From patchwork Thu Oct 16 10:10:14 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 72488
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1DD97CCD183
	for <webhook@archiver.kernel.org>; Thu, 16 Oct 2025 10:10:32 +0000 (UTC)
Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com
 [209.85.214.170])
 by mx.groups.io with SMTP id smtpd.web11.4592.1760609429964241260
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:30 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=VSmw4j+/;
 spf=pass (domain: mvista.com, ip: 209.85.214.170,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pl1-f170.google.com with SMTP id
 d9443c01a7336-290ac2ef203so4462415ad.1
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1760609429; x=1761214229;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=ftnUUMfm/4UipFQidhDWW5MBel6fThZWECZkzEQB9I8=;
        b=VSmw4j+/9z6bMB50XNt6djZ3JqLzSmuhAVq4vwFqFI5aj7cwNrYo4Df64FqwjeNb4h
         UfwjRhFRkN+PO9FlvlR2gARdEf9iFMJ43SjXpFpeSTm/i5UNguTOPhqXFI4iZ+J14jXA
         Z5CK+z1bd2TwK3sCUHoQwjNNdlFuxyIbPq0X0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760609429; x=1761214229;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=ftnUUMfm/4UipFQidhDWW5MBel6fThZWECZkzEQB9I8=;
        b=HcFK7eEx8eP4QwbKVx9WRxjcDYje65vfj5JO7BoSpckYeV3cxRPqVCz5IqtNZh/vPy
         XXcoRtlpBeY4xn/RXTynjEqUAnRhDX5msm60vd+Emzs46oNoQ/CBCqizmZjU8GRZKvfw
         oFO4Bd4YThdS+KjCdw9zVS1kzm5h2oyNk7Eg7MpOCrNm06rw2pEa72KanUG6t3PisDcR
         1iXZZzh5jRITT+vT205L8FqIL3xOlFNfqv0nqbd0qBXqoqEP0AvoVJT+bcpzCpeax6ju
         mFBhTtXsamxonmn+KEMyOLOFevjjmBRiU1SrhIB/hz4kdsmxTAOCxkbpCxVggx4n3S4p
         AtNg==
X-Gm-Message-State: AOJu0Ywf/9mbZo4/IrUOLdVDmFR7GJ+jnCOwGbbbXp8IZloux1s2FshX
	3Xp4zEpbUHFtpwd7YznbzJ4hJ6m2ZKt81izUYm0m78cL9pnO4mCP2zVNn/P5SCMdO25B6TN7wTn
	G0MSiyE8=
X-Gm-Gg: ASbGncusJ/20Z2B2sj2uKy+AjajPy7s0B4F178hBzizi2tl2LTcc7DeQgqV5S1tRq+K
	0KPBz7X4d/z2Cd7zAZIO5gbTBBjFbnSQEuxAPslahYM2jeqyVvih+ZI2FPuYejgRBNeMdpwD/RT
	rGVJKg1hdMelrWjsuOy0VxdpibD6i/G/I5qbM886hDssXLxUTplzuVOphj35vUMfippr79g9NKM
	WFkf7SAIbxb+KBZb+XWMkbJJ5THsYe50o9CMJAeV8GwcGYL7KV/Brj0PCCMZFyxl+ySII3te5Cz
	VBKXPb1pQCJv43KS5J+ELlbFSxnPAQ4evH72xGi4knGaDxGHhEDQt5vUmJP2tC4Hjn0xn3fcAUn
	8InFYmnTqIZLvalPsdiFgGdfgG8TtENgza6j6fiMDSIlHVuRBU1m/xyNxeCF7HGvbUNXi+O1SiH
	Eu9cQ2NDczNvzXlUxCiiQkDSTh1w==
X-Google-Smtp-Source: 
 AGHT+IE+esun5Fe5RW/vKbm6kyY9/WFOqA/E7ulpycrK4lL0oCBet72rHZYdG/9Nu8LRZY0r4huBWA==
X-Received: by 2002:a17:903:1a8e:b0:24b:1625:5fa5 with SMTP id
 d9443c01a7336-29027356c0emr376028385ad.11.1760609428929;
        Thu, 16 Oct 2025 03:10:28 -0700 (PDT)
Received: from localhost.localdomain
 ([2401:4900:8fcc:1614:2a1b:7928:3155:7a64])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29099a7cebbsm24617685ad.64.2025.10.16.03.10.27
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Oct 2025 03:10:28 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-devel@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [oe][meta-oe][kirkstone][PATCH 1/7] redis: Fix CVE-2025-27151
Date: Thu, 16 Oct 2025 15:40:14 +0530
Message-Id: <20251016101020.279084-1-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 16 Oct 2025 10:10:32 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/120729

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../redis/redis-7.0.13/CVE-2025-27151.patch   | 32 +++++++++++++++++++
 .../recipes-extended/redis/redis_7.0.13.bb    |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-27151.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-27151.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-27151.patch
new file mode 100644
index 0000000000..c07243a05c
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-27151.patch
@@ -0,0 +1,32 @@
+From d0eeee6e31f0fefb510007a8cfdf5dce729a8be9 Mon Sep 17 00:00:00 2001
+From: YaacovHazan <yaacov.hazan@redis.com>
+Date: Tue, 27 May 2025 10:23:27 +0300
+Subject: [PATCH] Check length of AOF file name in redis-check-aof
+ (CVE-2025-27151)
+
+Ensure that the length of the input file name does not exceed PATH_MAX
+
+Upstream-Status: Backport [https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9]
+CVE: CVE-2025-27151
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/redis-check-aof.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/redis-check-aof.c b/src/redis-check-aof.c
+index e28126df603..5b3ee2a48c5 100644
+--- a/src/redis-check-aof.c
++++ b/src/redis-check-aof.c
+@@ -547,6 +547,12 @@ int redis_check_aof_main(int argc, char **argv) {
+         goto invalid_args;
+     }
+ 
++    /* Check if filepath is longer than PATH_MAX */
++    if (strlen(filepath) > PATH_MAX) {
++        printf("Error: filepath is too long (exceeds PATH_MAX)\n");
++        goto invalid_args;
++    }
++
+     /* In the glibc implementation dirname may modify their argument. */
+     memcpy(temp_filepath, filepath, strlen(filepath) + 1);
+     dirpath = dirname(temp_filepath);
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index f22d65462a..22163d9e74 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://CVE-2024-46981.patch \
            file://CVE-2024-51741.patch \
            file://CVE-2025-21605.patch \
+           file://CVE-2025-27151.patch \
            "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
 

From patchwork Thu Oct 16 10:10:15 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 72489
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 02165CCD19A
	for <webhook@archiver.kernel.org>; Thu, 16 Oct 2025 10:10:42 +0000 (UTC)
Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com
 [209.85.215.180])
 by mx.groups.io with SMTP id smtpd.web10.4460.1760609434183872195
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:34 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=gDDJLOoG;
 spf=pass (domain: mvista.com, ip: 209.85.215.180,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pg1-f180.google.com with SMTP id
 41be03b00d2f7-b6a225b7e9eso354365a12.0
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1760609433; x=1761214233;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=/A4odrhFzVnMA6Iy6I7R/iejPnF5Oy0LDGyOytYc4SE=;
        b=gDDJLOoGv1A5vH9QiRtC/A91NntMe2twYWvQ9Ubvm9XdVyxY3nUMYXAkwGRjiqVQVc
         tkB+6XxgHTQjsBiPM9l3gn7eT8oKYaPB5P/ixVwIlcz0mEPtrN3qSlA+MO69qz2rGE3d
         e9smbN2KG+ah7HyDOc3v6u+BGjCIOX291BKiI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760609433; x=1761214233;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=/A4odrhFzVnMA6Iy6I7R/iejPnF5Oy0LDGyOytYc4SE=;
        b=i1GYBBtPeKu6+pGNpFazvk9siIhP2YpoCnnSMHjaAoJIfAsGrP4XqNHW8qIUv7cuDT
         e+cetgW9UB6Jv5QJA3B6z1B5z8f+uVlTgTLuDpvsvmJ+LUYf2QNNLqmkY7JEr+J46W0f
         9QGRkgNiFGNFxc03Gk9DRQuRWiUdI5ScrDTwYkc0ffVQgk7tBmq7gz5cgl2VrUQ55kvt
         fa6w53w/P1q5yPp7hpkUdmMEWR0vazf4+gVEocTrr9xKrkmP2eKv3zUrXCiML8VD4N0R
         Bh7dOQyeYrOxB8NVVZA/vSfGr5P/aWGYx8FcmjnQMSSaUos0WM5cuzkEQcWD2+g+CQ8j
         EOng==
X-Gm-Message-State: AOJu0YwQWlA54ft6WnlwwWg4MzBau9H+lixFk1Sho1KJqGWMwkql5eh7
	X9CW0TV3JsFj7YleuQAkh4kel4xGgvqm2cihhtOXOJfSDAEAVbMOeApfafFSW2NDzsaXdGlzMOB
	1s77XCCc=
X-Gm-Gg: ASbGnctmb5JjoZVPjuEmghwEZ5sMZeq6j6QCQbt7RuP+8F3uORk+v2obFv3eckeYjfp
	kFkwL2AbExqs3/knzOdfCa5J3qf0msUBJHP5mQavpF2FZc8pvR8xGLo+SuPISE0oG6Ry/wrfyM4
	kqgS3p10jyz5JRtyvVPat6scMSvKnFl6X0oXr8FsXvt+IemnePdMkOEbgPxKvy1q8XwE+xk0h8t
	/9qLkzeA/BnC1DTDOaYIKvwMd08b7RHKy5rt4ZPFTTzC35Fgb7joJcY2D+gQOmfOTjXKh8oPOxp
	nCOMIy+GKjrrdrPEhdOTNYhUyKkVpAlrz7mwNh+talukD0jdJXBen5ef1ydSqakG4yEf+RTQHFn
	Tw378FZCqYSfVMkZ8hx2V1cgqbiG68I0mrjz0qjs35L6YB7zlrWHn/YDROWGiCov3NIciePJqGw
	x97DVoDwXbxLGf96Y=
X-Google-Smtp-Source: 
 AGHT+IEn16Enb1aRiVjLWqV/qdpFzSNLNePL7cKkEIbWTQ007ee3+1qWEWL+breIA9/i93ZqinxoYg==
X-Received: by 2002:a17:903:8cc:b0:27d:69cc:990 with SMTP id
 d9443c01a7336-29027402f43mr432500165ad.49.1760609432888;
        Thu, 16 Oct 2025 03:10:32 -0700 (PDT)
Received: from localhost.localdomain
 ([2401:4900:8fcc:1614:2a1b:7928:3155:7a64])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29099a7cebbsm24617685ad.64.2025.10.16.03.10.30
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Oct 2025 03:10:32 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-devel@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [oe][meta-oe][kirkstone][PATCH 2/7] redis: Fix CVE-2025-32023
Date: Thu, 16 Oct 2025 15:40:15 +0530
Message-Id: <20251016101020.279084-2-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20251016101020.279084-1-vanusuri@mvista.com>
References: <20251016101020.279084-1-vanusuri@mvista.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 16 Oct 2025 10:10:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/120730

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://github.com/redis/redis/commit/f35b72dd1735f381337a2eb078083450cb98e237

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../redis/redis-7.0.13/CVE-2025-32023.patch   | 215 ++++++++++++++++++
 .../recipes-extended/redis/redis_7.0.13.bb    |   1 +
 2 files changed, 216 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-32023.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-32023.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-32023.patch
new file mode 100644
index 0000000000..41244ffe0a
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-32023.patch
@@ -0,0 +1,215 @@
+From f35b72dd1735f381337a2eb078083450cb98e237 Mon Sep 17 00:00:00 2001
+From: "debing.sun" <debing.sun@redis.com>
+Date: Wed, 7 May 2025 18:25:06 +0800
+Subject: [PATCH] Fix out of bounds write in hyperloglog commands
+ (CVE-2025-32023)
+
+Co-authored-by: oranagra <oran@redislabs.com>
+
+Upstream-Status: Backport [https://github.com/redis/redis/commit/f35b72dd1735f381337a2eb078083450cb98e237]
+CVE: CVE-2025-32023
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/hyperloglog.c          | 47 +++++++++++++++++++++++++++++++----
+ tests/unit/hyperloglog.tcl | 51 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 93 insertions(+), 5 deletions(-)
+
+diff --git a/src/hyperloglog.c b/src/hyperloglog.c
+index 1a74f479377..ca592a08e6d 100644
+--- a/src/hyperloglog.c
++++ b/src/hyperloglog.c
+@@ -587,6 +587,7 @@ int hllSparseToDense(robj *o) {
+     struct hllhdr *hdr, *oldhdr = (struct hllhdr*)sparse;
+     int idx = 0, runlen, regval;
+     uint8_t *p = (uint8_t*)sparse, *end = p+sdslen(sparse);
++    int valid = 1;
+ 
+     /* If the representation is already the right one return ASAP. */
+     hdr = (struct hllhdr*) sparse;
+@@ -606,16 +607,27 @@ int hllSparseToDense(robj *o) {
+     while(p < end) {
+         if (HLL_SPARSE_IS_ZERO(p)) {
+             runlen = HLL_SPARSE_ZERO_LEN(p);
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             idx += runlen;
+             p++;
+         } else if (HLL_SPARSE_IS_XZERO(p)) {
+             runlen = HLL_SPARSE_XZERO_LEN(p);
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             idx += runlen;
+             p += 2;
+         } else {
+             runlen = HLL_SPARSE_VAL_LEN(p);
+             regval = HLL_SPARSE_VAL_VALUE(p);
+-            if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             while(runlen--) {
+                 HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
+                 idx++;
+@@ -626,7 +638,7 @@ int hllSparseToDense(robj *o) {
+ 
+     /* If the sparse representation was valid, we expect to find idx
+      * set to HLL_REGISTERS. */
+-    if (idx != HLL_REGISTERS) {
++    if (!valid || idx != HLL_REGISTERS) {
+         sdsfree(dense);
+         return C_ERR;
+     }
+@@ -923,27 +935,40 @@ int hllSparseAdd(robj *o, unsigned char *ele, size_t elesize) {
+ void hllSparseRegHisto(uint8_t *sparse, int sparselen, int *invalid, int* reghisto) {
+     int idx = 0, runlen, regval;
+     uint8_t *end = sparse+sparselen, *p = sparse;
++    int valid = 1;
+ 
+     while(p < end) {
+         if (HLL_SPARSE_IS_ZERO(p)) {
+             runlen = HLL_SPARSE_ZERO_LEN(p);
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             idx += runlen;
+             reghisto[0] += runlen;
+             p++;
+         } else if (HLL_SPARSE_IS_XZERO(p)) {
+             runlen = HLL_SPARSE_XZERO_LEN(p);
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             idx += runlen;
+             reghisto[0] += runlen;
+             p += 2;
+         } else {
+             runlen = HLL_SPARSE_VAL_LEN(p);
+             regval = HLL_SPARSE_VAL_VALUE(p);
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             idx += runlen;
+             reghisto[regval] += runlen;
+             p++;
+         }
+     }
+-    if (idx != HLL_REGISTERS && invalid) *invalid = 1;
++    if ((!valid || idx != HLL_REGISTERS) && invalid) *invalid = 1;
+ }
+ 
+ /* ========================= HyperLogLog Count ==============================
+@@ -1091,22 +1116,34 @@ int hllMerge(uint8_t *max, robj *hll) {
+     } else {
+         uint8_t *p = hll->ptr, *end = p + sdslen(hll->ptr);
+         long runlen, regval;
++        int valid = 1;
+ 
+         p += HLL_HDR_SIZE;
+         i = 0;
+         while(p < end) {
+             if (HLL_SPARSE_IS_ZERO(p)) {
+                 runlen = HLL_SPARSE_ZERO_LEN(p);
++                if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
++                    valid = 0;
++                    break;
++                }
+                 i += runlen;
+                 p++;
+             } else if (HLL_SPARSE_IS_XZERO(p)) {
+                 runlen = HLL_SPARSE_XZERO_LEN(p);
++                if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
++                    valid = 0;
++                    break;
++                }
+                 i += runlen;
+                 p += 2;
+             } else {
+                 runlen = HLL_SPARSE_VAL_LEN(p);
+                 regval = HLL_SPARSE_VAL_VALUE(p);
+-                if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. */
++                if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
++                    valid = 0;
++                    break;
++                }
+                 while(runlen--) {
+                     if (regval > max[i]) max[i] = regval;
+                     i++;
+@@ -1114,7 +1151,7 @@ int hllMerge(uint8_t *max, robj *hll) {
+                 p++;
+             }
+         }
+-        if (i != HLL_REGISTERS) return C_ERR;
++        if (!valid || i != HLL_REGISTERS) return C_ERR;
+     }
+     return C_OK;
+ }
+diff --git a/tests/unit/hyperloglog.tcl b/tests/unit/hyperloglog.tcl
+index ee437189fb8..bc90eb210a9 100644
+--- a/tests/unit/hyperloglog.tcl
++++ b/tests/unit/hyperloglog.tcl
+@@ -137,6 +137,57 @@ start_server {tags {"hll"}} {
+         set e
+     } {*WRONGTYPE*}
+ 
++    test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with XZERO opcode} {
++        r del hll
++        
++        # Create a sparse-encoded HyperLogLog header
++        set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]]
++
++        # Create an XZERO opcode with the maximum run length of 16384(2^14)
++        set runlen [expr 16384 - 1]
++        set chunk [binary format cc [expr {0b01000000 | ($runlen >> 8)}] [expr {$runlen & 0xff}]]
++        # Fill the HLL with more than 131072(2^17) XZERO opcodes to make the total
++        # run length exceed 4GB, will cause an integer overflow.
++        set repeat [expr 131072 + 1000]
++        for {set i 0} {$i < $repeat} {incr i} {
++            append pl $chunk
++        }
++
++        # Create a VAL opcode with a value that will cause out-of-bounds.
++        append pl [binary format c 0b11111111]
++        r set hll $pl
++
++        # This should not overflow and out-of-bounds.
++        assert_error {*INVALIDOBJ*} {r pfcount hll hll}
++        assert_error {*INVALIDOBJ*} {r pfdebug getreg hll}
++        r ping
++    }
++
++    test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with ZERO opcode} {
++        r del hll
++        
++        # Create a sparse-encoded HyperLogLog header
++        set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]]
++
++        # # Create an ZERO opcode with the maximum run length of 64(2^6)
++        set chunk [binary format c [expr {0b00000000 | 0x3f}]]
++        # Fill the HLL with more than 33554432(2^17) ZERO opcodes to make the total
++        # run length exceed 4GB, will cause an integer overflow.
++        set repeat [expr 33554432 + 1000]
++        for {set i 0} {$i < $repeat} {incr i} {
++            append pl $chunk
++        }
++
++        # Create a VAL opcode with a value that will cause out-of-bounds.
++        append pl [binary format c 0b11111111]
++        r set hll $pl
++
++        # This should not overflow and out-of-bounds.
++        assert_error {*INVALIDOBJ*} {r pfcount hll hll}
++        assert_error {*INVALIDOBJ*} {r pfdebug getreg hll}
++        r ping
++    }
++
+     test {Corrupted dense HyperLogLogs are detected: Wrong length} {
+         r del hll
+         r pfadd hll a b c
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index 22163d9e74..1c45784b6e 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://CVE-2024-51741.patch \
            file://CVE-2025-21605.patch \
            file://CVE-2025-27151.patch \
+           file://CVE-2025-32023.patch \
            "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
 

From patchwork Thu Oct 16 10:10:16 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 72492
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 14A97CCD19E
	for <webhook@archiver.kernel.org>; Thu, 16 Oct 2025 10:10:42 +0000 (UTC)
Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com
 [209.85.215.172])
 by mx.groups.io with SMTP id smtpd.web11.4595.1760609436517198768
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:36 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=DpQnKsdF;
 spf=pass (domain: mvista.com, ip: 209.85.215.172,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pg1-f172.google.com with SMTP id
 41be03b00d2f7-b679450ecb6so410909a12.2
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1760609435; x=1761214235;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=etaKVOOVHSTM6bOEfPIe3umSVTN7gd2frbtmNPy5xbY=;
        b=DpQnKsdFkYz76mh48R2f7SP732rsEyJgTdgFbKdriGT3LWVqsUKjluCvXVLBNMoA9y
         V4vQzgFoacOAoVClmLUvNxghMtO9fJaQcZrW15rvm7mN6CHVnnsUGXcXXigIz0jFIjLB
         c55DImecwP5KGJGghVSzAC2Ivk63JV7FhEdeQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760609435; x=1761214235;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=etaKVOOVHSTM6bOEfPIe3umSVTN7gd2frbtmNPy5xbY=;
        b=sHHBXQgdH02UDdpX9nb8zMGKKluZxC4MeqUFHgV/mBpkCjANWiFNZZVJu6tFLJPeVZ
         3O2Fr45/Vo+GjD47YdWPpVAbhtTxHmqDgt3MKn4koW6ZhDsUkOIGdp4RaIHI1qOpSzt+
         SCp7MNdUxNnuDrsbzxGfLfp8RywE+NUu5MyvI67A1R4H/l5CAJSCVzcdeNN0gKM2E7qy
         0yFYrbZLVr1BS8cL9OnGlQgziOslcr/sx/JMn4CfFiuns1ZYGQhXyatciWp54VnjB+lI
         H2vS++Pw3kUNIEGfdnQma3hbALjxqa8+cw82EXLbmHrLkt8SReNHqpiTwXwM/h9aCiXj
         1Nmw==
X-Gm-Message-State: AOJu0Yw1esdgWUaSHSxvgHJwzqYTUBCELUXb/Rptq/0dgNQLdoBBsv5P
	02ZeOG4I39Nx28OWjeiJOm6TrOxQtmC9YR9NgyaP9qtG+VbOa5J0cm6z2pfP0Fw0hfXT8kaFkzy
	1m6bOox8=
X-Gm-Gg: ASbGncuvQKHPD8xqG2nmUZxnZgahe2s6JnnvCggDT4+kAO2MFJ0wtpI87b3wdt+gTEP
	K50clnqY3plBXLjsWhTKaJG2NHsORIWjp6CstheMOLZoun45mdacW3wgQT4nxTWPKoIxnvX8AY9
	zJqKoteVjZBwzX3e5XX3Qt9u3CfUhA5sMa9OE9GyltnrveOrPcOHJSbsfIUGK/v3Jrv7uq6kBIB
	gJFNojuhO9oF97IuqlHIM+ns2G3XCu7qSoiuqx9pFIgP0xvbLNRf25tlapSMBnRcxZciyOddrNG
	fWnVxLavmfnxBNcvtPkMbCrve8va4KU2RQLX1vTy2UbUeLvXDwQwJfeD73ubyi1p6+Q5hKtFId0
	vMXOli3/jjEYo0g6qaRskDBTk2YnxWTW65AdSdKXWsXz3AODq+K1MQxDqgWCUkvJAB8YmDpxQXW
	db80SFJZDBR4wmPwc=
X-Google-Smtp-Source: 
 AGHT+IHO4lknZGaOalEeH3ttfYNo4WmGQY5eLyFI3qOW1HPaydqn+TCDK99f5EfYgx9eHmlV6Zo7Ug==
X-Received: by 2002:a17:902:f60d:b0:26a:b9b4:8342 with SMTP id
 d9443c01a7336-2902726259dmr374089925ad.25.1760609435257;
        Thu, 16 Oct 2025 03:10:35 -0700 (PDT)
Received: from localhost.localdomain
 ([2401:4900:8fcc:1614:2a1b:7928:3155:7a64])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29099a7cebbsm24617685ad.64.2025.10.16.03.10.33
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Oct 2025 03:10:34 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-devel@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [oe][meta-oe][kirkstone][PATCH 3/7] redis: Fix CVE-2025-48367
Date: Thu, 16 Oct 2025 15:40:16 +0530
Message-Id: <20251016101020.279084-3-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20251016101020.279084-1-vanusuri@mvista.com>
References: <20251016101020.279084-1-vanusuri@mvista.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 16 Oct 2025 10:10:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/120731

From: Vijay Anusuri <vanusuri@mvista.com>

import patch from debian to fix
 CVE-2025-48367

Upstream-Status: Backport [import from debian redis_7.0.15-1~deb12u6.debian.tar.xz
Upstream commit
https://github.com/redis/redis/commit/0fe67435935cc5724ff6eb9c4ca4120c58a15765]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../redis/redis-7.0.13/CVE-2025-48367.patch   | 111 ++++++++++++++++++
 .../recipes-extended/redis/redis_7.0.13.bb    |   1 +
 2 files changed, 112 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-48367.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-48367.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-48367.patch
new file mode 100644
index 0000000000..0084eaa04a
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-48367.patch
@@ -0,0 +1,111 @@
+From 0fe67435935cc5724ff6eb9c4ca4120c58a15765 Mon Sep 17 00:00:00 2001
+From: Ozan Tezcan <ozantezcan@gmail.com>
+Date: Wed, 14 May 2025 11:02:30 +0300
+Subject: [PATCH] Retry accept() even if accepted connection reports an error
+ (CVE-2025-48367)
+
+In case of accept4() returns an error, we should check errno value and
+decide if we should retry accept4() without waiting next event loop iteration.
+
+Upstream-Status: Backport [import from debian redis_7.0.15-1~deb12u6.debian.tar.xz
+Upstream commit
+https://github.com/redis/redis/commit/0fe67435935cc5724ff6eb9c4ca4120c58a15765]
+CVE: CVE-2025-48367
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/anet.c       | 24 ++++++++++++++++++++++++
+ src/anet.h       |  1 +
+ src/cluster.c    |  2 ++
+ src/networking.c |  6 ++++++
+ 4 files changed, 33 insertions(+)
+
+diff --git a/src/anet.c b/src/anet.c
+index 10840fc..a38ab1b 100644
+--- a/src/anet.c
++++ b/src/anet.c
+@@ -705,3 +705,27 @@ int anetSetSockMarkId(char *err, int fd, uint32_t id) {
+     return ANET_OK;
+ #endif
+ }
++
++/* This function must be called after accept4() fails. It returns 1 if 'err'
++ * indicates accepted connection faced an error, and it's okay to continue
++ * accepting next connection by calling accept4() again. Other errors either
++ * indicate programming errors, e.g. calling accept() on a closed fd or indicate
++ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been
++ * reached. In the latter case, caller might wait until resources are available.
++ * See accept4() documentation for details. */
++int anetAcceptFailureNeedsRetry(int err) {
++    if (err == ECONNABORTED)
++	return 1;
++
++#if defined(__linux__)
++    /* For details, see 'Error Handling' section on
++     * https://man7.org/linux/man-pages/man2/accept.2.html */
++    if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT ||
++	err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH ||
++	err == EOPNOTSUPP || err == ENETUNREACH)
++    {
++	return 1;
++    }
++#endif
++    return 0;
++}
+diff --git a/src/anet.h b/src/anet.h
+index ff86e20..864f756 100644
+--- a/src/anet.h
++++ b/src/anet.h
+@@ -74,5 +74,6 @@ int anetFormatAddr(char *fmt, size_t fmt_len, char *ip, int port);
+ int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type);
+ int anetPipe(int fds[2], int read_flags, int write_flags);
+ int anetSetSockMarkId(char *err, int fd, uint32_t id);
++int anetAcceptFailureNeedsRetry(int err);
+ 
+ #endif
+diff --git a/src/cluster.c b/src/cluster.c
+index 70ede5c..cb37160 100644
+--- a/src/cluster.c
++++ b/src/cluster.c
+@@ -879,6 +879,8 @@ void clusterAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
+     while(max--) {
+         cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
+         if (cfd == ANET_ERR) {
++            if (anetAcceptFailureNeedsRetry(errno))
++                continue;
+             if (errno != EWOULDBLOCK)
+                 serverLog(LL_VERBOSE,
+                     "Error accepting cluster node: %s", server.neterr);
+diff --git a/src/networking.c b/src/networking.c
+index 386773e..0f9b7bf 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -1366,6 +1366,8 @@ void acceptTcpHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
+     while(max--) {
+         cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
+         if (cfd == ANET_ERR) {
++            if (anetAcceptFailureNeedsRetry(errno))
++                continue;
+             if (errno != EWOULDBLOCK)
+                 serverLog(LL_WARNING,
+                     "Accepting client connection: %s", server.neterr);
+@@ -1386,6 +1388,8 @@ void acceptTLSHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
+     while(max--) {
+         cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
+         if (cfd == ANET_ERR) {
++            if (anetAcceptFailureNeedsRetry(errno))
++                continue;
+             if (errno != EWOULDBLOCK)
+                 serverLog(LL_WARNING,
+                     "Accepting client connection: %s", server.neterr);
+@@ -1405,6 +1409,8 @@ void acceptUnixHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
+     while(max--) {
+         cfd = anetUnixAccept(server.neterr, fd);
+         if (cfd == ANET_ERR) {
++            if (anetAcceptFailureNeedsRetry(errno))
++                continue;
+             if (errno != EWOULDBLOCK)
+                 serverLog(LL_WARNING,
+                     "Accepting client connection: %s", server.neterr);
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index 1c45784b6e..9e4b158b7a 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://CVE-2025-21605.patch \
            file://CVE-2025-27151.patch \
            file://CVE-2025-32023.patch \
+           file://CVE-2025-48367.patch \
            "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
 

From patchwork Thu Oct 16 10:10:17 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 72491
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 02129CCD194
	for <webhook@archiver.kernel.org>; Thu, 16 Oct 2025 10:10:42 +0000 (UTC)
Received: from mail-pg1-f170.google.com (mail-pg1-f170.google.com
 [209.85.215.170])
 by mx.groups.io with SMTP id smtpd.web11.4597.1760609438529497966
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:38 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=buon0kt+;
 spf=pass (domain: mvista.com, ip: 209.85.215.170,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pg1-f170.google.com with SMTP id
 41be03b00d2f7-b608df6d2a0so449192a12.1
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1760609437; x=1761214237;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=i9jKo5OeUSAPOx/AVd5tGNd4hbE3hrwLvUcyxvdoKh0=;
        b=buon0kt+fnt7/Do1buZm8YNLokCs2jt1BVbUme/SvcRgki6W7lHwU+jpW4MCwZIFrY
         9F1QlvoL1uYrQTU9Df2wVbWdpyYebMuBQb75Uy/DjSWQS6L2tXj2RBj79qp1TNGRUulV
         0z52GoQ5/WdLI147RzfHKQDTehYRHZJCjOiuo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760609437; x=1761214237;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=i9jKo5OeUSAPOx/AVd5tGNd4hbE3hrwLvUcyxvdoKh0=;
        b=PK3onLlwN3r/YSSXEoYNQZvYxr82IVCdvko/wEKjkpBj/PkM+vUORAh2+nKtd6hsdg
         1F22Icps2lD0VVttw7szV0f+F6gQdc/XP9vK68HeWhWcSyZ5guhF50gduTOHHU+U76Mi
         6Cp1l2AIj+8OngtIZYkliU5fXgayuQzJ7U5VvWQNw1cfazyAodQ2/sXSiqGK7tfHWpXN
         VT5RlNlRAlgj1dtSe32/nBNGtIAq1gHQxbPoKcsTJ+adh0rklFVTJZDKpKPe5U6R7Wuy
         P3AqZAPAt8XyR5ZAqWlORen7CFam4P7VdvuxjWLrdOdv9pvseWJIcp1QJ7xhYHKW5KNt
         0J1g==
X-Gm-Message-State: AOJu0YxwrZBMhEeG9IQC1JIlYS1cckczVQqT6E+EdrDBN6eBS0h7VraJ
	9rO4Tc+sicQNSjE9zjZo2rN9jyKNhimuwJdQIG7OSZ4gSeXKNmygwnZvVMjNMOVCRE6uQqPIv1E
	MQ3dD+Vs=
X-Gm-Gg: ASbGncvx9Kblefx6LRk+w7e6dbzq/iCvd2a8OV+hU0b4Xr6zf8CG4VdRvYNe7iW7C6S
	IFHv3XfQjPGwhioQYIH16eNKMDMQBU7qZ7mKdn3gvHjSZDbCC32j/q9kG6/UqCqf4Z2HVib+YvT
	/NZiZ0qYzzyiPvyWyz5nLjOfkFb8/IUdcXluc2RRc8JUtvrjbdJcTyiQ/1kNfjHxlp7Z9r72+3o
	y8fNmn/J9jB+c4Z9bZ5VZyz4RGd9fxesJVr39eqYS2sCa/PEFIYZeDsEQ2TYF8rKnrLO5ms8Qga
	qW7BxZ6UWs2FCj8t08D5vAzFglk80uJIGUy8XGaz+I1eIX9n+j3HQuYKWo1QBykWT4iJsvcrsqo
	1AZdf83AgsI2VQNlIw72ibvotRMw5s6MinUKz4LoHVCiMmGOPs9n0WYl02C3F5JCwVAik0qlAXg
	r+JEwhGTxgTWsfgQk=
X-Google-Smtp-Source: 
 AGHT+IHvSEH5ir/Dcuk7M/FeVte67a2arwTDLrpAeetwUMufctfMjpWvLk7PccNaQG1HbsfRvY61ZA==
X-Received: by 2002:a17:903:2d1:b0:277:3488:787e with SMTP id
 d9443c01a7336-29027356933mr375303305ad.12.1760609437520;
        Thu, 16 Oct 2025 03:10:37 -0700 (PDT)
Received: from localhost.localdomain
 ([2401:4900:8fcc:1614:2a1b:7928:3155:7a64])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29099a7cebbsm24617685ad.64.2025.10.16.03.10.35
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Oct 2025 03:10:36 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-devel@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [oe][meta-oe][kirkstone][PATCH 4/7] redis: Fix CVE-2025-46817
Date: Thu, 16 Oct 2025 15:40:17 +0530
Message-Id: <20251016101020.279084-4-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20251016101020.279084-1-vanusuri@mvista.com>
References: <20251016101020.279084-1-vanusuri@mvista.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 16 Oct 2025 10:10:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/120732

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://github.com/redis/redis/commit/fc282edb61b56e7fe1e6bacf9400252145852fdc

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../redis/redis-7.0.13/CVE-2025-46817.patch   | 101 ++++++++++++++++++
 .../recipes-extended/redis/redis_7.0.13.bb    |   1 +
 2 files changed, 102 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46817.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46817.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46817.patch
new file mode 100644
index 0000000000..97b722b03e
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46817.patch
@@ -0,0 +1,101 @@
+From fc282edb61b56e7fe1e6bacf9400252145852fdc Mon Sep 17 00:00:00 2001
+From: Ozan Tezcan <ozantezcan@gmail.com>
+Date: Mon, 23 Jun 2025 13:33:00 +0300
+Subject: [PATCH] Lua script may lead to integer overflow and potential RCE
+ (CVE-2025-46817)
+
+Upstream-Status: Backport [https://github.com/redis/redis/commit/fc282edb61b56e7fe1e6bacf9400252145852fdc]
+CVE: CVE-2025-46817
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ deps/lua/src/lbaselib.c  |  7 ++++---
+ deps/lua/src/ltable.c    |  3 +--
+ tests/unit/scripting.tcl | 39 +++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 5 deletions(-)
+
+diff --git a/deps/lua/src/lbaselib.c b/deps/lua/src/lbaselib.c
+index 2ab550bd48d..26172d15b40 100644
+--- a/deps/lua/src/lbaselib.c
++++ b/deps/lua/src/lbaselib.c
+@@ -340,13 +340,14 @@ static int luaB_assert (lua_State *L) {
+ 
+ 
+ static int luaB_unpack (lua_State *L) {
+-  int i, e, n;
++  int i, e;
++  unsigned int n;
+   luaL_checktype(L, 1, LUA_TTABLE);
+   i = luaL_optint(L, 2, 1);
+   e = luaL_opt(L, luaL_checkint, 3, luaL_getn(L, 1));
+   if (i > e) return 0;  /* empty range */
+-  n = e - i + 1;  /* number of elements */
+-  if (n <= 0 || !lua_checkstack(L, n))  /* n <= 0 means arith. overflow */
++  n = (unsigned int)e - (unsigned int)i;  /* number of elements minus 1 */
++  if (n >= INT_MAX || !lua_checkstack(L, ++n))
+     return luaL_error(L, "too many results to unpack");
+   lua_rawgeti(L, 1, i);  /* push arg[i] (avoiding overflow problems) */
+   while (i++ < e)  /* push arg[i + 1...e] */
+diff --git a/deps/lua/src/ltable.c b/deps/lua/src/ltable.c
+index f75fe19fe39..55575a8ace9 100644
+--- a/deps/lua/src/ltable.c
++++ b/deps/lua/src/ltable.c
+@@ -434,8 +434,7 @@ static TValue *newkey (lua_State *L, Table *t, const TValue *key) {
+ ** search function for integers
+ */
+ const TValue *luaH_getnum (Table *t, int key) {
+-  /* (1 <= key && key <= t->sizearray) */
+-  if (cast(unsigned int, key-1) < cast(unsigned int, t->sizearray))
++  if (1 <= key && key <= t->sizearray)
+     return &t->array[key-1];
+   else {
+     lua_Number nk = cast_num(key);
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index 333cc2692de..d45c63ceec3 100644
+--- a/tests/unit/scripting.tcl
++++ b/tests/unit/scripting.tcl
+@@ -315,6 +315,45 @@ start_server {tags {"scripting"}} {
+         set e
+     } {*against a key*}
+ 
++    test {EVAL - Test table unpack with invalid indexes} {
++        catch {run_script { return {unpack({1,2,3}, -2, 2147483647)} } 0} e
++        assert_match {*too many results to unpack*} $e
++        catch {run_script { return {unpack({1,2,3}, 0, 2147483647)} } 0} e
++        assert_match {*too many results to unpack*} $e
++        catch {run_script { return {unpack({1,2,3}, -2147483648, -2)} } 0} e
++        assert_match {*too many results to unpack*} $e
++        set res [run_script { return {unpack({1,2,3}, -1, -2)} } 0]
++        assert_match {} $res
++        set res [run_script { return {unpack({1,2,3}, 1, -1)} } 0]
++        assert_match {} $res
++
++        # unpack with range -1 to 5, verify nil indexes
++        set res [run_script {
++             local function unpack_to_list(t, i, j)
++               local n, v = select('#', unpack(t, i, j)), {unpack(t, i, j)}
++               for i = 1, n do v[i] = v[i] or '_NIL_' end
++               v.n = n
++               return v
++             end
++
++            return unpack_to_list({1,2,3}, -1, 5)
++        } 0]
++        assert_match {_NIL_ _NIL_ 1 2 3 _NIL_ _NIL_} $res
++
++        # unpack with negative range, verify nil indexes
++        set res [run_script {
++             local function unpack_to_list(t, i, j)
++               local n, v = select('#', unpack(t, i, j)), {unpack(t, i, j)}
++               for i = 1, n do v[i] = v[i] or '_NIL_' end
++               v.n = n
++               return v
++             end
++
++            return unpack_to_list({1,2,3}, -2147483648, -2147483646)
++        } 0]
++        assert_match {_NIL_ _NIL_ _NIL_} $res
++    } {}
++
+     test {EVAL - JSON numeric decoding} {
+         # We must return the table as a string because otherwise
+         # Redis converts floats to ints and we get 0 and 1023 instead
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index 9e4b158b7a..e3a302e582 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://CVE-2025-27151.patch \
            file://CVE-2025-32023.patch \
            file://CVE-2025-48367.patch \
+           file://CVE-2025-46817.patch \
            "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
 

From patchwork Thu Oct 16 10:10:18 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 72490
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 08520CCD183
	for <webhook@archiver.kernel.org>; Thu, 16 Oct 2025 10:10:42 +0000 (UTC)
Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com
 [209.85.214.179])
 by mx.groups.io with SMTP id smtpd.web10.4461.1760609441012072834
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:41 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=VkiyUeRn;
 spf=pass (domain: mvista.com, ip: 209.85.214.179,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pl1-f179.google.com with SMTP id
 d9443c01a7336-2909448641eso5063715ad.1
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1760609440; x=1761214240;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=XhKdRj1sTimcQoF3rwq8tFSMZSuxR7ZGb4OGvvDwfoM=;
        b=VkiyUeRn7+jA1MThw/wrv9Pfn4dvFkIBvkACA4sVn676x/ziJwg12zhk/VCjUg9yWy
         ZyXoP3ShSfP7qQu6o2XofBn8UCoPlZwUh5meOC4kBETrZkNCN95qCES+7RJ0mDzRicNK
         WDQCy7CL+oqfisFwGs3IFKN6AY6jBowUaPX24=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760609440; x=1761214240;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=XhKdRj1sTimcQoF3rwq8tFSMZSuxR7ZGb4OGvvDwfoM=;
        b=jxVxYlSLwWaFXnYJyx5Xc48G6eW9kiXp3RrNesLyPGGx/9uxdutkESUgB1f7Fg+hKT
         KNHKYQsRF+4burh8lF1ePUCEkedzdCNZgvfyXRpTlrvVLKkhy5k8dXYf9mmkGShnoy+i
         sbsEDCCeF2xIQJx1WlXtWuhTsBtjZLx5Ru2EvHZwktI1CCCcoAWgJ8Py5KlhvT07ax8u
         RLoEnwFjN7cXlmnBJK/67ZUd1Di0h4QfGUk0uSJi6ZXDPlx0+jkSiYqDs/autCEs0rmK
         e3pA5GLsbZMpRpNv8Lb7BLKVokYIed4yvZa6gCvb6yy2BkYySZv+AMh4659aelMnbEaT
         zpKQ==
X-Gm-Message-State: AOJu0YxLmsdKT05WdDr/VNsZNGMMaes7bdu/3NZOLe3BUGcupxs6SKwH
	x7tJTvz1gW520cWrbvVtsjA7wkhII+pG+ZuYqwtMoC8DGYN4vLJwbTYrr+wYAVpAkr6M3Ygnh3d
	ZZGxlHTE=
X-Gm-Gg: ASbGncvwvUjwkhEQ2xEJ8NdMRVcEPOwfuSB93Gh+At0GtEA93vt7SUdhkZAISdnU0+a
	osTyHhSPXBXabE4aLkJLk50LkiT3z5OfMhmFDN9xGYXEVg8Qt7IJTNIQ3nwDNb8V4fashXQuSiI
	GNn06z2k0mQBgTxg0fEBHmBjsfg34Hkj/Saoo2By1ni0Oqv+ZE9yh8uflMYxlPhVLWHRWt76QQR
	kGCGQE6IQCHCFfHdlvvyN2TMBkHWRckmHZAgr+XjDI8pfllO75XId2i5bSfZ0c7a39oA3dIt+Xq
	/fXrfmuT8mN36TLu9lffbS3ZFm9/IFyCpn9e5EV7GUGX5ZJMqmZgl2PfTIZvMGq5u0uYS0ABwjw
	YYpkJQX3WHlqsRumcrESyKGP6kylDDkZfuFv905HJ31aUaXlojN0gRenwSAK8TfVcf1yipr1uSR
	Q4jk+JRfNqfiXGZ8M=
X-Google-Smtp-Source: 
 AGHT+IG/RyKEzhF4WhfcHY+2dsfYjD5ld6LoJD0e8ZJn9orOYCd5k1mTTtER97zi1om8dg4C7QQbdg==
X-Received: by 2002:a17:902:e750:b0:26c:4085:e3ef with SMTP id
 d9443c01a7336-29091b390e9mr39800615ad.21.1760609439826;
        Thu, 16 Oct 2025 03:10:39 -0700 (PDT)
Received: from localhost.localdomain
 ([2401:4900:8fcc:1614:2a1b:7928:3155:7a64])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29099a7cebbsm24617685ad.64.2025.10.16.03.10.37
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Oct 2025 03:10:39 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-devel@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [oe][meta-oe][kirkstone][PATCH 5/7] redis: Fix CVE-2025-46818
Date: Thu, 16 Oct 2025 15:40:18 +0530
Message-Id: <20251016101020.279084-5-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20251016101020.279084-1-vanusuri@mvista.com>
References: <20251016101020.279084-1-vanusuri@mvista.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 16 Oct 2025 10:10:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/120733

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://github.com/redis/redis/commit/dccb672d838f05c940f040c27b74fde6fb47b2a7

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../redis/redis-7.0.13/CVE-2025-46818.patch   | 283 ++++++++++++++++++
 .../recipes-extended/redis/redis_7.0.13.bb    |   1 +
 2 files changed, 284 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46818.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46818.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46818.patch
new file mode 100644
index 0000000000..0f7fc15cfc
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46818.patch
@@ -0,0 +1,283 @@
+From dccb672d838f05c940f040c27b74fde6fb47b2a7 Mon Sep 17 00:00:00 2001
+From: Ozan Tezcan <ozantezcan@gmail.com>
+Date: Mon, 23 Jun 2025 12:10:12 +0300
+Subject: [PATCH] Lua script can be executed in the context of another user
+ (CVE-2025-46818)
+
+Upstream-Status: Backport [https://github.com/redis/redis/commit/dccb672d838f05c940f040c27b74fde6fb47b2a7]
+CVE: CVE-2025-46818
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/config.c             |  1 +
+ src/eval.c               |  2 ++
+ src/function_lua.c       |  2 ++
+ src/script_lua.c         | 59 +++++++++++++++++++++++++++++----
+ src/script_lua.h         |  1 +
+ src/server.h             |  1 +
+ tests/unit/scripting.tcl | 70 ++++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 129 insertions(+), 7 deletions(-)
+
+diff --git a/src/config.c b/src/config.c
+index bfb49ef..d232eaf 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -3011,6 +3011,7 @@ standardConfig static_configs[] = {
+     createBoolConfig("latency-tracking", NULL, MODIFIABLE_CONFIG, server.latency_tracking_enabled, 1, NULL, NULL),
+     createBoolConfig("aof-disable-auto-gc", NULL, MODIFIABLE_CONFIG, server.aof_disable_auto_gc, 0, NULL, updateAofAutoGCEnabled),
+     createBoolConfig("replica-ignore-disk-write-errors", NULL, MODIFIABLE_CONFIG, server.repl_ignore_disk_write_error, 0, NULL, NULL),
++    createBoolConfig("lua-enable-deprecated-api", NULL, IMMUTABLE_CONFIG | HIDDEN_CONFIG, server.lua_enable_deprecated_api, 0, NULL, NULL),
+ 
+     /* String Configs */
+     createStringConfig("aclfile", NULL, IMMUTABLE_CONFIG, ALLOW_EMPTY_STRING, server.acl_filename, "", NULL, NULL),
+diff --git a/src/eval.c b/src/eval.c
+index a562335..f39ccc9 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -261,6 +261,8 @@ void scriptingInit(int setup) {
+     /* Recursively lock all tables that can be reached from the global table */
+     luaSetTableProtectionRecursively(lua);
+     lua_pop(lua, 1);
++    /* Set metatables of basic types (string, number, nil etc.) readonly. */
++    luaSetTableProtectionForBasicTypes(lua);
+ 
+     lctx.lua = lua;
+ }
+diff --git a/src/function_lua.c b/src/function_lua.c
+index aedadb0..9450437 100644
+--- a/src/function_lua.c
++++ b/src/function_lua.c
+@@ -490,6 +490,8 @@ int luaEngineInitEngine() {
+     lua_enablereadonlytable(lua_engine_ctx->lua, -1, 1); /* protect the new global table */
+     lua_replace(lua_engine_ctx->lua, LUA_GLOBALSINDEX); /* set new global table as the new globals */
+ 
++    /* Set metatables of basic types (string, number, nil etc.) readonly. */
++    luaSetTableProtectionForBasicTypes(lua_engine_ctx->lua);
+ 
+     engine *lua_engine = zmalloc(sizeof(*lua_engine));
+     *lua_engine = (engine) {
+diff --git a/src/script_lua.c b/src/script_lua.c
+index 33ed2aa..25a798f 100644
+--- a/src/script_lua.c
++++ b/src/script_lua.c
+@@ -65,7 +65,6 @@ static char *redis_api_allow_list[] = {
+ static char *lua_builtins_allow_list[] = {
+     "xpcall",
+     "tostring",
+-    "getfenv",
+     "setmetatable",
+     "next",
+     "assert",
+@@ -86,15 +85,16 @@ static char *lua_builtins_allow_list[] = {
+     "loadstring",
+     "ipairs",
+     "_VERSION",
+-    "setfenv",
+     "load",
+     "error",
+     NULL,
+ };
+ 
+-/* Lua builtins which are not documented on the Lua documentation */
+-static char *lua_builtins_not_documented_allow_list[] = {
++/* Lua builtins which are deprecated for sandboxing concerns */
++static char *lua_builtins_deprecated[] = {
+     "newproxy",
++    "setfenv",
++    "getfenv",
+     NULL,
+ };
+ 
+@@ -116,7 +116,6 @@ static char **allow_lists[] = {
+     libraries_allow_list,
+     redis_api_allow_list,
+     lua_builtins_allow_list,
+-    lua_builtins_not_documented_allow_list,
+     lua_builtins_removed_after_initialization_allow_list,
+     NULL,
+ };
+@@ -1323,7 +1322,22 @@ static int luaNewIndexAllowList(lua_State *lua) {
+             break;
+         }
+     }
+-    if (!*allow_l) {
++
++    int allowed = (*allow_l != NULL);
++    /* If not explicitly allowed, check if it's a deprecated function. If so,
++     * allow it only if 'lua_enable_deprecated_api' config is enabled. */
++    int deprecated = 0;
++    if (!allowed) {
++        char **c = lua_builtins_deprecated;
++        for (; *c; ++c) {
++            if (strcmp(*c, variable_name) == 0) {
++                deprecated = 1;
++                allowed = server.lua_enable_deprecated_api ? 1 : 0;
++                break;
++            }
++        }
++    }
++    if (!allowed) {
+         /* Search the value on the back list, if its there we know that it was removed
+          * on purpose and there is no need to print a warning. */
+         char **c = deny_list;
+@@ -1332,7 +1346,7 @@ static int luaNewIndexAllowList(lua_State *lua) {
+                 break;
+             }
+         }
+-        if (!*c) {
++        if (!*c && !deprecated) {
+             serverLog(LL_WARNING, "A key '%s' was added to Lua globals which is not on the globals allow list nor listed on the deny list.", variable_name);
+         }
+     } else {
+@@ -1384,6 +1398,37 @@ void luaSetTableProtectionRecursively(lua_State *lua) {
+     }
+ }
+ 
++/* Set the readonly flag on the metatable of basic types (string, nil etc.) */
++void luaSetTableProtectionForBasicTypes(lua_State *lua) {
++    static const int types[] = {
++        LUA_TSTRING,
++        LUA_TNUMBER,
++        LUA_TBOOLEAN,
++        LUA_TNIL,
++        LUA_TFUNCTION,
++        LUA_TTHREAD,
++        LUA_TLIGHTUSERDATA
++    };
++
++    for (size_t i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
++        /* Push a dummy value of the type to get its metatable */
++        switch (types[i]) {
++            case LUA_TSTRING: lua_pushstring(lua, ""); break;
++            case LUA_TNUMBER: lua_pushnumber(lua, 0); break;
++            case LUA_TBOOLEAN: lua_pushboolean(lua, 0); break;
++            case LUA_TNIL: lua_pushnil(lua); break;
++            case LUA_TFUNCTION: lua_pushcfunction(lua, NULL); break;
++            case LUA_TTHREAD: lua_newthread(lua); break;
++            case LUA_TLIGHTUSERDATA: lua_pushlightuserdata(lua, (void*)lua); break;
++        }
++        if (lua_getmetatable(lua, -1)) {
++            luaSetTableProtectionRecursively(lua);
++            lua_pop(lua, 1); /* pop metatable */
++        }
++        lua_pop(lua, 1); /* pop dummy value */
++    }
++}
++
+ void luaRegisterVersion(lua_State* lua) {
+     lua_pushstring(lua,"REDIS_VERSION_NUM");
+     lua_pushnumber(lua,REDIS_VERSION_NUM);
+diff --git a/src/script_lua.h b/src/script_lua.h
+index 4c2b348..d8a3688 100644
+--- a/src/script_lua.h
++++ b/src/script_lua.h
+@@ -71,6 +71,7 @@ void luaRegisterGlobalProtectionFunction(lua_State *lua);
+ void luaSetErrorMetatable(lua_State *lua);
+ void luaSetAllowListProtection(lua_State *lua);
+ void luaSetTableProtectionRecursively(lua_State *lua);
++void luaSetTableProtectionForBasicTypes(lua_State *lua);
+ void luaRegisterLogFunction(lua_State* lua);
+ void luaRegisterVersion(lua_State* lua);
+ void luaPushErrorBuff(lua_State *lua, sds err_buff);
+diff --git a/src/server.h b/src/server.h
+index 82e4db9..952135f 100644
+--- a/src/server.h
++++ b/src/server.h
+@@ -1900,6 +1900,7 @@ struct redisServer {
+     mstime_t busy_reply_threshold;  /* Script / module timeout in milliseconds */
+     int pre_command_oom_state;         /* OOM before command (script?) was started */
+     int script_disable_deny_script;    /* Allow running commands marked "no-script" inside a script. */
++    int lua_enable_deprecated_api;     /* Config to enable deprecated api */
+     /* Lazy free */
+     int lazyfree_lazy_eviction;
+     int lazyfree_lazy_expire;
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index d2fd6da..58f2028 100644
+--- a/tests/unit/scripting.tcl
++++ b/tests/unit/scripting.tcl
+@@ -1021,6 +1021,27 @@ start_server {tags {"scripting"}} {
+         set _ $e
+     } {*Attempt to modify a readonly table*}
+ 
++    test "Try trick readonly table on basic types metatable" {
++        # Run the following scripts for basic types. Either getmetatable()
++        # should return nil or the metatable must be readonly.
++        set scripts {
++            {getmetatable(nil).__index = function() return 1 end}
++            {getmetatable('').__index = function() return 1 end}
++            {getmetatable(123.222).__index = function() return 1 end}
++            {getmetatable(true).__index = function() return 1 end}
++            {getmetatable(function() return 1 end).__index = function() return 1 end}
++            {getmetatable(coroutine.create(function() return 1 end)).__index = function() return 1 end}
++        }
++
++        foreach code $scripts {
++            catch {run_script $code 0} e
++            assert {
++                [string match "*attempt to index a nil value script*" $e] ||
++                [string match "*Attempt to modify a readonly table*" $e]
++            }
++        }
++    }
++
+     test "Test loadfile are not available" {
+         catch {
+             run_script {
+@@ -1049,6 +1070,55 @@ start_server {tags {"scripting"}} {
+     } {*Script attempted to access nonexistent global variable 'print'*}
+ }
+ 
++# Start a new server to test lua-enable-deprecated-api config
++foreach enabled {no yes} {
++start_server [subst {tags {"scripting external:skip"} overrides {lua-enable-deprecated-api $enabled}}] {
++    test "Test setfenv availability lua-enable-deprecated-api=$enabled" {
++        catch {
++            run_script {
++                local f = function() return 1 end
++                setfenv(f, {})
++                return 0
++            } 0
++        } e
++        if {$enabled} {
++            assert_equal $e 0
++        } else {
++            assert_match {*Script attempted to access nonexistent global variable 'setfenv'*} $e
++        }
++    }
++
++    test "Test getfenv availability lua-enable-deprecated-api=$enabled" {
++        catch {
++            run_script {
++                local f = function() return 1 end
++                getfenv(f)
++                return 0
++            } 0
++        } e
++        if {$enabled} {
++            assert_equal $e 0
++        } else {
++            assert_match {*Script attempted to access nonexistent global variable 'getfenv'*} $e
++        }
++    }
++
++    test "Test newproxy availability lua-enable-deprecated-api=$enabled" {
++        catch {
++            run_script {
++                getmetatable(newproxy(true)).__gc = function() return 1 end
++                return 0
++            } 0
++        } e
++        if {$enabled} {
++            assert_equal $e 0
++        } else {
++            assert_match {*Script attempted to access nonexistent global variable 'newproxy'*} $e
++        }
++    }
++}
++}
++
+ # Start a new server since the last test in this stanza will kill the
+ # instance at all.
+ start_server {tags {"scripting"}} {
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index e3a302e582..be4e90564d 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -28,6 +28,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://CVE-2025-32023.patch \
            file://CVE-2025-48367.patch \
            file://CVE-2025-46817.patch \
+           file://CVE-2025-46818.patch \
            "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
 

From patchwork Thu Oct 16 10:10:19 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 72494
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0C7A4CCD19A
	for <webhook@archiver.kernel.org>; Thu, 16 Oct 2025 10:10:52 +0000 (UTC)
Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com
 [209.85.214.180])
 by mx.groups.io with SMTP id smtpd.web11.4599.1760609443591950778
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:43 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=HYfPaKE9;
 spf=pass (domain: mvista.com, ip: 209.85.214.180,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pl1-f180.google.com with SMTP id
 d9443c01a7336-2907948c1d2so5868535ad.3
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1760609442; x=1761214242;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=8zVbTalNGl9SmRf1qRmjQkgPhrjgWd3Ta0bM2epJxkQ=;
        b=HYfPaKE9DPCcbM+ubowHJPCdfF0HwE1hXaM2+EnuoyhCcdHczZCo3VxszRM/QJrsG0
         4Pjd1TqUPW5pnAGu1ajOrtURaR4wC+kWTWv0cxVj+aVutotbOTm0eBRir+l+XRMBLoxa
         jWqIOo69ynwm1HOWbHho7UQiqvjM7h+IO+aac=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760609442; x=1761214242;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=8zVbTalNGl9SmRf1qRmjQkgPhrjgWd3Ta0bM2epJxkQ=;
        b=PsTpOmEEPchgN2dW6eMJdKsgPy+hzrKvfDV3IHAc8tpr7RE6dPYxZV5H/Rr/H6CcGZ
         abIgYWSbRjoS1QhKFpoknw1gXGmsCVmxU44GPe6q/v0YfrkEh0R8L2VOyHbmJhTJbqhK
         fTXHYvRB+IKizgWzW7uZi4vD9fM38mZe33mfarXnOQMAHHQxnphGZu3MOdbCZoL64eCJ
         EUgEB0nxbuBitPqfhl2udbbDjRqYAe10QDkCl2kXdlUyimQghCAWyxGN9ZJ9kZWV6S0a
         js8JPOAe0adexYuKoJvQ5mSKyNTN+GudfZh1cAQGu4pzdAf+03wl6hBaxkLFj4vDhxt3
         gVBg==
X-Gm-Message-State: AOJu0YxCj2FWry8iqzY5EKIcDq+vwBMVsIZECu8Oum06qHXkwD8vXUuQ
	pYla4+eB2ew0LOwD8JN8ZlwGsuFpUVQi9jYnUlbGlPgq8EePp59HPt+goZ1cXhDkXGjx4NfGwqI
	CYLmvbSQ=
X-Gm-Gg: ASbGncuE6SfgF/Re3t3b7IrTvZoVWiC+CwBjuaMsuh9wnxzwiGe+kHl+9triSSWQTve
	H30tCPxEFtv+p6nFH4vlJVaa/jehd7q9K9a4SAC4M8HRQhzLuCIT33CtU8ogUggB18KWuQloS7h
	B0fnhGPUjtHE5n+9X/CHjSD+0VzAGiWAfFIixmWUuRV/ph8AQgaWlpDz+LuI9RpSdD5+oWdD6vY
	lNvldkcVWzr52qaddRKX5Ic0YTX7e3NC/PW6YEQElihHasluTCopqoh5Ry8GskBrI5Q/Ju9hcQp
	SOvfZWev+CotGujvdQ/oZTl4fnBPWfT69FA8Bj+oOs575mSrryLyIthePxw/sqHkJfv6Zk5nNHx
	tO9zWDaTkHYK3M9vv0hfKnON904ANpazCLKlmwf2Gpe8LEeCesSP3I1iroi0RwFHyBMBRFyUVNa
	O41oDCVRVhG72KUz3E5562wHh9HA==
X-Google-Smtp-Source: 
 AGHT+IEVq0CRUsMJHgVs17+pdbWFkJkz/CE0GUu78XNjtXX6dac9d8i9gzs1IFSJHTUe/QOkWHLzTw==
X-Received: by 2002:a17:902:d50f:b0:278:9051:8ea9 with SMTP id
 d9443c01a7336-290272dc4a7mr439383985ad.40.1760609442448;
        Thu, 16 Oct 2025 03:10:42 -0700 (PDT)
Received: from localhost.localdomain
 ([2401:4900:8fcc:1614:2a1b:7928:3155:7a64])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29099a7cebbsm24617685ad.64.2025.10.16.03.10.40
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Oct 2025 03:10:41 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-devel@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [oe][meta-oe][kirkstone][PATCH 6/7] redis: Fix CVE-2025-46819
Date: Thu, 16 Oct 2025 15:40:19 +0530
Message-Id: <20251016101020.279084-6-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20251016101020.279084-1-vanusuri@mvista.com>
References: <20251016101020.279084-1-vanusuri@mvista.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 16 Oct 2025 10:10:52 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/120734

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://github.com/redis/redis/commit/2802b52b554cb9f0f249a24474c9fba94e933dbb

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../redis/redis-7.0.13/CVE-2025-46819.patch   | 161 ++++++++++++++++++
 .../recipes-extended/redis/redis_7.0.13.bb    |   1 +
 2 files changed, 162 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch
new file mode 100644
index 0000000000..8f30cce7df
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch
@@ -0,0 +1,161 @@
+From 2802b52b554cb9f0f249a24474c9fba94e933dbb Mon Sep 17 00:00:00 2001
+From: Ozan Tezcan <ozantezcan@gmail.com>
+Date: Mon, 23 Jun 2025 12:11:31 +0300
+Subject: [PATCH] LUA out-of-bound read (CVE-2025-46819)
+
+Upstream-Status: Backport [https://github.com/redis/redis/commit/2802b52b554cb9f0f249a24474c9fba94e933dbb]
+CVE: CVE-2025-46819
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ deps/lua/src/llex.c      | 34 ++++++++++++++++++-----------
+ tests/unit/scripting.tcl | 47 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 13 deletions(-)
+
+diff --git a/deps/lua/src/llex.c b/deps/lua/src/llex.c
+index 88c6790..efad709 100644
+--- a/deps/lua/src/llex.c
++++ b/deps/lua/src/llex.c
+@@ -138,6 +138,7 @@ static void inclinenumber (LexState *ls) {
+ 
+ 
+ void luaX_setinput (lua_State *L, LexState *ls, ZIO *z, TString *source) {
++  ls->t.token = 0;
+   ls->decpoint = '.';
+   ls->L = L;
+   ls->lookahead.token = TK_EOS;  /* no look-ahead token */
+@@ -206,9 +207,13 @@ static void read_numeral (LexState *ls, SemInfo *seminfo) {
+     trydecpoint(ls, seminfo); /* try to update decimal point separator */
+ }
+ 
+-
+-static int skip_sep (LexState *ls) {
+-  int count = 0;
++/*
++** reads a sequence '[=*[' or ']=*]', leaving the last bracket.
++** If a sequence is well-formed, return its number of '='s + 2; otherwise,
++** return 1 if there is no '='s or 0 otherwise (an unfinished '[==...').
++*/
++static size_t skip_sep (LexState *ls) {
++  size_t count = 0;
+   int s = ls->current;
+   lua_assert(s == '[' || s == ']');
+   save_and_next(ls);
+@@ -216,11 +221,13 @@ static int skip_sep (LexState *ls) {
+     save_and_next(ls);
+     count++;
+   }
+-  return (ls->current == s) ? count : (-count) - 1;
++   return (ls->current == s) ? count + 2
++          : (count == 0) ? 1
++          : 0;
+ }
+ 
+ 
+-static void read_long_string (LexState *ls, SemInfo *seminfo, int sep) {
++static void read_long_string (LexState *ls, SemInfo *seminfo, size_t sep) {
+   int cont = 0;
+   (void)(cont);  /* avoid warnings when `cont' is not used */
+   save_and_next(ls);  /* skip 2nd `[' */
+@@ -270,8 +277,8 @@ static void read_long_string (LexState *ls, SemInfo *seminfo, int sep) {
+     }
+   } endloop:
+   if (seminfo)
+-    seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + (2 + sep),
+-                                     luaZ_bufflen(ls->buff) - 2*(2 + sep));
++    seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + sep,
++                                     luaZ_bufflen(ls->buff) - 2 * sep);
+ }
+ 
+ 
+@@ -346,9 +353,9 @@ static int llex (LexState *ls, SemInfo *seminfo) {
+         /* else is a comment */
+         next(ls);
+         if (ls->current == '[') {
+-          int sep = skip_sep(ls);
++          size_t sep = skip_sep(ls);
+           luaZ_resetbuffer(ls->buff);  /* `skip_sep' may dirty the buffer */
+-          if (sep >= 0) {
++          if (sep >= 2) {
+             read_long_string(ls, NULL, sep);  /* long comment */
+             luaZ_resetbuffer(ls->buff);
+             continue;
+@@ -360,13 +367,14 @@ static int llex (LexState *ls, SemInfo *seminfo) {
+         continue;
+       }
+       case '[': {
+-        int sep = skip_sep(ls);
+-        if (sep >= 0) {
++        size_t sep = skip_sep(ls);
++        if (sep >= 2) {
+           read_long_string(ls, seminfo, sep);
+           return TK_STRING;
+         }
+-        else if (sep == -1) return '[';
+-        else luaX_lexerror(ls, "invalid long string delimiter", TK_STRING);
++        else if (sep == 0)  /* '[=...' missing second bracket */
++          luaX_lexerror(ls, "invalid long string delimiter", TK_STRING);
++        return '[';
+       }
+       case '=': {
+         next(ls);
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index 58f2028..2ff0d44 100644
+--- a/tests/unit/scripting.tcl
++++ b/tests/unit/scripting.tcl
+@@ -1070,6 +1070,53 @@ start_server {tags {"scripting"}} {
+     } {*Script attempted to access nonexistent global variable 'print'*}
+ }
+ 
++# start a new server to test the large-memory tests
++start_server {tags {"scripting external:skip large-memory"}} {
++
++    test {EVAL - JSON string encoding a string larger than 2GB} {
++        run_script {
++            local s = string.rep("a", 1024 * 1024 * 1024)
++            return #cjson.encode(s..s..s)
++        } 0
++    } {3221225474} ;# length includes two double quotes at both ends
++
++    test {EVAL - Test long escape sequences for strings} {
++        run_script {
++            -- Generate 1gb '==...==' separator
++            local s = string.rep('=', 1024 * 1024)
++            local t = {} for i=1,1024 do t[i] = s end
++            local sep = table.concat(t)
++            collectgarbage('collect')
++
++            local code = table.concat({'return [',sep,'[x]',sep,']'})
++            collectgarbage('collect')
++
++            -- Load the code and run it. Script will return the string length.
++            -- Escape sequence: [=....=[ to ]=...=] will be ignored
++            -- Actual string is a single character: 'x'. Script will return 1
++            local func = loadstring(code)
++            return #func()
++        } 0
++    } {1}
++
++    test {EVAL - Lua can parse string with too many new lines} {
++        # Create a long string consisting only of newline characters. When Lua
++        # fails to parse a string, it typically includes a snippet like
++        # "... near ..." in the error message to indicate the last recognizable
++        # token. In this test, since the input contains only newlines, there
++        # should be no identifiable token, so the error message should contain
++        # only the actual error, without a near clause.
++
++        run_script {
++           local s = string.rep('\n', 1024 * 1024)
++           local t = {} for i=1,2048 do t[#t+1] = s end
++           local lines = table.concat(t)
++           local fn, err = loadstring(lines)
++           return err
++        } 0
++    } {*chunk has too many lines}
++}
++
+ # Start a new server to test lua-enable-deprecated-api config
+ foreach enabled {no yes} {
+ start_server [subst {tags {"scripting external:skip"} overrides {lua-enable-deprecated-api $enabled}}] {
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index be4e90564d..295dc0e429 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://CVE-2025-48367.patch \
            file://CVE-2025-46817.patch \
            file://CVE-2025-46818.patch \
+           file://CVE-2025-46819.patch \
            "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
 

From patchwork Thu Oct 16 10:10:20 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri <vanusuri@mvista.com>
X-Patchwork-Id: 72493
Return-Path: <vanusuri@mvista.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0C769CCD194
	for <webhook@archiver.kernel.org>; Thu, 16 Oct 2025 10:10:52 +0000 (UTC)
Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com
 [209.85.214.169])
 by mx.groups.io with SMTP id smtpd.web10.4463.1760609445891368381
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:45 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@mvista.com header.s=google header.b=blU9bLhJ;
 spf=pass (domain: mvista.com, ip: 209.85.214.169,
 mailfrom: vanusuri@mvista.com)
Received: by mail-pl1-f169.google.com with SMTP id
 d9443c01a7336-290c2b6a6c2so427965ad.1
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 16 Oct 2025 03:10:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mvista.com; s=google; t=1760609445; x=1761214245;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=qMs5m0e/1SZwP7FXRBi9jc4sjk7t+0w7s/MYoRsRMI8=;
        b=blU9bLhJI+eLK0WrhdmhVoOmHGo9PjdEeqo3d+l/2B/ZMuuA7xIIRfm1AARmv5XUs+
         GRnFzxPZT/IJu1zw4/8YAsLghPv+Cb46ZTQpcNyAAMkKQ5zdaPbtpXMgT9jQ9qhecMMk
         7ZvO+5nACL7qcpaRwr2Js1zP1VkuXr2yyeCIY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760609445; x=1761214245;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=qMs5m0e/1SZwP7FXRBi9jc4sjk7t+0w7s/MYoRsRMI8=;
        b=IPezdkYXZpZ2ujpsqu/gWhy8dl843IMaQbGnFssnmEZrGLwS0rie5hnTQM4JV55cYY
         0/P0AxDSR2KhXroS2XMDoscIyqbtz3qFksUm1aUddCIG8HJAA3CaFwhsSuEGBY034cN4
         mNe4KYRzWzVPJ9a1MEo/Nxdbk4AT2wvxZp+7uw37sgRtXgBr0fi547jatfmHdIGR05Dp
         2Vd6xqpGvUc9GZWSW2xzPt/BggWDvXF6qtpmLN51N6Iyb2jsF1XT07sahNiijgH4EAnO
         xAA3jDb3jDLk1g7/7ZaKJtnmDFZsKyonGp1dXd7loWRWH6gbQHCuc0HJ7CjBPA1bMHKD
         kfEA==
X-Gm-Message-State: AOJu0YwXvxu0nh76ULL93ZGUP7t8JIVGQ47xZs1ojLiMdheelhqQG0+F
	h4Cf5nyHp64oVwUyQlAs4IMgV7M9SJvtrssLYiPWcsyAn8stM3LH9B/+51y+RsSmJ3ASyqL0hwR
	UXoVzwDI=
X-Gm-Gg: ASbGncthA6aZTxbomP1q0ni5KtW5Kz6HeSs6kbfB1Kd1tMM5sE4kYVN6oJwWHSa96OS
	NRKnkxeY1ngTmx+XIAUIl8r3lBcRTJ67kWsmDpIPZtSMKvP2OgqiOBlxLp/KjcUnuTlw9q9KM1j
	j2qUhp/xc2D2wzkXnfXv7n/XomNxn/O9Yo4NtNWJsaO+YAqnRqRtIbeNuEIKqNGQTmbVlk8LrZv
	6M+3W1uFd6TMF/cWVJ6SBSlcnPPN6EoPJ+mHgYRq/AzxCH6PzoSUePIKqdYKFOaq0/Hlrx4p3Xz
	f7ZEZ8Cs02AEyzDWF39BY/H6yzoAKsAqWzzhShWvXov18lJ3eTAlGDjQH2giP3iustBybMj4IKS
	StlUj59A97NAwHAesz0jknCUlDpvbs6u9H7pAu8wE4FjUIpWUFVTJ/GHV7J2Rm9xQ0t9QIxMe0p
	ckckm9qWPoFPZVqsY=
X-Google-Smtp-Source: 
 AGHT+IGrLQoIy3pseJhK916sJA+PGwMRS3dUM59LM0DYStrZSWFGArY5PTtk6aBAKUBsc+JHdNXj+Q==
X-Received: by 2002:a17:902:f609:b0:282:2c52:5094 with SMTP id
 d9443c01a7336-290272c31d0mr411453515ad.37.1760609444746;
        Thu, 16 Oct 2025 03:10:44 -0700 (PDT)
Received: from localhost.localdomain
 ([2401:4900:8fcc:1614:2a1b:7928:3155:7a64])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-29099a7cebbsm24617685ad.64.2025.10.16.03.10.42
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Oct 2025 03:10:44 -0700 (PDT)
From: vanusuri@mvista.com
To: openembedded-devel@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [oe][meta-oe][kirkstone][PATCH 7/7] redis: Fix CVE-2025-49844
Date: Thu, 16 Oct 2025 15:40:20 +0530
Message-Id: <20251016101020.279084-7-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20251016101020.279084-1-vanusuri@mvista.com>
References: <20251016101020.279084-1-vanusuri@mvista.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 16 Oct 2025 10:10:52 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/120735

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://github.com/redis/redis/commit/db884a49bfbbccd7a0463ddc6aa486b52f28386f

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../redis/redis-7.0.13/CVE-2025-49844.patch   | 35 +++++++++++++++++++
 .../recipes-extended/redis/redis_7.0.13.bb    |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-49844.patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-49844.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-49844.patch
new file mode 100644
index 0000000000..0a5fa12b77
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-49844.patch
@@ -0,0 +1,35 @@
+From db884a49bfbbccd7a0463ddc6aa486b52f28386f Mon Sep 17 00:00:00 2001
+From: Mincho Paskalev <minchopaskal@gmail.com>
+Date: Mon, 23 Jun 2025 11:41:37 +0300
+Subject: [PATCH] Lua script may lead to remote code execution (CVE-2025-49844)
+
+Upstream-Status: Backport [https://github.com/redis/redis/commit/db884a49bfbbccd7a0463ddc6aa486b52f28386f]
+CVE: CVE-2025-49844
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ deps/lua/src/lparser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/deps/lua/src/lparser.c b/deps/lua/src/lparser.c
+index dda7488dcad..ee7d90c90d7 100644
+--- a/deps/lua/src/lparser.c
++++ b/deps/lua/src/lparser.c
+@@ -384,13 +384,17 @@ Proto *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff, const char *name) {
+   struct LexState lexstate;
+   struct FuncState funcstate;
+   lexstate.buff = buff;
+-  luaX_setinput(L, &lexstate, z, luaS_new(L, name));
++  TString *tname = luaS_new(L, name);
++  setsvalue2s(L, L->top, tname);
++  incr_top(L);
++  luaX_setinput(L, &lexstate, z, tname);
+   open_func(&lexstate, &funcstate);
+   funcstate.f->is_vararg = VARARG_ISVARARG;  /* main func. is always vararg */
+   luaX_next(&lexstate);  /* read first token */
+   chunk(&lexstate);
+   check(&lexstate, TK_EOS);
+   close_func(&lexstate);
++  --L->top;
+   lua_assert(funcstate.prev == NULL);
+   lua_assert(funcstate.f->nups == 0);
+   lua_assert(lexstate.fs == NULL);
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index 295dc0e429..c3d98694d5 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://CVE-2025-46817.patch \
            file://CVE-2025-46818.patch \
            file://CVE-2025-46819.patch \
+           file://CVE-2025-49844.patch \
            "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"