mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

redis: fix CVE-2021-29477

Browse Source 
This patch backports the fix for CVE-2021-29477.

CVE: CVE-2021-29477
Upstream-Status: Backport
[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]

An integer overflow bug in Redis version 6.0 or newer could be exploited using
the STRALGO LCS command to corrupt the heap and potentially result with remote
code execution.

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Tony Tascioglu
2021-07-16 11:47:32 -07:00
committed by Armin Kuster
parent 98e00710b7
commit 5865a76847
2 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
+35
View File
@@ -0,0 +1,35 @@
From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Mon, 3 May 2021 08:32:31 +0300
Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
An integer overflow bug in Redis version 6.0 or newer could be exploited using
the STRALGO LCS command to corrupt the heap and potentially result with remote
code execution.
CVE: CVE-2021-29477
Upstream-Status: Backport
[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
---
src/t_string.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/t_string.c b/src/t_string.c
index 9228c5ed0..db6f7042e 100644
--- a/src/t_string.c
+++ b/src/t_string.c
@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
/* Setup an uint32_t array to store at LCS[i,j] the length of the
* LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
* we index it as LCS[j+(blen+1)*j] */
- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
+ uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
#define LCS(A,B) lcs[(B)+((A)*(blen+1))]
/* Start building the LCS table. */
--
2.32.0
meta-oe/recipes-extended/redis/redis_6.2.2.bb
+1
View File
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://0001-src-Do-not-reset-FINAL_LIBS.patch \
file://GNU_SOURCE.patch \
file://0006-Define-correct-gregs-for-RISCV32.patch \
file://fix-CVE-2021-29477.patch \
"
SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"