Your message dated Fri, 13 Jun 2025 20:41:52 +0000
with message-id <[email protected]>
and subject line unblock valkey
has caused the Debian Bug report #1107747,
regarding unblock: valkey/8.1.1+dfsg1-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1107747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107747
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:valkey
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: unblock
Severity: normal
Please unblock package valkey
[ Reason ]
This version contains a fix for CVE-2025-49112.
[ Impact ]
There will be a security vulnerability affecting users (although not
high severity).
[ Tests ]
The upstream tests are passing.
[ Risks ]
The patch is a one-liner and it was well tested by upstream and users
(#1107210). The risk of a regression is pretty low IMHO.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock valkey/8.1.1+dfsg1-2
diff -Nru valkey-8.1.1+dfsg1/debian/changelog valkey-8.1.1+dfsg1/debian/changelog
--- valkey-8.1.1+dfsg1/debian/changelog 2025-06-09 05:47:39.000000000 -0300
+++ valkey-8.1.1+dfsg1/debian/changelog 2025-06-12 14:42:42.000000000 -0300
@@ -1,3 +1,12 @@
+valkey (8.1.1+dfsg1-2) unstable; urgency=medium
+
+ * Fix CVE-2025-49112 (Closes: #1107210)
+ setDeferredReply in networking.c in Valkey through 8.1.1 has an integer
+ underflow for prev->size - prev->used.
+ - d/p/CVE-2025-49112.patch
+
+ -- Lucas Kanashiro <[email protected]> Thu, 12 Jun 2025 14:42:42 -0300
+
valkey (8.1.1+dfsg1-1.1) unstable; urgency=medium
* Non-maintainer upload.
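Review bot: The new entry under "Fix CVE-2025-49112" describes the vulnerability (the underflow in `prev->size - prev->used`) but not the change being shipped. Consider adding a line stating that the condition in setDeferredReply now tests `prev->used < prev->size` and that d/p/CVE-2025-49112.patch is taken from upstream, so the change can be judged from the changelog alone.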
diff -Nru valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch
--- valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch 1969-12-31 21:00:00.000000000 -0300
+++ valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch 2025-06-12 14:40:26.000000000 -0300
@@ -0,0 +1,49 @@
+From: Zeroday BYTE <[email protected]>
+Date: Mon, 26 May 2025 18:57:00 +0700
+Subject: Fix unsigned difference expression compared to zero (#2101)
+
+https://github.com/valkey-io/valkey/blob/daea05b1e26db29bfd1c033e27f9d519a2f8ccbb/src/networking.c#L886-L886
+
+Fix the issue need to ensure that the subtraction `prev->size -
+prev->used` does not underflow. This can be achieved by explicitly
+checking that `prev->used` is less than `prev->size` before performing
+the subtraction. This approach avoids relying on unsigned arithmetic and
+ensures the logic is clear and robust.
+
+The specific changes are:
+1. Replace the condition `prev->size - prev->used > 0` with `prev->used
+< prev->size`.
+2. This change ensures that the logic checks whether there is remaining
+space in the buffer without risking underflow.
+
+**References**
+[INT02-C. Understand integer conversion
+rules](https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules)
+[CWE-191](https://cwe.mitre.org/data/definitions/191.html)
+
+---
+
+Signed-off-by: Zeroday BYTE <[email protected]>
+
+Reviewed-By: Trupti <[email protected]>,
+ Lucas Kanashiro <[email protected]>
+Origin: upstream, https://github.com/valkey-io/valkey/commit/374718b2a365ca
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107210
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-49112
+---
+ src/networking.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/networking.c b/src/networking.c
+index 8d0af29..0b54308 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -859,7 +859,7 @@ void setDeferredReply(client *c, void *node, const char *s, size_t length) {
+ * - It has enough room already allocated
+ * - And not too large (avoid large memmove)
+ * - And the client is not in a pending I/O state */
+- if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) && prev->size - prev->used > 0 &&
++ if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) && prev->used < prev->size &&
+ c->io_write_state != CLIENT_PENDING_IO) {
+ size_t len_to_copy = prev->size - prev->used;
+ if (len_to_copy > length) len_to_copy = length;
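Review bot: In the changed condition in setDeferredReply, the only case the new test `prev->used < prev->size` rejects and the old one accepted is `prev->used > prev->size`, which means the previous reply block is already inconsistent, and the patch skips it silently. With unsigned operands the old `prev->size - prev->used > 0` was true whenever the two values differed, so `len_to_copy` on the following line could wrap to a very large value that the `len_to_copy > length` clamp then reduced to `length`. Consider an assertion or a comment stating the expected invariant `used <= size`, and a regression test, since the diffstat shows only src/networking.c changed. The Origin field would also be easier to verify with the full commit hash instead of the abbreviated `374718b2a365ca`.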
diff -Nru valkey-8.1.1+dfsg1/debian/patches/series valkey-8.1.1+dfsg1/debian/patches/series
--- valkey-8.1.1+dfsg1/debian/patches/series 2025-06-09 05:47:39.000000000 -0300
+++ valkey-8.1.1+dfsg1/debian/patches/series 2025-06-12 14:40:26.000000000 -0300
@@ -4,3 +4,4 @@
0003-Use-get_current_dir_name-over-PATHMAX.patch
0004-Add-support-for-USE_SYSTEM_JEMALLOC-flag.patch
0005-Incorporate-Redis-CVE-for-CVE-2025-27151-2146.patch
+CVE-2025-49112.patch
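Review bot: The added series entry `CVE-2025-49112.patch` breaks the numbered naming used by the entries above it (`0003-`, `0004-`, `0005-`). Consider naming it with the next number in the sequence, keeping the CVE id in the rest of the file name, so the application order stays readable from the names alone.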
--- End Message ---
--- Begin Message ---
Unblocked valkey.
--- End Message ---