Package: redis / 3:3.2.6-3+deb9u3

Metadata

Package: redis
Version: 3:3.2.6-3+deb9u3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 fix ftbfs on kfreebsd.patch

deps/hiredis/net.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix ftbfs on kfreebsd
# Bug: https://github.com/redis/hiredis/pull/254
# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754634
0002 fix ftbfs on kfreebsd.patch

src/fmacros.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix ftbfs on kfreebsd
# Bug: https://github.com/antirez/redis/pull/67
# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632499
0003 use system jemalloc.patch

src/Makefile | 5 2 + 3 - 0 !
src/debug.c | 6 3 + 3 - 0 !
src/zmalloc.c | 8 4 + 4 - 0 !
src/zmalloc.h | 2 1 + 1 - 0 !
4 files changed, 10 insertions(+), 11 deletions(-)

 use-system-jemalloc


0004 dpkg buildflags.patch

deps/hiredis/Makefile | 2 1 + 1 - 0 !
deps/linenoise/Makefile | 2 1 + 1 - 0 !
src/Makefile | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 add cppflags in upstream makefiles


0005 SOURCE_DATE_EPOCH.patch

src/mkreleasehdr.sh | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 source_date_epoch


0006 Skip logging tests as not all architectures support .patch

tests/test_helper.tcl | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 skip logging tests as not all architectures support it yet


0008 Drop tests with timing issues.patch

tests/test_helper.tcl | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 drop tests with timing issues.


0009 Security fix redis cli buffer overflow.patch

src/redis-cli.c | 27 16 + 11 - 0 !
1 file changed, 16 insertions(+), 11 deletions(-)

 security: fix redis-cli buffer overflow.

Thanks to Fakhri Zulkifli for reporting it.

The fix switched to dynamic allocation, copying the final prompt in the
static buffer only at the end.

0010 Security fix Lua struct package offset handling.patch

deps/lua/src/lua_struct.c | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 security: fix lua struct package offset handling.

After the first fix to the struct package I found another similar
problem, which is fixed by this patch. It could be reproduced easily by
running the following script:

    return struct.unpack('f', "xxxxxxxxxxxxx",-3)

0011 Security more cmsgpack fixes by soloestoy.patch

deps/lua/src/lua_cmsgpack.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 security: more cmsgpack fixes by @soloestoy.

@soloestoy sent me these additional fixes, after searching for similar
problems to the one reported in mp_pack(). I'm committing the changes
because it was not possible to make a public PR, to protect Redis
users and give Redis providers some time to patch their systems.

0012 Security update Lua struct package for security.patch

deps/lua/src/lua_struct.c | 28 15 + 13 - 0 !
1 file changed, 15 insertions(+), 13 deletions(-)

 security: update lua struct package for security.

During an audit, Apple found that the "struct" Lua package
we ship with Redis (http://www.inf.puc-rio.br/~roberto/struct/) contains
a security problem. A bound-checking statement fails because of integer
overflow. The bug has existed since we initially integrated this package with
Lua, when scripting was introduced, so every version of Redis with
EVAL/EVALSHA capabilities exposed is affected.

Instead of just fixing the bug, the library was updated to the latest
version shipped by the author.

0013 Security fix Lua cmsgpack library stack overflow.patch

deps/lua/src/lua_cmsgpack.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 security: fix lua cmsgpack library stack overflow.

During an auditing effort, the Apple Vulnerability Research team discovered
a critical Redis security issue affecting the Lua scripting part of Redis.

-- Description of the problem

Several years ago I merged a pull request including many small changes to
the Lua MsgPack library (which I originally authored myself). The Pull
Request entered Redis in commit 90b6337c1, in 2014.
Unfortunately one of the changes included a variadic Lua function that
lacked the check for the available Lua C stack. As a result, calling the
"pack" MsgPack library function with a large number of arguments results
in pushing onto the Lua C stack a number of new values proportional to
the number of arguments the function was called with. The pushed values,
moreover, are controlled by untrusted user input.

This in turn causes stack smashing, which we believe to be exploitable;
while not very deterministic, it is likely that an exploit could be
created targeting specific versions of Redis executables. However, at its
minimum the issue results in a DoS, crashing the Redis server.

-- Versions affected

Versions greater than or equal to Redis 2.8.18 are affected.

-- Reproducing

Reproduce with this (based on the original reproduction script by
Apple security team):

https://gist.github.com/antirez/82445fcbea6d9b19f97014cc6cc79f8a

-- Verification of the fix

The fix was tested in the following way:

1) I checked that the problem is no longer observable when running the trigger.
2) The Lua code was analyzed to understand the stack semantics, and to
confirm that enough stack is actually allocated in all the cases of mp_pack() calls.
3) The mp_pack() function was modified in order to show exactly what items
in the stack were being set, to make sure that there is no silent overflow
even after the fix.

-- Credits

Thank you to the Apple team and to the other persons that helped me
check the patch and coordinate this communication.

0014 CVE 2019 10192.patch

src/hyperloglog.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)
