mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

redis: handle CVE-2025-27151

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27151

In redis 7 this is already patched[1], and the recipe contains the
fix.
For redis 6 backport the relevant patch (which is referenced in the
nvd report)

[1]: https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Gyorgy Sarvari
2025-11-30 21:35:09 +01:00
committed by Anuj Mittal
parent ac19cd99a8
commit 8f602e1cfa
3 changed files with 35 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-extended/redis/redis/CVE-2025-27151.patch
+32
View File
@@ -0,0 +1,32 @@
From 845233cecd6327a20957a97b78e61bccaaa652f7 Mon Sep 17 00:00:00 2001
From: YaacovHazan <yaacov.hazan@redis.com>
Date: Tue, 27 May 2025 10:23:27 +0300
Subject: [PATCH] Check length of AOF file name in redis-check-aof
(CVE-2025-27151)
Ensure that the length of the input file name does not exceed PATH_MAX
CVE: CVE-2025-27151
Upstream-Status: Backport [https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
src/redis-check-aof.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/redis-check-aof.c b/src/redis-check-aof.c
index 1507e0a..3961ac5 100644
--- a/src/redis-check-aof.c
+++ b/src/redis-check-aof.c
@@ -164,6 +164,12 @@ int redis_check_aof_main(int argc, char **argv) {
exit(1);
}
+ /* Check if filepath is longer than PATH_MAX */
+ if (strlen(filename) > PATH_MAX) {
+ printf("Error: filename is too long (exceeds PATH_MAX)\n");
+ exit(1);
+ }
+
FILE *fp = fopen(filename,"r+");
if (fp == NULL) {
printf("Cannot open file: %s\n", filename);
meta-oe/recipes-extended/redis/redis_6.2.21.bb
+2 -1
View File
@@ -16,7 +16,8 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://0004-src-Do-not-reset-FINAL_LIBS.patch \
file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \
file://0006-Define-correct-gregs-for-RISCV32.patch \
"
file://CVE-2025-27151.patch \
"
SRC_URI[sha256sum] = "6383b32ba8d246f41bbbb83663381f5a5f4c4713235433cec22fc4a47e9b6d5f"
meta-oe/recipes-extended/redis/redis_7.2.12.bb
+1
View File
@@ -71,3 +71,4 @@ SYSTEMD_SERVICE:${PN} = "redis.service"
CVE_STATUS[CVE-2022-3734] = "not-applicable-platform: CVE only applies for Windows."
CVE_STATUS[CVE-2022-0543] = "not-applicable-config: the vulnerability is not present in upstream, only in Debian-packaged versions"
CVE_STATUS[CVE-2025-27151] = "fixed-version: the used version(7.2.12) contains the fix"