From patchwork Fri Jan 31 12:50:56 2025
X-Patchwork-Submitter: dchellam
X-Patchwork-Id: 56359
From: dchellam
Subject: [oe][meta-oe][kirkstone][PATCH 1/5] redis: fix CVE-2023-41056
Date: Fri, 31 Jan 2025 12:50:56 +0000
Message-ID: <20250131125100.3348102-1-divya.chellam@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/115191
From: Divya Chellam

Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers which can result in integer overflow that leads to heap overflow and potential remote code execution. This issue has been patched in version 7.0.15 and 7.2.4.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-41056

Upstream-patch: https://github.com/redis/redis/commit/e351099e1119fb89496be578f5232c61ce300224

Signed-off-by: Divya Chellam
---
 .../redis/redis-7.0.13/CVE-2023-41056.patch | 63 +++++++++++++++++++
 .../recipes-extended/redis/redis_7.0.13.bb | 1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch new file mode 100644 index 0000000000..036e62c8f0 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch
@@ -0,0 +1,63 @@ +From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001 +From: Oran Agra +Date: Sun, 7 Jan 2024 12:32:44 +0200 +Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056) + +#11766 introduced a bug in sdsResize where it could forget to update +the sds type in the sds header and then cause an overflow in sdsalloc. +it looks like the only implication of that is a possible assertion in HLL, +but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer + +CVE: CVE-2023-41056 + +Upstream-Status: Backport [https://github.com/redis/redis/commit/e351099e1119fb89496be578f5232c61ce300224] + +Signed-off-by: Divya Chellam +--- + src/sds.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +diff --git a/src/sds.c b/src/sds.c +index 8e5863a..71490d5 100644 +--- a/src/sds.c ++++ b/src/sds.c +@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) { + * type. */ + int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8)); + size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1; +- int alloc_already_optimal = 0; +- #if defined(USE_JEMALLOC) +- /* je_nallocx returns the expected allocation size for the newlen. +- * We aim to avoid calling realloc() when using Jemalloc if there is no +- * change in the allocation size, as it incurs a cost even if the +- * allocation size stays the same. */ +- alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh)); +- #endif +- +- if (use_realloc && !alloc_already_optimal) { +- newsh = s_realloc(sh, newlen); +- if (newsh == NULL) return NULL; +- s = (char*)newsh+oldhdrlen; +- } else if (!alloc_already_optimal) { ++ ++ if (use_realloc) { ++ int alloc_already_optimal = 0; ++ #if defined(USE_JEMALLOC) ++ /* je_nallocx returns the expected allocation size for the newlen. 
++ * We aim to avoid calling realloc() when using Jemalloc if there is no ++ * change in the allocation size, as it incurs a cost even if the ++ * allocation size stays the same. */ ++ alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh)); ++ #endif ++ if (!alloc_already_optimal) { ++ newsh = s_realloc(sh, newlen); ++ if (newsh == NULL) return NULL; ++ s = (char*)newsh+oldhdrlen; ++ } ++ } else { + newsh = s_malloc(newlen); + if (newsh == NULL) return NULL; + memcpy((char*)newsh+hdrlen, s, len); +-- +2.40.0 + diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index e88ab4ddf5..dc5f9b7a89 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb 
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0001-src-Do-not-reset-FINAL_LIBS.patch \ file://GNU_SOURCE-7.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ + file://CVE-2023-41056.patch \ " SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
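Review bot: In the src/sds.c hunk of [PATCH 1/5], alloc_already_optimal starts at 0 and is only assigned inside "#if defined(USE_JEMALLOC)", so the pre-patch "else if (!alloc_already_optimal)" could skip the malloc-and-copy branch only in jemalloc builds. The commit message should say whether the kirkstone redis recipe is built with USE_JEMALLOC, because that decides whether this backport closes a reachable path in the shipped binary or only brings the source in line with upstream. The restructuring itself reads correctly: the else branch, taken when use_realloc is 0 and the header type therefore changes, now always allocates with the new hdrlen.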
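Review bot: The SRC_URI hunk of [PATCH 1/5] adds CVE-2023-41056.patch to redis_7.0.13.bb only, while patches 2/5 and 4/5 of this series also update redis_6.2.12.bb. The commit message should state why 6.2.12 is left out here (the embedded upstream message attributes the bug to #11766, so say whether that change is present in 6.2.12), so that the CVE status of that recipe is recorded rather than implied.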
From: dchellam
Subject: [oe][meta-oe][kirkstone][PATCH 2/5] redis: fix CVE-2023-45145
Date: Fri, 31 Jan 2025 12:50:57 +0000
Message-ID: <20250131125100.3348102-2-divya.chellam@windriver.com>
In-Reply-To: <20250131125100.3348102-1-divya.chellam@windriver.com>
References: <20250131125100.3348102-1-divya.chellam@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/115192
From: Divya Chellam

Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.

Reference: https://security-tracker.debian.org/tracker/CVE-2023-45145

Upstream-patch: https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc

Signed-off-by: Divya Chellam
---
 .../redis/redis-7.0.13/CVE-2023-45145.patch | 72 +++++++++++++++++++
 .../redis/redis/CVE-2023-45145.patch | 72 +++++++++++++++++++
 .../recipes-extended/redis/redis_6.2.12.bb | 1 +
 .../recipes-extended/redis/redis_7.0.13.bb | 1 +
 4 files changed, 146 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-45145.patch
 create mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-45145.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-45145.patch new file mode 100644 index 0000000000..aab1bbfeb0 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-45145.patch
@@ -0,0 +1,72 @@ +From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001 +From: Yossi Gottlieb +Date: Wed, 11 Oct 2023 22:45:34 +0300 +Subject: [PATCH] Fix issue of listen before chmod on Unix sockets + (CVE-2023-45145) + +Before this commit, Unix socket setup performed chmod(2) on the socket +file after calling listen(2). Depending on what umask is used, this +could leave the file with the wrong permissions for a short period of +time. As a result, another process could exploit this race condition and +establish a connection that would otherwise not be possible. + +We now make sure the socket permissions are set up prior to calling +listen(2). + +(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42) + +CVE: CVE-2023-45145 + +Upstream-Status: Backport [https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc] + +Signed-off-by: Divya Chellam +--- + src/anet.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/anet.c b/src/anet.c +index 4ea201d..10840fc 100644 +--- a/src/anet.c ++++ b/src/anet.c +@@ -407,13 +407,16 @@ int anetUnixGenericConnect(char *err, const char *path, int flags) + return s; + } + +-static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog) { ++static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog, mode_t perm) { + if (bind(s,sa,len) == -1) { + anetSetError(err, "bind: %s", strerror(errno)); + close(s); + return ANET_ERR; + } + ++ if (sa->sa_family == AF_LOCAL && perm) ++ chmod(((struct sockaddr_un *) sa)->sun_path, perm); ++ + if (listen(s, backlog) == -1) { + anetSetError(err, "listen: %s", strerror(errno)); + close(s); +@@ -457,7 +460,7 @@ static int _anetTcpServer(char *err, int port, char *bindaddr, int af, int backl + + if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error; + if (anetSetReuseAddr(err,s) == ANET_ERR) goto error; +- if 
(anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR; ++ if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR; + goto end; + } + if (p == NULL) { +@@ -498,10 +501,8 @@ int anetUnixServer(char *err, char *path, mode_t perm, int backlog) + memset(&sa,0,sizeof(sa)); + sa.sun_family = AF_LOCAL; + strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1); +- if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR) ++ if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR) + return ANET_ERR; +- if (perm) +- chmod(sa.sun_path, perm); + return s; + } + +-- +2.40.0 + diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch b/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch new file mode 100644 index 0000000000..f132deb83a --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch 
@@ -0,0 +1,72 @@ +From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001 +From: Yossi Gottlieb +Date: Wed, 11 Oct 2023 22:45:34 +0300 +Subject: [PATCH] Fix issue of listen before chmod on Unix sockets + (CVE-2023-45145) + +Before this commit, Unix socket setup performed chmod(2) on the socket +file after calling listen(2). Depending on what umask is used, this +could leave the file with the wrong permissions for a short period of +time. As a result, another process could exploit this race condition and +establish a connection that would otherwise not be possible. + +We now make sure the socket permissions are set up prior to calling +listen(2). + +(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42) + +CVE: CVE-2023-45145 + +Upstream-Status: Backport [https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc] + +Signed-off-by: Divya Chellam +--- + src/anet.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/anet.c b/src/anet.c +index a121c27..91f6171 100644 +--- a/src/anet.c ++++ b/src/anet.c +@@ -397,13 +397,16 @@ int anetUnixGenericConnect(char *err, const char *path, int flags) + return s; + } + +-static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog) { ++static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog, mode_t perm) { + if (bind(s,sa,len) == -1) { + anetSetError(err, "bind: %s", strerror(errno)); + close(s); + return ANET_ERR; + } + ++ if (sa->sa_family == AF_LOCAL && perm) ++ chmod(((struct sockaddr_un *) sa)->sun_path, perm); ++ + if (listen(s, backlog) == -1) { + anetSetError(err, "listen: %s", strerror(errno)); + close(s); +@@ -447,7 +450,7 @@ static int _anetTcpServer(char *err, int port, char *bindaddr, int af, int backl + + if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error; + if (anetSetReuseAddr(err,s) == ANET_ERR) goto error; +- if 
(anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR; ++ if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR; + goto end; + } + if (p == NULL) { +@@ -484,10 +487,8 @@ int anetUnixServer(char *err, char *path, mode_t perm, int backlog) + memset(&sa,0,sizeof(sa)); + sa.sun_family = AF_LOCAL; + strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1); +- if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR) ++ if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR) + return ANET_ERR; +- if (perm) +- chmod(sa.sun_path, perm); + return s; + } + +-- +2.40.0 + diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb index 3ed6867816..52dcffedb8 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb @@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0001-src-Do-not-reset-FINAL_LIBS.patch \ file://GNU_SOURCE.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ + file://CVE-2023-45145.patch \ " SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b" diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index dc5f9b7a89..caccf01f64 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb 
@@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://GNU_SOURCE-7.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://CVE-2023-41056.patch \ + file://CVE-2023-45145.patch \ " SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
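Review bot: In the anetListen hunk of [PATCH 2/5], the return value of chmod() is discarded before listen() is called, so if chmod fails the socket still starts accepting connections with the umask-derived mode, which is the condition this fix is meant to remove. Check the result and fail the same way the bind() and listen() paths in the same function do (anetSetError, close(s), return ANET_ERR); this applies to both copies of the patch, under redis-7.0.13/ and redis/. If the backport has to stay identical to upstream, record the limitation in the commit message.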
From: dchellam
Subject: [oe][meta-oe][kirkstone][PATCH 3/5] redis: fix CVE-2024-31227
Date: Fri, 31 Jan 2025 12:50:58 +0000
Message-ID: <20250131125100.3348102-3-divya.chellam@windriver.com>
In-Reply-To: <20250131125100.3348102-1-divya.chellam@windriver.com>
References: <20250131125100.3348102-1-divya.chellam@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/115193
From: Divya Chellam

Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Reference: https://security-tracker.debian.org/tracker/CVE-2024-31227

Upstream-patch: https://github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a

Signed-off-by: Divya Chellam
---
 .../redis/redis-7.0.13/CVE-2024-31227.patch | 33 +++++++++++++++++++
 .../recipes-extended/redis/redis_7.0.13.bb | 1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31227.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31227.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31227.patch new file mode 100644 index 0000000000..0998fb2bfb --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31227.patch
@@ -0,0 +1,33 @@ +From b351d5a3210e61cc3b22ba38a723d6da8f3c298a Mon Sep 17 00:00:00 2001 +From: Oran Agra +Date: Wed, 2 Oct 2024 20:01:14 +0300 +Subject: [PATCH] Fix ACL SETUSER Read/Write key pattern selector + (CVE-2024-31227) + +The '%' rule must contain one or both of R/W + +CVE: CVE-2024-31227 + +Upstream-Status: Backport [https://github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a] + +Signed-off-by: Divya Chellam +--- + src/acl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/acl.c b/src/acl.c +index 6d86093..6b53d90 100644 +--- a/src/acl.c ++++ b/src/acl.c +@@ -1036,7 +1036,7 @@ int ACLSetSelector(aclSelector *selector, const char* op, size_t oplen) { + flags |= ACL_READ_PERMISSION; + } else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) { + flags |= ACL_WRITE_PERMISSION; +- } else if (op[offset] == '~') { ++ } else if (op[offset] == '~' && flags) { + offset++; + break; + } else { +-- +2.40.0 + diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index caccf01f64..6a2a7ce966 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb 
@@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://CVE-2023-41056.patch \ file://CVE-2023-45145.patch \ + file://CVE-2024-31227.patch \ " SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
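Review bot: In the src/acl.c hunk of [PATCH 3/5], the new condition "op[offset] == '~' && flags" depends on flags still being zero when no R or W has been parsed, and neither the hunk nor the one-line upstream message says so; the embedded diffstat also lists src/acl.c only, so the backport carries no regression test. Add a short comment at the condition stating that a '%' selector with no R/W before '~' now falls through to the final else branch, and, if the recipe runs the upstream test suite, a test that ACL SETUSER rejects such a selector.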
From: dchellam
Subject: [oe][meta-oe][kirkstone][PATCH 4/5] redis: fix CVE-2024-31228
Date: Fri, 31 Jan 2025 12:50:59 +0000
Message-ID: <20250131125100.3348102-4-divya.chellam@windriver.com>
In-Reply-To: <20250131125100.3348102-1-divya.chellam@windriver.com>
References: <20250131125100.3348102-1-divya.chellam@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/115194
From: Divya Chellam

Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References: https://security-tracker.debian.org/tracker/CVE-2024-31228

Upstream-patch: https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0

Signed-off-by: Divya Chellam
---
 .../redis/redis-7.0.13/CVE-2024-31228.patch | 68 +++++++++++++++++++
 .../redis/redis/CVE-2024-31228.patch | 68 +++++++++++++++++++
 .../recipes-extended/redis/redis_6.2.12.bb | 1 +
 .../recipes-extended/redis/redis_7.0.13.bb | 1 +
 4 files changed, 138 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch
 create mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch new file mode 100644 index 0000000000..deb9033c60 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch
@@ -0,0 +1,68 @@ +From 9317bf64659b33166a943ec03d5d9b954e86afb0 Mon Sep 17 00:00:00 2001 +From: Oran Agra +Date: Wed, 2 Oct 2024 20:11:01 +0300 +Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228) + +CVE: CVE-2024-31228 + +Upstream-Status: Backport[https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0] + +Signed-off-by: Divya Chellam +--- + src/util.c | 9 ++++++--- + tests/unit/keyspace.tcl | 6 ++++++ + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/util.c b/src/util.c +index 8ce2c5f..3a4c9b0 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -51,8 +51,11 @@ + + /* Glob-style pattern matching. */ + static int stringmatchlen_impl(const char *pattern, int patternLen, +- const char *string, int stringLen, int nocase, int *skipLongerMatches) ++ const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting) + { ++ /* Protection against abusive patterns. */ ++ if (nesting > 1000) return 0; ++ + while(patternLen && stringLen) { + switch(pattern[0]) { + case '*': +@@ -64,7 +67,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen, + return 1; /* match */ + while(stringLen) { + if (stringmatchlen_impl(pattern+1, patternLen-1, +- string, stringLen, nocase, skipLongerMatches)) ++ string, stringLen, nocase, skipLongerMatches, nesting+1)) + return 1; /* match */ + if (*skipLongerMatches) + return 0; /* no match */ +@@ -186,7 +189,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen, + int stringmatchlen(const char *pattern, int patternLen, + const char *string, int stringLen, int nocase) { + int skipLongerMatches = 0; +- return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches); ++ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0); + } + + int stringmatch(const char *pattern, const char *string, int nocase) { +diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl +index 
437f71f..988389f 100644 +--- a/tests/unit/keyspace.tcl ++++ b/tests/unit/keyspace.tcl +@@ -495,4 +495,10 @@ start_server {tags {"keyspace"}} { + r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1 + r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b" + } {} ++ ++ test {Regression for pattern matching very long nested loops} { ++ r flushdb ++ r SET [string repeat "a" 50000] 1 ++ r KEYS [string repeat "*?" 50000] ++ } {} + } +-- +2.40.0 + diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch new file mode 100644 index 0000000000..d86e6c9e72 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch 
@@ -0,0 +1,68 @@ +From 9317bf64659b33166a943ec03d5d9b954e86afb0 Mon Sep 17 00:00:00 2001 +From: Oran Agra +Date: Wed, 2 Oct 2024 20:11:01 +0300 +Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228) + +CVE: CVE-2024-31228 + +Upstream-Status: Backport[https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0] + +Signed-off-by: Divya Chellam +--- + src/util.c | 9 ++++++--- + tests/unit/keyspace.tcl | 6 ++++++ + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/util.c b/src/util.c +index e122a26..5763a2b 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -46,8 +46,11 @@ + + /* Glob-style pattern matching. */ + static int stringmatchlen_impl(const char *pattern, int patternLen, +- const char *string, int stringLen, int nocase, int *skipLongerMatches) ++ const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting) + { ++ /* Protection against abusive patterns. */ ++ if (nesting > 1000) return 0; ++ + while(patternLen && stringLen) { + switch(pattern[0]) { + case '*': +@@ -59,7 +62,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen, + return 1; /* match */ + while(stringLen) { + if (stringmatchlen_impl(pattern+1, patternLen-1, +- string, stringLen, nocase, skipLongerMatches)) ++ string, stringLen, nocase, skipLongerMatches, nesting+1)) + return 1; /* match */ + if (*skipLongerMatches) + return 0; /* no match */ +@@ -181,7 +184,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen, + int stringmatchlen(const char *pattern, int patternLen, + const char *string, int stringLen, int nocase) { + int skipLongerMatches = 0; +- return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches); ++ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0); + } + + int stringmatch(const char *pattern, const char *string, int nocase) { +diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl +index 
92029a7..70bc252 100644 +--- a/tests/unit/keyspace.tcl ++++ b/tests/unit/keyspace.tcl +@@ -485,4 +485,10 @@ start_server {tags {"keyspace"}} { + r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1 + r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b" + } {} ++ ++ test {Regression for pattern matching very long nested loops} { ++ r flushdb ++ r SET [string repeat "a" 50000] 1 ++ r KEYS [string repeat "*?" 50000] ++ } {} + } +-- +2.40.0 + diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb index 52dcffedb8..bea98100a7 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb @@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://GNU_SOURCE.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://CVE-2023-45145.patch \ + file://CVE-2024-31228.patch \ " SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b" diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index 6a2a7ce966..249f002a1b 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb 
@@ -19,6 +19,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://CVE-2023-41056.patch \ file://CVE-2023-45145.patch \ file://CVE-2024-31227.patch \ + file://CVE-2024-31228.patch \ " SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
From patchwork Fri Jan 31 12:51:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: dchellam X-Patchwork-Id: 56362
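Review bot: In the first src/util.c hunk of both CVE-2024-31228.patch copies, the guard `if (nesting > 1000) return 0;` reports a depth-limit abort as an ordinary "no match" and leaves `*skipLongerMatches` untouched. The caller's `while(stringLen)` loop in the next hunk stops early only on `if (*skipLongerMatches) return 0;`, so unless something else sets the flag it retries the over-deep call at every remaining string position. Consider setting `*skipLongerMatches = 1` before returning on this path, and give 1000 a named constant with a comment on how it was chosen, since that number is what bounds stack use here.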
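Review bot: In the tests/unit/keyspace.tcl hunk of the CVE-2024-31228 patches, the new regression test expects `{}` from `r KEYS [string repeat "*?" 50000]` against a key of 50000 `a` characters, yet that pattern would match the key if matching ran to completion (each `*` empty, each `?` one character). The expected value therefore encodes the depth limit turning a real match into a miss, which deserves a comment in the test: after this change a pattern with more than 1000 nested `*` returns no match instead of crashing the server. A second case just under the limit would pin that shorter patterns still match.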
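Review bot: The Upstream-Status line in both CVE-2024-31228.patch files is written `Backport[https://...]` with no space before the bracket, unlike the `Backport [https://...]` form used in the CVE-2024-31449 patches of this series; add the space so the tag has one format across the series. Both copies also cite commit 9317bf64659b33166a943ec03d5d9b954e86afb0 although their `index` lines and hunk offsets differ (8ce2c5f..3a4c9b0 at line 51 versus e122a26..5763a2b at line 46), so the recipe commit message should say that the redis/ copy, presumably the one picked up by redis_6.2.12.bb, was rebased from that same upstream commit.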
From: dchellam To: Subject: [oe][meta-oe][kirkstone][PATCH 5/5] redis: fix CVE-2024-31449 Date: Fri, 31 Jan 2025 12:51:00 +0000 Message-ID: <20250131125100.3348102-5-divya.chellam@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250131125100.3348102-1-divya.chellam@windriver.com> References: <20250131125100.3348102-1-divya.chellam@windriver.com> MIME-Version: 1.0 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/115195
From: Divya Chellam Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-31449 Upstream-patches: https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9 https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 Signed-off-by: Divya Chellam --- .../redis/redis-7.0.13/CVE-2024-31449.patch | 49 +++++++++++++++++++ .../redis/redis/CVE-2024-31449.patch | 49 +++++++++++++++++++ .../recipes-extended/redis/redis_6.2.12.bb | 1 + .../recipes-extended/redis/redis_7.0.13.bb | 1 + 4 files changed, 100 insertions(+) create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31449.patch create mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31449.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31449.patch new file mode 100644 index 0000000000..1e8ef7be2e --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31449.patch 
@@ -0,0 +1,49 @@ +From fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 Mon Sep 17 00:00:00 2001 +From: Oran Agra +Date: Wed, 2 Oct 2024 19:54:06 +0300 +Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449) + +INT_MIN value must be explicitly checked, and cannot be negated. + +CVE: CVE-2024-31449 + +Upstream-Status: Backport [https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71] + +Signed-off-by: Divya Chellam +--- + deps/lua/src/lua_bit.c | 1 + + tests/unit/scripting.tcl | 6 ++++++ + 2 files changed, 7 insertions(+) + +diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c +index 9f83b85..7e43fae 100644 +--- a/deps/lua/src/lua_bit.c ++++ b/deps/lua/src/lua_bit.c +@@ -132,6 +132,7 @@ static int bit_tohex(lua_State *L) + const char *hexdigits = "0123456789abcdef"; + char buf[8]; + int i; ++ if (n == INT32_MIN) n = INT32_MIN+1; + if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; } + if (n > 8) n = 8; + for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; } +diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl +index 4b65131..cdc6dc4 100644 +--- a/tests/unit/scripting.tcl ++++ b/tests/unit/scripting.tcl +@@ -590,6 +590,12 @@ start_server {tags {"scripting"}} { + set e + } {ERR *Attempt to modify a readonly table*} + ++ test {lua bit.tohex bug} { ++ set res [run_script {return bit.tohex(65535, -2147483648)} 0] ++ r ping ++ set res ++ } {0000FFFF} ++ + test {Test an example script DECR_IF_GT} { + set decr_if_gt { + local current +-- +2.40.0 + diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch new file mode 100644 index 0000000000..5004cd5ab6 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch 
@@ -0,0 +1,49 @@ +From 1f7c148be2cbacf7d50aa461c58b871e87cc5ed9 Mon Sep 17 00:00:00 2001 +From: Oran Agra +Date: Wed, 2 Oct 2024 19:54:06 +0300 +Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449) + +INT_MIN value must be explicitly checked, and cannot be negated. + +CVE: CVE-2024-31449 + +Upstream-Status: Backport [https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9] + +Signed-off-by: Divya Chellam +--- + deps/lua/src/lua_bit.c | 1 + + tests/unit/scripting.tcl | 6 ++++++ + 2 files changed, 7 insertions(+) + +diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c +index 690df7d..a459ca9 100644 +--- a/deps/lua/src/lua_bit.c ++++ b/deps/lua/src/lua_bit.c +@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L) + const char *hexdigits = "0123456789abcdef"; + char buf[8]; + int i; ++ if (n == INT32_MIN) n = INT32_MIN+1; + if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; } + if (n > 8) n = 8; + for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; } +diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl +index 9f5ee77..5e2a7f8 100644 +--- a/tests/unit/scripting.tcl ++++ b/tests/unit/scripting.tcl +@@ -406,6 +406,12 @@ start_server {tags {"scripting"}} { + set e + } {ERR*Attempt to modify a readonly table*} + ++ test {lua bit.tohex bug} { ++ set res [r eval {return bit.tohex(65535, -2147483648)} 0] ++ r ping ++ set res ++ } {0000FFFF} ++ + test {Test an example script DECR_IF_GT} { + set decr_if_gt { + local current +-- +2.40.0 + diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb index bea98100a7..a13dfdbe45 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb 
@@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://CVE-2023-45145.patch \ file://CVE-2024-31228.patch \ + file://CVE-2024-31449.patch \ " SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b" diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index 249f002a1b..fa1716a192 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb @@ -20,6 +20,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://CVE-2023-45145.patch \ file://CVE-2024-31227.patch \ file://CVE-2024-31228.patch \ + file://CVE-2024-31449.patch \ " SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
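Review bot: In the deps/lua/src/lua_bit.c hunk of both CVE-2024-31449.patch copies, the added line `if (n == INT32_MIN) n = INT32_MIN+1;` carries no comment, and its purpose is clear only from the commit message. The reasoning belongs above the check: `n = -n` on the next line cannot produce a positive value for INT32_MIN, so `if (n > 8) n = 8;` would not clamp it before `buf[8]` is used. The hunk also does not show where INT32_MIN is defined, so confirm that lua_bit.c already pulls in <stdint.h> or an equivalent definition in both the 6.2.12 and 7.0.13 trees; note too that the message says INT_MIN while the code tests INT32_MIN.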
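Review bot: In the tests/unit/scripting.tcl hunk of the CVE-2024-31449 patches, the new `lua bit.tohex bug` test exercises only `bit.tohex(65535, -2147483648)`, and the `r ping` after it is the actual crash check, which is worth a one-line comment because the assertion on `0000FFFF` alone does not show that. Adding the neighbouring width -2147483647 and an ordinary negative width such as -8 would confirm that the new guard leaves the uppercase path unchanged for other negative values.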