From c3ffd719ecda7f5beb6c335446bc244f0caa38e4 Mon Sep 17 00:00:00 2001
From: roy
Date: Tue, 8 Oct 2024 09:53:43 +0800
Subject: [PATCH] Fixed CVE-2024-31228.patch.
---
CVE-2024-31228.patch | 56 ++++++++++++++++++++++++++++++++++++++++++++
redis.spec | 7 +++++-
2 files changed, 62 insertions(+), 1 deletion(-)
create mode 100644 CVE-2024-31228.patch
diff --git a/CVE-2024-31228.patch b/CVE-2024-31228.patch
new file mode 100644
index 0000000..337b026
--- /dev/null
+++ b/CVE-2024-31228.patch
@@ -0,0 +1,56 @@
+commit 9317bf64659b33166a943ec03d5d9b954e86afb0
+Author: Oran Agra
+Date: Wed Oct 2 20:11:01 2024 +0300
+
+ Prevent pattern matching abuse (CVE-2024-31228)
+
+diff --git a/src/util.c b/src/util.c
+index e122a2637..5763a2bd5 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -46,8 +46,11 @@
+
+ /* Glob-style pattern matching. */
+ static int stringmatchlen_impl(const char *pattern, int patternLen,
+- const char *string, int stringLen, int nocase, int *skipLongerMatches)
++ const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
+ {
++ /* Protection against abusive patterns. */
++ if (nesting > 1000) return 0;
++
+ while(patternLen && stringLen) {
+ switch(pattern[0]) {
+ case '*':
+@@ -59,7 +62,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ return 1; /* match */
+ while(stringLen) {
+ if (stringmatchlen_impl(pattern+1, patternLen-1,
+- string, stringLen, nocase, skipLongerMatches))
++ string, stringLen, nocase, skipLongerMatches, nesting+1))
+ return 1; /* match */
+ if (*skipLongerMatches)
+ return 0; /* no match */
+@@ -181,7 +184,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ int stringmatchlen(const char *pattern, int patternLen,
+ const char *string, int stringLen, int nocase) {
+ int skipLongerMatches = 0;
+- return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
++ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
+ }
+
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index 92029a7c1..70bc2526f 100644
+--- a/tests/unit/keyspace.tcl
++++ b/tests/unit/keyspace.tcl
+@@ -485,4 +485,10 @@ start_server {tags {"keyspace"}} {
+ r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+ r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+ } {}
++
++ test {Regression for pattern matching very long nested loops} {
++ r flushdb
++ r SET [string repeat "a" 50000] 1
++ r KEYS [string repeat "*?" 50000]
++ } {}
+ }
diff --git a/redis.spec b/redis.spec
index 3050066..254f43c 100644
--- a/redis.spec
+++ b/redis.spec
@@ -1,6 +1,6 @@ Name: redis Version: 4.0.14 -Release: 6 +Release: 7 Summary: A persistent key-value database License: BSD-3-Clause and MIT URL: https://redis.io
@@ -22,6 +22,7 @@ Patch0010: CVE-2021-32672.patch Patch0011: CVE-2022-36021.patch Patch0012: CVE-2023-28856.patch Patch0013: CVE-2022-24834.patch +Patch0014: CVE-2024-31228.patch BuildRequires: systemd gcc Requires: /bin/awk
@@ -52,6 +53,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s %patch0011 -p1 %patch0012 -p1 %patch0013 -p1 +%patch0014 -p1 %ifarch loongarch64 %_update_config_guess %_update_config_sub
@@ -113,6 +115,9 @@ exit 0 %{_unitdir}/%{name}-sentinel.service %changelog +* Tue Oct 08 2024 Yu Peng - 4.0.14-7 +- Fix CVE-2024-31228 + * Mon Jul 31 2023 wangkai <13474090681@163.com> - 4.0.14-6 - Fix CVE-2022-24834 -- Gitee
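Review bot: The depth guard `if (nesting > 1000) return 0;` at the top of stringmatchlen_impl reports an over-deep pattern as an ordinary "no match", so callers of stringmatchlen cannot tell a rejected pattern from a real mismatch. The new regression test pins exactly that: a key of 50000 `a` characters would satisfy the 50000-times `*?` pattern, yet KEYS is expected to return `{}`. Failing closed is a sensible choice for a bound on recursion through the `*` branch, but the comment should state the consequence, e.g. `/* Protection against abusive patterns: past 1000 nested '*' recursions the pattern is treated as non-matching, even if the string would match. */`, and the bare 1000 would read better as a named constant. The context lines also assume `skipLongerMatches` already exists in src/util.c, which presumably comes from an earlier patch in this spec (the `a*a*…b` test in the keyspace.tcl context suggests the CVE-2022-36021 one), so it is worth confirming that Patch0014 applies without fuzz after it. The body of stringmatchlen_impl continues outside the embedded hunks.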