Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <e1twzgn-009jbo...@coccia.debian.org>
and subject line Close 1088709
has caused the Debian Bug report #1088709,
regarding bookworm-pu: package redis/5:7.0.15-1~deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1088709: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088709
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Chris Lamb <la...@debian.org>, secur...@debian.org
* CVE-2024-31227: DoS with malformed ACL selectors
* CVE-2024-31228: unbounded pattern matching DoS
* CVE-2024-31449: Lua bit library stack overflow
Tagged moreinfo, as question to the security team whether they want
this in -pu or as DSA.
diffstat for redis-7.0.15 redis-7.0.15
changelog | 10 +
patches/0001-Apply-security-fixes-for-CVEs-1113.patch | 137 ++++++++++++++++++
patches/series | 1
3 files changed, 148 insertions(+)
diff -Nru redis-7.0.15/debian/changelog redis-7.0.15/debian/changelog
--- redis-7.0.15/debian/changelog 2024-01-16 12:13:26.000000000 +0200
+++ redis-7.0.15/debian/changelog 2024-11-28 23:28:52.000000000 +0200
@@ -1,3 +1,13 @@
+redis (5:7.0.15-1~deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-31227: DoS with malformed ACL selectors
+ * CVE-2024-31228: unbounded pattern matching DoS
+ * CVE-2024-31449: Lua bit library stack overflow
+ * Closes: 1084805
+
+ -- Adrian Bunk <b...@debian.org> Thu, 28 Nov 2024 23:28:52 +0200
+
redis (5:7.0.15-1~deb12u1) bookworm-security; urgency=high
* Rebuild of 5:7.0.15-1 from sid for bookworm-security.
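Review bot: `* Closes: 1084805` is written as a bullet of its own and without the `#`; the usual changelog form is `(Closes: #1084805)` attached to the entry it resolves. The three CVE bullets also do not say that they all come from one patch file, 0001-Apply-security-fixes-for-CVEs-1113.patch; naming it here would make the entry self-contained.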
diff -Nru
redis-7.0.15/debian/patches/0001-Apply-security-fixes-for-CVEs-1113.patch
redis-7.0.15/debian/patches/0001-Apply-security-fixes-for-CVEs-1113.patch
--- redis-7.0.15/debian/patches/0001-Apply-security-fixes-for-CVEs-1113.patch
1970-01-01 02:00:00.000000000 +0200
+++ redis-7.0.15/debian/patches/0001-Apply-security-fixes-for-CVEs-1113.patch
2024-11-28 23:28:52.000000000 +0200
@@ -0,0 +1,137 @@
+From d4214cde2bd6f80d06497b274e56f0b91a4daee1 Mon Sep 17 00:00:00 2001
+From: Madelyn Olson <madelyneol...@gmail.com>
+Date: Wed, 2 Oct 2024 13:11:08 -0700
+Subject: Apply security fixes for CVEs (#1113)
+
+Apply the security fixes for the release.
+
+(CVE-2024-31449) Lua library commands may lead to stack overflow and
+potential RCE.
+(CVE-2024-31227) Potential Denial-of-service due to malformed ACL
+selectors.
+(CVE-2024-31228) Potential Denial-of-service due to unbounded pattern
+matching.
+
+---------
+
+Signed-off-by: Madelyn Olson <madelyneol...@gmail.com>
+---
+ deps/lua/src/lua_bit.c | 1 +
+ src/acl.c | 2 +-
+ src/util.c | 9 ++++++---
+ tests/unit/acl-v2.tcl | 5 +++++
+ tests/unit/keyspace.tcl | 6 ++++++
+ tests/unit/scripting.tcl | 6 ++++++
+ 6 files changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
+index 9f83b8594..7e43faea4 100644
+--- a/deps/lua/src/lua_bit.c
++++ b/deps/lua/src/lua_bit.c
+@@ -132,6 +132,7 @@ static int bit_tohex(lua_State *L)
+ const char *hexdigits = "0123456789abcdef";
+ char buf[8];
+ int i;
++ if (n == INT32_MIN) n = INT32_MIN+1;
+ if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
+ if (n > 8) n = 8;
+ for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
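Review bot: the added `if (n == INT32_MIN) n = INT32_MIN+1;` in bit_tohex carries no comment saying why that one value is special. The next line does `n = -n` and the line after relies on `n > 8` to keep the loop inside `char buf[8]`; INT32_MIN has no positive 32-bit counterpart, so negating it cannot produce a value the clamp would catch. A one-line comment to that effect would help. Since the diffstat shows only this single line added to lua_bit.c, please also confirm that INT32_MIN is already defined in this file for every supported compiler.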
+diff --git a/src/acl.c b/src/acl.c
+index 6d86093ca..6b53d901c 100644
+--- a/src/acl.c
++++ b/src/acl.c
+@@ -1036,7 +1036,7 @@ int ACLSetSelector(aclSelector *selector, const char*
op, size_t oplen) {
+ flags |= ACL_READ_PERMISSION;
+ } else if (toupper(op[offset]) == 'W' && !(flags &
ACL_WRITE_PERMISSION)) {
+ flags |= ACL_WRITE_PERMISSION;
+- } else if (op[offset] == '~') {
++ } else if (op[offset] == '~' && flags) {
+ offset++;
+ break;
+ } else {
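Review bot: in ACLSetSelector the new `op[offset] == '~' && flags` test depends on flags still being zero when neither R nor W has been parsed, and nothing in the hunk says so. A short comment that a bare `%~` must fall through to the else branch, or an explicit `flags != 0`, would make the intent clear to the next reader.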
+diff --git a/src/util.c b/src/util.c
+index 8ce2c5fca..3a4c9b037 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -51,8 +51,11 @@
+
+ /* Glob-style pattern matching. */
+ static int stringmatchlen_impl(const char *pattern, int patternLen,
+- const char *string, int stringLen, int nocase, int *skipLongerMatches)
++ const char *string, int stringLen, int nocase, int
*skipLongerMatches, int nesting)
+ {
++ /* Protection against abusive patterns. */
++ if (nesting > 1000) return 0;
++
+ while(patternLen && stringLen) {
+ switch(pattern[0]) {
+ case '*':
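Review bot: `if (nesting > 1000) return 0;` at the top of stringmatchlen_impl hard-codes the limit and reports an over-deep pattern as an ordinary non-match. Consider a named constant for 1000 and a sentence in the function comment stating that patterns nested beyond that depth never match, since callers of stringmatchlen cannot tell the two cases apart.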
+@@ -64,7 +67,7 @@ static int stringmatchlen_impl(const char *pattern, int
patternLen,
+ return 1; /* match */
+ while(stringLen) {
+ if (stringmatchlen_impl(pattern+1, patternLen-1,
+- string, stringLen, nocase, skipLongerMatches))
++ string, stringLen, nocase, skipLongerMatches,
nesting+1))
+ return 1; /* match */
+ if (*skipLongerMatches)
+ return 0; /* no match */
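Review bot: in the `'*'` loop, a recursive call that hits the new depth guard returns 0 without setting *skipLongerMatches, so `if (*skipLongerMatches) return 0;` is not triggered by the guard and the `while(stringLen)` loop carries on to its next iteration. Is that intended, or should the guard also set *skipLongerMatches so the whole match is abandoned as soon as the limit is reached?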
+@@ -186,7 +189,7 @@ static int stringmatchlen_impl(const char *pattern, int
patternLen,
+ int stringmatchlen(const char *pattern, int patternLen,
+ const char *string, int stringLen, int nocase) {
+ int skipLongerMatches = 0;
+- return
stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
++ return
stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
+ }
+
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+diff --git a/tests/unit/acl-v2.tcl b/tests/unit/acl-v2.tcl
+index d836f9cb8..114fadec3 100644
+--- a/tests/unit/acl-v2.tcl
++++ b/tests/unit/acl-v2.tcl
+@@ -107,6 +107,11 @@ start_server {tags {"acl external:skip"}} {
+ assert_match "*NOPERM*keys*" $err
+ }
+
++ test {Validate read and write permissions format} {
++ catch {r ACL SETUSER key-permission-RW %~} err
++ set err
++ } {ERR Error in ACL SETUSER modifier '%~': Syntax error}
++
+ test {Test separate read and write permissions on different selectors are
not additive} {
+ r ACL SETUSER key-permission-RW-selector on nopass "(%R~read* +@all)"
"(%W~write* +@all)"
+ $r2 auth key-permission-RW-selector password
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index 437f71fa1..988389fcf 100644
+--- a/tests/unit/keyspace.tcl
++++ b/tests/unit/keyspace.tcl
+@@ -495,4 +495,10 @@ start_server {tags {"keyspace"}} {
+ r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+ r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+ } {}
++
++ test {Regression for pattern matching very long nested loops} {
++ r flushdb
++ r SET [string repeat "a" 50000] 1
++ r KEYS [string repeat "*?" 50000]
++ } {}
+ }
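Review bot: the new regression test expects `{}` from KEYS even though the stored key is 50000 `a` characters and the pattern is 50000 repetitions of `*?`, which would match that key if there were no nesting limit. Add a comment in the test saying the empty result is a consequence of the depth cap in stringmatchlen_impl, so nobody later reads it as a wrong expectation.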
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index 4b65131bf..cdc6dc448 100644
+--- a/tests/unit/scripting.tcl
++++ b/tests/unit/scripting.tcl
+@@ -590,6 +590,12 @@ start_server {tags {"scripting"}} {
+ set e
+ } {ERR *Attempt to modify a readonly table*}
+
++ test {lua bit.tohex bug} {
++ set res [run_script {return bit.tohex(65535, -2147483648)} 0]
++ r ping
++ set res
++ } {0000FFFF}
++
+ test {Test an example script DECR_IF_GT} {
+ set decr_if_gt {
+ local current
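Review bot: the test name `lua bit.tohex bug` does not say which bug is covered. Naming the case being exercised (a second argument of -2147483648) or the CVE would make a failure easier to triage, and a comment on `r ping`, which presumably checks that the server is still responsive after the script, would help as well.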
+--
+2.30.2
+
diff -Nru redis-7.0.15/debian/patches/series redis-7.0.15/debian/patches/series
--- redis-7.0.15/debian/patches/series 2024-01-16 12:13:26.000000000 +0200
+++ redis-7.0.15/debian/patches/series 2024-11-28 23:28:52.000000000 +0200
@@ -3,3 +3,4 @@
0002-Add-CPPFLAGS-to-upstream-makefiles.patch
0003-Use-get_current_dir_name-over-PATHMAX.patch
0004-Add-support-for-USE_SYSTEM_JEMALLOC-flag.patch
+0001-Apply-security-fixes-for-CVEs-1113.patch
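Review bot: the new patch is appended after 0004-Add-support-for-USE_SYSTEM_JEMALLOC-flag.patch but carries the prefix 0001-, so its name no longer reflects its position in the series. Renaming it to continue the numbering (0005-...) or dropping the number would avoid confusion with the existing numbered entries.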
--- End Message ---
--- Begin Message ---
Version: 12.9
This update has been released as part of 12.9. Thank you for your contribution.
--- End Message ---