.c b/src/eval.c
+index a562335..f39ccc9 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -261,6 +261,8 @@ void scriptingInit(int setup) {
+ /* Recursively lock all tables that can be reached from the global table */
+ luaSetTableProtectionRecursively(lua);
+ lua_pop(lua, 1);
++ /* Set metatables of basic types (string, number, nil etc.) readonly. */
++ luaSetTableProtectionForBasicTypes(lua);
+
+ lctx.lua = lua;
+ }
+diff --git a/src/function_lua.c b/src/function_lua.c
+index aedadb0..9450437 100644
+--- a/src/function_lua.c
++++ b/src/function_lua.c
+@@ -490,6 +490,8 @@ int luaEngineInitEngine() {
+ lua_enablereadonlytable(lua_engine_ctx->lua, -1, 1); /* protect the new global table */
+ lua_replace(lua_engine_ctx->lua, LUA_GLOBALSINDEX); /* set new global table as the new globals */
+
++ /* Set metatables of basic types (string, number, nil etc.) readonly. */
++ luaSetTableProtectionForBasicTypes(lua_engine_ctx->lua);
+
+ engine *lua_engine = zmalloc(sizeof(*lua_engine));
+ *lua_engine = (engine) {
+diff --git a/src/script_lua.c b/src/script_lua.c
+index 33ed2aa..25a798f 100644
+--- a/src/script_lua.c
++++ b/src/script_lua.c
+@@ -65,7 +65,6 @@ static char *redis_api_allow_list[] = {
+ static char *lua_builtins_allow_list[] = {
+ "xpcall",
+ "tostring",
+- "getfenv",
+ "setmetatable",
+ "next",
+ "assert",
+@@ -86,15 +85,16 @@ static char *lua_builtins_allow_list[] = {
+ "loadstring",
+ "ipairs",
+ "_VERSION",
+- "setfenv",
+ "load",
+ "error",
+ NULL,
+ };
+
+-/* Lua builtins which are not documented on the Lua documentation */
+-static char *lua_builtins_not_documented_allow_list[] = {
++/* Lua builtins which are deprecated for sandboxing concerns */
++static char *lua_builtins_deprecated[] = {
+ "newproxy",
++ "setfenv",
++ "getfenv",
+ NULL,
+ };
+
+@@ -116,7 +116,6 @@ static char **allow_lists[] = {
+ libraries_allow_list,
+ redis_api_allow_list,
+ lua_builtins_allow_list,
+- lua_builtins_not_documented_allow_list,
+ lua_builtins_removed_after_initialization_allow_list,
+ NULL,
+ };
+@@ -1323,7 +1322,22 @@ static int luaNewIndexAllowList(lua_State *lua) {
+ break;
+ }
+ }
+- if (!*allow_l) {
++
++ int allowed = (*allow_l != NULL);
++ /* If not explicitly allowed, check if it's a deprecated function. If so,
++ * allow it only if 'lua_enable_deprecated_api' config is enabled. */
++ int deprecated = 0;
++ if (!allowed) {
++ char **c = lua_builtins_deprecated;
++ for (; *c; ++c) {
++ if (strcmp(*c, variable_name) == 0) {
++ deprecated = 1;
++ allowed = server.lua_enable_deprecated_api ? 1 : 0;
++ break;
++ }
++ }
++ }
++ if (!allowed) {
+ /* Search the value on the back list, if its there we know that it was removed
+ * on purpose and there is no need to print a warning. */
+ char **c = deny_list;
+@@ -1332,7 +1346,7 @@ static int luaNewIndexAllowList(lua_State *lua) {
+ break;
+ }
+ }
+- if (!*c) {
++ if (!*c && !deprecated) {
+ serverLog(LL_WARNING, "A key '%s' was added to Lua globals which is not on the globals allow list nor listed on the deny list.", variable_name);
+ }
+ } else {
+@@ -1384,6 +1398,37 @@ void luaSetTableProtectionRecursively(lua_State *lua) {
+ }
+ }
+
++/* Set the readonly flag on the metatable of basic types (string, nil etc.) */
++void luaSetTableProtectionForBasicTypes(lua_State *lua) {
++ static const int types[] = {
++ LUA_TSTRING,
++ LUA_TNUMBER,
++ LUA_TBOOLEAN,
++ LUA_TNIL,
++ LUA_TFUNCTION,
++ LUA_TTHREAD,
++ LUA_TLIGHTUSERDATA
++ };
++
++ for (size_t i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
++ /* Push a dummy value of the type to get its metatable */
++ switch (types[i]) {
++ case LUA_TSTRING: lua_pushstring(lua, ""); break;
++ case LUA_TNUMBER: lua_pushnumber(lua, 0); break;
++ case LUA_TBOOLEAN: lua_pushboolean(lua, 0); break;
++ case LUA_TNIL: lua_pushnil(lua); break;
++ case LUA_TFUNCTION: lua_pushcfunction(lua, NULL); break;
++ case LUA_TTHREAD: lua_newthread(lua); break;
++ case LUA_TLIGHTUSERDATA: lua_pushlightuserdata(lua, (void*)lua); break;
++ }
++ if (lua_getmetatable(lua, -1)) {
++ luaSetTableProtectionRecursively(lua);
++ lua_pop(lua, 1); /* pop metatable */
++ }
++ lua_pop(lua, 1); /* pop dummy value */
++ }
++}
++
+ void luaRegisterVersion(lua_State* lua) {
+ lua_pushstring(lua,"REDIS_VERSION_NUM");
+ lua_pushnumber(lua,REDIS_VERSION_NUM);
+diff --git a/src/script_lua.h b/src/script_lua.h
+index 4c2b348..d8a3688 100644
+--- a/src/script_lua.h
++++ b/src/script_lua.h
+@@ -71,6 +71,7 @@ void luaRegisterGlobalProtectionFunction(lua_State *lua);
+ void luaSetErrorMetatable(lua_State *lua);
+ void luaSetAllowListProtection(lua_State *lua);
+ void luaSetTableProtectionRecursively(lua_State *lua);
++void luaSetTableProtectionForBasicTypes(lua_State *lua);
+ void luaRegisterLogFunction(lua_State* lua);
+ void luaRegisterVersion(lua_State* lua);
+ void luaPushErrorBuff(lua_State *lua, sds err_buff);
+diff --git a/src/server.h b/src/server.h
+index 82e4db9..952135f 100644
+--- a/src/server.h
++++ b/src/server.h
+@@ -1900,6 +1900,7 @@ struct redisServer {
+ mstime_t busy_reply_threshold; /* Script / module timeout in milliseconds */
+ int pre_command_oom_state; /* OOM before command (script?) was started */
+ int script_disable_deny_script; /* Allow running commands marked "no-script" inside a script. */
++ int lua_enable_deprecated_api; /* Config to enable deprecated api */
+ /* Lazy free */
+ int lazyfree_lazy_eviction;
+ int lazyfree_lazy_expire;
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index d2fd6da..58f2028 100644
+--- a/tests/unit/scripting.tcl
++++ b/tests/unit/scripting.tcl
+@@ -1021,6 +1021,27 @@ start_server {tags {"scripting"}} {
+ set _ $e
+ } {*Attempt to modify a readonly table*}
+
++ test "Try trick readonly table on basic types metatable" {
++ # Run the following scripts for basic types. Either getmetatable()
++ # should return nil or the metatable must be readonly.
++ set scripts {
++ {getmetatable(nil).__index = function() return 1 end}
++ {getmetatable('').__index = function() return 1 end}
++ {getmetatable(123.222).__index = function() return 1 end}
++ {getmetatable(true).__index = function() return 1 end}
++ {getmetatable(function() return 1 end).__index = function() return 1 end}
++ {getmetatable(coroutine.create(function() return 1 end)).__index = function() return 1 end}
++ }
++
++ foreach code $scripts {
++ catch {run_script $code 0} e
++ assert {
++ [string match "*attempt to index a nil value script*" $e] ||
++ [string match "*Attempt to modify a readonly table*" $e]
++ }
++ }
++ }
++
+ test "Test loadfile are not available" {
+ catch {
+ run_script {
+@@ -1049,6 +1070,55 @@ start_server {tags {"scripting"}} {
+ } {*Script attempted to access nonexistent global variable 'print'*}
+ }
+
++# Start a new server to test lua-enable-deprecated-api config
++foreach enabled {no yes} {
++start_server [subst {tags {"scripting external:skip"} overrides {lua-enable-deprecated-api $enabled}}] {
++ test "Test setfenv availability lua-enable-deprecated-api=$enabled" {
++ catch {
++ run_script {
++ local f = function() return 1 end
++ setfenv(f, {})
++ return 0
++ } 0
++ } e
++ if {$enabled} {
++ assert_equal $e 0
++ } else {
++ assert_match {*Script attempted to access nonexistent global variable 'setfenv'*} $e
++ }
++ }
++
++ test "Test getfenv availability lua-enable-deprecated-api=$enabled" {
++ catch {
++ run_script {
++ local f = function() return 1 end
++ getfenv(f)
++ return 0
++ } 0
++ } e
++ if {$enabled} {
++ assert_equal $e 0
++ } else {
++ assert_match {*Script attempted to access nonexistent global variable 'getfenv'*} $e
++ }
++ }
++
++ test "Test newproxy availability lua-enable-deprecated-api=$enabled" {
++ catch {
++ run_script {
++ getmetatable(newproxy(true)).__gc = function() return 1 end
++ return 0
++ } 0
++ } e
++ if {$enabled} {
++ assert_equal $e 0
++ } else {
++ assert_match {*Script attempted to access nonexistent global variable 'newproxy'*} $e
++ }
++ }
++}
++}
++
+ # Start a new server since the last test in this stanza will kill the
+ # instance at all.
+ start_server {tags {"scripting"}} {
+--
+2.25.1
+
@@ -28,6 +28,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://CVE-2025-32023.patch \
file://CVE-2025-48367.patch \
file://CVE-2025-46817.patch \
+ file://CVE-2025-46818.patch \
"
SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"