From fa0bf7d850b4c2182ee0959f7a611a31bf8e9287 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Thu, 5 Jun 2025 15:32:46 +0800
Subject: [PATCH] Fix CVE-2025-49112
---
 CVE-2025-49112.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++
 redis.spec | 6 +++++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-49112.patch
diff --git a/CVE-2025-49112.patch b/CVE-2025-49112.patch
new file mode 100644
index 0000000..6ef2a57
--- /dev/null
+++ b/CVE-2025-49112.patch
@@ -0,0 +1,50 @@
+From 374718b2a365ca69f715d542709b7d71540b1387 Mon Sep 17 00:00:00 2001
+From: Zeroday BYTE
+Date: Mon, 26 May 2025 18:57:00 +0700
+Subject: [PATCH] Fix unsigned difference expression compared to zero (#2101)
+
+Origin: https://github.com/valkey-io/valkey/commit/374718b2a365ca69f715d542709b7d71540b1387
+
+https://github.com/valkey-io/valkey/blob/daea05b1e26db29bfd1c033e27f9d519a2f8ccbb/src/networking.c#L886-L886
+
+Fix the issue need to ensure that the subtraction `prev->size -
+prev->used` does not underflow. This can be achieved by explicitly
+checking that `prev->used` is less than `prev->size` before performing
+the subtraction. This approach avoids relying on unsigned arithmetic and
+ensures the logic is clear and robust.
+
+The specific changes are:
+1. Replace the condition `prev->size - prev->used > 0` with `prev->used
+< prev->size`.
+2. This change ensures that the logic checks whether there is remaining
+space in the buffer without risking underflow.
+
+**References**
+[INT02-C. Understand integer conversion
+rules](https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules)
+[CWE-191](https://cwe.mitre.org/data/definitions/191.html)
+
+
+---
+
+Signed-off-by: Zeroday BYTE
+---
+ src/networking.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/networking.c b/src/networking.c
+index eb0b389..860fd89 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -780,7 +780,7 @@ void setDeferredReply(client *c, void *node, const char *s, size_t length) {
+ * - It has enough room already allocated
+ * - And not too large (avoid large memmove) */
+ if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) &&
+- prev->size - prev->used > 0)
++ prev->used < prev->size)
+ {
+ size_t len_to_copy = prev->size - prev->used;
+ if (len_to_copy > length)
+--
+2.49.0
+
diff --git a/redis.spec b/redis.spec
index 93eea67..34f7e71 100644
--- a/redis.spec
+++ b/redis.spec
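Review bot: The rewritten guard in the nested `setDeferredReply` hunk only changes the outcome when `prev->used` already exceeds `prev->size`; for every state with `used <= size`, `prev->size - prev->used > 0` and `prev->used < prev->size` evaluate identically, so the practical effect is to keep the following `size_t len_to_copy = prev->size - prev->used` from wrapping if `used` is ever out of range, not a change on the normal path. The hunk is taken from valkey (the `Origin:` trailer and the `@@ -780` offset refer to valkey's `src/networking.c`) while this spec builds redis 8.0.2, so the build log should be checked to confirm it applies to redis's own copy of `setDeferredReply`, whose line numbers may differ. A one-line note in the patch header such as `Backported from valkey to redis 8.0.2; hunk applies to setDeferredReply in src/networking.c` would record that check for the next rebase. The body of `setDeferredReply` begins and ends outside the hunk.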
@@ -5,7 +5,7 @@ Name: redis Version: 8.0.2 -Release: 1 +Release: 2 Summary: A persistent key-value database License: RSAL-2.0 OR SSPL-1.0 OR AGPL-3.0-or-later URL: https://redis.io @@ -20,6 +20,7 @@ Source7: %{name}.sysusers # https://github.com/redis/redis/pull/3491 - man pages Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch Patch0002: 0002-add-sw_64-support.patch +Patch0003: CVE-2025-49112.patch BuildRequires: systemd BuildRequires: systemd-devel @@ -183,6 +184,9 @@ install -p -D -m 0644 %{S:7} %{buildroot}%{_sysusersdir}/%{name}.conf %{_docdir}/%{name} %changelog +* Thu Jun 05 2025 wangkai <13474090681@163.com> - 8.0.2-2 +- Fix CVE-2025-49112 + * Wed May 28 2025 Funda Wang - 8.0.2-1 - update to 8.0.2 -- Gitee