!114 [sync] PR-112: Fix CVE-2023-45145,CVE-2024-31228 and CVE-2024-31449

From: @openeuler-sync-bot Reviewed-by: @wang--ge Signed-off-by: @wang--ge
2024-10-16 02:12:11 +00:00 · 2024-10-16 02:12:11 +00:00 · 93a804d368
commit 93a804d368
parent 719b085193 49e43f38a6
4 changed files with 182 additions and 1 deletions
--- a/CVE-2023-45145.patch
+++ b/CVE-2023-45145.patch
@ -0,0 +1,66 @@
 From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001
 From: Yossi Gottlieb <yossigo@gmail.com>
 Date: Wed, 11 Oct 2023 22:45:34 +0300
 Subject: [PATCH] Fix issue of listen before chmod on Unix sockets
 (CVE-2023-45145)
 Before this commit, Unix socket setup performed chmod(2) on the socket
 file after calling listen(2). Depending on what umask is used, this
 could leave the file with the wrong permissions for a short period of
 time. As a result, another process could exploit this race condition and
 establish a connection that would otherwise not be possible.
 We now make sure the socket permissions are set up prior to calling
 listen(2).
 (cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42)
 ---
 src/anet.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
 diff --git a/src/anet.c b/src/anet.c
 index dc88eb7..d0db80f 100644
 --- a/src/anet.c
 +++ b/src/anet.c
@@ -437,13 +437,16 @@ int anetWrite(int fd, char *buf, int count)
     return totlen;
 }
 -static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog) {
 +static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog, mode_t perm) {
     if (bind(s,sa,len) == -1) {
         anetSetError(err, "bind: %s", strerror(errno));
         close(s);
         return ANET_ERR;
     }
 +    if (sa->sa_family == AF_LOCAL && perm)
 +        chmod(((struct sockaddr_un *) sa)->sun_path, perm);
 +
     if (listen(s, backlog) == -1) {
         anetSetError(err, "listen: %s", strerror(errno));
         close(s);
@@ -484,7 +487,7 @@ static int _anetTcpServer(char *err, int port, char *bindaddr, int af, int backl
         if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error;
         if (anetSetReuseAddr(err,s) == ANET_ERR) goto error;
 -        if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR;
 +        if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR;
         goto end;
     }
     if (p == NULL) {
@@ -521,10 +524,8 @@ int anetUnixServer(char *err, char *path, mode_t perm, int backlog)
     memset(&sa,0,sizeof(sa));
     sa.sun_family = AF_LOCAL;
     strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1);
 -    if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR)
 +    if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR)
         return ANET_ERR;
 -    if (perm)
 -        chmod(sa.sun_path, perm);
     return s;
 }
 -- 
 2.33.0
--- a/CVE-2024-31228.patch
+++ b/CVE-2024-31228.patch
@ -0,0 +1,63 @@
 From c8649f8e852d1dc388b5446e003bb0eefa33d61f Mon Sep 17 00:00:00 2001
 From: Oran Agra <oran@redislabs.com>
 Date: Wed, 2 Oct 2024 20:11:01 +0300
 Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228)
 ---
 src/util.c              | 9 ++++++---
 tests/unit/keyspace.tcl | 6 ++++++
 2 files changed, 12 insertions(+), 3 deletions(-)
 diff --git a/src/util.c b/src/util.c
 index 861ef67..0f5e8e1 100644
 --- a/src/util.c
 +++ b/src/util.c
@@ -45,8 +45,11 @@
 /* Glob-style pattern matching. */
 static int stringmatchlen_impl(const char *pattern, int patternLen,
 -        const char *string, int stringLen, int nocase, int *skipLongerMatches)
 +        const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
 {
 +    /* Protection against abusive patterns. */
 +    if (nesting > 1000) return 0;
 +
     while(patternLen && stringLen) {
         switch(pattern[0]) {
         case '*':
@@ -58,7 +61,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
                 return 1; /* match */
             while(stringLen) {
                if (stringmatchlen_impl(pattern+1, patternLen-1,
 -                            string, stringLen, nocase, skipLongerMatches))
 +                            string, stringLen, nocase, skipLongerMatches, nesting+1))
                     return 1; /* match */
                if (*skipLongerMatches)
                     return 0; /* no match */
@@ -181,7 +184,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
 int stringmatchlen(const char *pattern, int patternLen,
         const char *string, int stringLen, int nocase) {
     int skipLongerMatches = 0;
 -    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
 +    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
 }
 int stringmatch(const char *pattern, const char *string, int nocase) {
 diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
 index 1617ac5..2217b29 100644
 --- a/tests/unit/keyspace.tcl
 +++ b/tests/unit/keyspace.tcl
@@ -278,4 +278,10 @@ start_server {tags {"keyspace"}} {
         r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
         r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
     } {}
 +
 +    test {Regression for pattern matching very long nested loops} {
 +        r flushdb
 +        r SET [string repeat "a" 50000] 1
 +        r KEYS [string repeat "*?" 50000]
 +    } {}
 }
 -- 
 2.33.0
--- a/CVE-2024-31449.patch
+++ b/CVE-2024-31449.patch
@ -0,0 +1,43 @@
 From fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 Mon Sep 17 00:00:00 2001
 From: Oran Agra <oran@redislabs.com>
 Date: Wed, 2 Oct 2024 19:54:06 +0300
 Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449)
 INT_MIN value must be explicitly checked, and cannot be negated.
 ---
 deps/lua/src/lua_bit.c   | 1 +
 tests/unit/scripting.tcl | 6 ++++++
 2 files changed, 7 insertions(+)
 diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
 index 690df7d..a459ca9 100644
 --- a/deps/lua/src/lua_bit.c
 +++ b/deps/lua/src/lua_bit.c
@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L)
   const char *hexdigits = "0123456789abcdef";
   char buf[8];
   int i;
 +  if (n == INT32_MIN) n = INT32_MIN+1;
   if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
   if (n > 8) n = 8;
   for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
 diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
 index d747fa6..a7e1e9e 100644
 --- a/tests/unit/scripting.tcl
 +++ b/tests/unit/scripting.tcl
@@ -459,6 +459,12 @@ start_server {tags {"scripting"}} {
         set e
     } {*ERR*attempted to create global*}
 +    test {lua bit.tohex bug} {
 +        set res [run_script {return bit.tohex(65535, -2147483648)} 0]
 +        r ping
 +        set res
 +    } {0000FFFF}
 +
     test {Test an example script DECR_IF_GT} {
         set decr_if_gt {
             local current
 -- 
 2.33.0
--- a/redis.spec
+++ b/redis.spec
@ -1,6 +1,6 @@
 Name:           redis
 Version:        4.0.14
-Release:        6
+Release:        7
 Summary:        A persistent key-value database
 License:        BSD-3-Clause and MIT
 URL:            https://redis.io
@ -22,6 +22,9 @@ Patch0010:      CVE-2021-32672.patch
 Patch0011:      CVE-2022-36021.patch
 Patch0012:      CVE-2023-28856.patch
 Patch0013:      CVE-2022-24834.patch
 Patch0014:      CVE-2023-45145.patch
 Patch0015:      CVE-2024-31228.patch
 Patch0016:      CVE-2024-31449.patch
 BuildRequires:     systemd gcc
 Requires:          /bin/awk
@ -52,6 +55,9 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %patch0011 -p1
 %patch0012 -p1
 %patch0013 -p1
 %patch0014 -p1
 %patch0015 -p1
 %patch0016 -p1
 %ifarch loongarch64
 %_update_config_guess
 %_update_config_sub
@ -113,6 +119,9 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service
 %changelog
 * Wed Oct 09 2024 yaoxin <yao_xin001@hoperun.com> - 4.0.14-7
 - Fix CVE-2023-45145,CVE-2024-31228 and CVE-2024-31449
 * Mon Jul 31 2023 wangkai <13474090681@163.com> - 4.0.14-6
 - Fix CVE-2022-24834