From 80c4de130f70dee52c0da0cbfdfbd68059735b06 Mon Sep 17 00:00:00 2001 From: wang_yue111 <648774160@qq.com> Date: Tue, 8 Jun 2021 10:40:20 +0800 Subject: [PATCH] Fix CVE-2021-29478 --- CVE-2021-29478.patch | 35 +++++++++++++++++++++++++++++++++++ redis.spec | 8 +++++++- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-29478.patch diff --git a/CVE-2021-29478.patch b/CVE-2021-29478.patch new file mode 100644 index 0000000..c7002c2 --- /dev/null +++ b/CVE-2021-29478.patch @@ -0,0 +1,35 @@ +From ef78ba0a7793a0b6be026ec77ef3c7e919efa08a Mon Sep 17 00:00:00 2001 +From: Oran Agra +Date: Mon, 3 May 2021 08:27:22 +0300 +Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478) + +An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and +potentially result with remote code execution. + +The vulnerability involves changing the default set-max-intset-entries +configuration value, creating a large set key that consists of integer values +and using the COPY command to duplicate it. + +The integer overflow bug exists in all versions of Redis starting with 2.6, +where it could result with a corrupted RDB or DUMP payload, but not exploited +through COPY (which did not exist before 6.2). +--- + src/intset.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/intset.c b/src/intset.c +index 198c90a..8d35536 100644 +--- a/src/intset.c ++++ b/src/intset.c +@@ -278,7 +278,7 @@ uint32_t intsetLen(const intset *is) { + + /* Return intset blob size in bytes. */ + size_t intsetBlobLen(intset *is) { +- return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding); ++ return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding); + } + + #ifdef REDIS_TEST +-- +2.23.0 + diff --git a/redis.spec b/redis.spec index 16fe1ad..0902cab 100644 --- a/redis.spec +++ b/redis.spec @@ -1,6 +1,6 @@ Name: redis Version: 4.0.11 -Release: 16 +Release: 17 Summary: A persistent key-value database License: BSD and MIT URL: https://redis.io @@ -21,6 +21,8 @@ Patch0007: modify-aarch64-architecture-jemalloc-page-size-from-4k-to-64k.pa Patch0008: huawei-deps-jemalloc-support-riscv.patch Patch0009: CVE-2021-21309.patch Patch0010: CVE-2021-3470.patch +Patch0011: CVE-2021-29478.patch + BuildRequires: systemd gcc Requires: /bin/awk Requires: logrotate @@ -47,6 +49,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s %patch0008 -p1 %patch0009 -p1 %patch0010 -p1 +%patch0011 -p1 sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf @@ -104,6 +107,9 @@ exit 0 %{_unitdir}/%{name}-sentinel.service %changelog +* Tue Jun 08 2021 wangyue - 4.0.11-17 +- Fix CVE-2021-29478 + * Mon May 31 2021 huanghaitao - 4.0.11-16 - Completing build dependencies to fix gcc compiler missing error -- Gitee