diff --git a/CVE-2019-10192.patch b/CVE-2019-10192.patch new file mode 100644 index 0000000000000000000000000000000000000000..f0704467f0f3aeb2eb535f100123ec987afa8db2 --- /dev/null +++ b/CVE-2019-10192.patch @@ -0,0 +1,33 @@ +From 9f13b2bd4967334b1701c6eccdf53760cb13f79e Mon Sep 17 00:00:00 2001 +From: John Sully +Date: Thu, 14 Mar 2019 14:02:16 -0400 +Subject: [PATCH] Fix hyperloglog corruption + +--- + src/hyperloglog.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/hyperloglog.c b/src/hyperloglog.c +index fc21ea0065d..e993bf26e1d 100644 +--- a/src/hyperloglog.c ++++ b/src/hyperloglog.c +@@ -614,6 +614,10 @@ int hllSparseToDense(robj *o) { + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); ++ if ((runlen + idx) > HLL_REGISTERS) { ++ sdsfree(dense); ++ return C_ERR; ++ } + while(runlen--) { + HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval); + idx++; +@@ -1088,6 +1092,8 @@ int hllMerge(uint8_t *max, robj *hll) { + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); ++ if ((runlen + i) > HLL_REGISTERS) ++ return C_ERR; + while(runlen--) { + if (regval > max[i]) max[i] = regval; + i++; diff --git a/cve-2019-10192.patch b/cve-2019-10192.patch new file mode 100644 index 0000000000000000000000000000000000000000..e40dbe0b13450c752063a77ba0063cd615ae3e52 --- /dev/null +++ b/cve-2019-10192.patch @@ -0,0 +1,35 @@ +From e216ceaf0e099536fe3658a29dcb725d812364e0 Mon Sep 17 00:00:00 2001 +From: antirez +Date: Fri, 15 Mar 2019 17:16:06 +0100 +Subject: [PATCH] HyperLogLog: handle wrong offset in the base case. + +--- + src/hyperloglog.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/src/hyperloglog.c b/src/hyperloglog.c +index 526510b43b9..1e7ce3dceb7 100644 +--- a/src/hyperloglog.c ++++ b/src/hyperloglog.c +@@ -614,10 +614,7 @@ int hllSparseToDense(robj *o) { + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); +- if ((runlen + idx) > HLL_REGISTERS) { +- sdsfree(dense); +- return C_ERR; +- } ++ if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */ + while(runlen--) { + HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval); + idx++; +@@ -1097,8 +1094,7 @@ int hllMerge(uint8_t *max, robj *hll) { + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); +- if ((runlen + i) > HLL_REGISTERS) +- return C_ERR; ++ if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. */ + while(runlen--) { + if (regval > max[i]) max[i] = regval; + i++; diff --git a/redis.spec b/redis.spec index c9e28fc789755f975e5cb108623ceb68530d3a60..f3b33ecdffe31eeb9931ad5b4fe6c093a98d1d37 100644 --- a/redis.spec +++ b/redis.spec @@ -1,6 +1,6 @@ Name: redis Version: 4.0.11 -Release: 3 +Release: 4 Summary: A persistent key-value database License: BSD and MIT URL: https://redis.io @@ -9,6 +9,11 @@ Source1: %{name}.logrotate Source2: %{name}-sentinel.service Source3: %{name}.service +#CVE fix +Patch0001: CVE-2019-10192.patch +#Optimization of the above problem +Patch0002: cve-2019-10192.patch + %description Redis is an advanced key-value store. It is often referred to as a dattructure server since keys can contain strings, hashes ,lists, sets anorted sets. @@ -55,6 +60,9 @@ install -pDm640 sentinel.conf %{buildroot}%{_sysconfdir}/%{name}-sentinel.conf %{_unitdir}/%{name}-sentinel.service %changelog +* Tue Mar 17 2020 wangye - 4.0.11-4 +- CVE fix + * Wed Jan 15 2020 zhujunhao - 4.0.11-3 - Modify redis service