Skip to content

Commit 6608913

Browse files
azurelinux-securityazurelinux-security
committed
Patch redis for CVE-2025-48367, CVE-2025-32023
1 parent 0dee531 commit 6608913

File tree

3 files changed

+203
-1
lines changed

3 files changed

+203
-1
lines changed

SPECS/redis/CVE-2025-32023.patch

Lines changed: 151 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,151 @@
1+
From a459b0c22a8f53dbaa9f84e8320c4176a051cc23 Mon Sep 17 00:00:00 2001
2+
From: Azure Linux Security Servicing Account
3+
<[email protected]>
4+
Date: Wed, 9 Jul 2025 05:27:25 +0000
5+
Subject: [PATCH] Fix CVE CVE-2025-32023 in redis
6+
7+
Upstream Patch Reference: https://github.com/redis/redis/commit/50188747cbfe43528d2719399a2a3c9599169445.diff
8+
---
9+
src/hyperloglog.c | 47 ++++++++++++++++++++++++++++++++++++++++++-----
10+
1 file changed, 42 insertions(+), 5 deletions(-)
11+
12+
diff --git a/src/hyperloglog.c b/src/hyperloglog.c
13+
index 75a0422..7cabfa1 100644
14+
--- a/src/hyperloglog.c
15+
+++ b/src/hyperloglog.c
16+
@@ -586,6 +586,7 @@ int hllSparseToDense(robj *o) {
17+
struct hllhdr *hdr, *oldhdr = (struct hllhdr*)sparse;
18+
int idx = 0, runlen, regval;
19+
uint8_t *p = (uint8_t*)sparse, *end = p+sdslen(sparse);
20+
+ int valid = 1;
21+
22+
/* If the representation is already the right one return ASAP. */
23+
hdr = (struct hllhdr*) sparse;
24+
@@ -605,16 +606,27 @@ int hllSparseToDense(robj *o) {
25+
while(p < end) {
26+
if (HLL_SPARSE_IS_ZERO(p)) {
27+
runlen = HLL_SPARSE_ZERO_LEN(p);
28+
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
29+
+ valid = 0;
30+
+ break;
31+
+ }
32+
idx += runlen;
33+
p++;
34+
} else if (HLL_SPARSE_IS_XZERO(p)) {
35+
runlen = HLL_SPARSE_XZERO_LEN(p);
36+
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
37+
+ valid = 0;
38+
+ break;
39+
+ }
40+
idx += runlen;
41+
p += 2;
42+
} else {
43+
runlen = HLL_SPARSE_VAL_LEN(p);
44+
regval = HLL_SPARSE_VAL_VALUE(p);
45+
- if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */
46+
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
47+
+ valid = 0;
48+
+ break;
49+
+ }
50+
while(runlen--) {
51+
HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
52+
idx++;
53+
@@ -625,7 +637,7 @@ int hllSparseToDense(robj *o) {
54+
55+
/* If the sparse representation was valid, we expect to find idx
56+
* set to HLL_REGISTERS. */
57+
- if (idx != HLL_REGISTERS) {
58+
+ if (!valid || idx != HLL_REGISTERS) {
59+
sdsfree(dense);
60+
return C_ERR;
61+
}
62+
@@ -911,27 +923,40 @@ int hllSparseAdd(robj *o, unsigned char *ele, size_t elesize) {
63+
void hllSparseRegHisto(uint8_t *sparse, int sparselen, int *invalid, int* reghisto) {
64+
int idx = 0, runlen, regval;
65+
uint8_t *end = sparse+sparselen, *p = sparse;
66+
+ int valid = 1;
67+
68+
while(p < end) {
69+
if (HLL_SPARSE_IS_ZERO(p)) {
70+
runlen = HLL_SPARSE_ZERO_LEN(p);
71+
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
72+
+ valid = 0;
73+
+ break;
74+
+ }
75+
idx += runlen;
76+
reghisto[0] += runlen;
77+
p++;
78+
} else if (HLL_SPARSE_IS_XZERO(p)) {
79+
runlen = HLL_SPARSE_XZERO_LEN(p);
80+
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
81+
+ valid = 0;
82+
+ break;
83+
+ }
84+
idx += runlen;
85+
reghisto[0] += runlen;
86+
p += 2;
87+
} else {
88+
runlen = HLL_SPARSE_VAL_LEN(p);
89+
regval = HLL_SPARSE_VAL_VALUE(p);
90+
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
91+
+ valid = 0;
92+
+ break;
93+
+ }
94+
idx += runlen;
95+
reghisto[regval] += runlen;
96+
p++;
97+
}
98+
}
99+
- if (idx != HLL_REGISTERS && invalid) *invalid = 1;
100+
+ if ((!valid || idx != HLL_REGISTERS) && invalid) *invalid = 1;
101+
}
102+
103+
/* ========================= HyperLogLog Count ==============================
104+
@@ -1079,22 +1104,34 @@ int hllMerge(uint8_t *max, robj *hll) {
105+
} else {
106+
uint8_t *p = hll->ptr, *end = p + sdslen(hll->ptr);
107+
long runlen, regval;
108+
+ int valid = 1;
109+
110+
p += HLL_HDR_SIZE;
111+
i = 0;
112+
while(p < end) {
113+
if (HLL_SPARSE_IS_ZERO(p)) {
114+
runlen = HLL_SPARSE_ZERO_LEN(p);
115+
+ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
116+
+ valid = 0;
117+
+ break;
118+
+ }
119+
i += runlen;
120+
p++;
121+
} else if (HLL_SPARSE_IS_XZERO(p)) {
122+
runlen = HLL_SPARSE_XZERO_LEN(p);
123+
+ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
124+
+ valid = 0;
125+
+ break;
126+
+ }
127+
i += runlen;
128+
p += 2;
129+
} else {
130+
runlen = HLL_SPARSE_VAL_LEN(p);
131+
regval = HLL_SPARSE_VAL_VALUE(p);
132+
- if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. */
133+
+ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
134+
+ valid = 0;
135+
+ break;
136+
+ }
137+
while(runlen--) {
138+
if (regval > max[i]) max[i] = regval;
139+
i++;
140+
@@ -1102,7 +1139,7 @@ int hllMerge(uint8_t *max, robj *hll) {
141+
p++;
142+
}
143+
}
144+
- if (i != HLL_REGISTERS) return C_ERR;
145+
+ if (!valid || i != HLL_REGISTERS) return C_ERR;
146+
}
147+
return C_OK;
148+
}
149+
--
150+
2.45.3
151+

SPECS/redis/CVE-2025-48367.patch

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
From db50861bc3a165659c3b04cf3be50d60ff7f6890 Mon Sep 17 00:00:00 2001
2+
From: Azure Linux Security Servicing Account
3+
<[email protected]>
4+
Date: Wed, 9 Jul 2025 05:27:36 +0000
5+
Subject: [PATCH] Fix CVE CVE-2025-48367 in redis
6+
7+
Upstream Patch Reference: https://github.com/redis/redis/commit/bde62951accfc4bb0a516276fd0b4b307e140ce2.diff
8+
---
9+
src/anet.c | 24 ++++++++++++++++++++++++
10+
1 file changed, 24 insertions(+)
11+
12+
diff --git a/src/anet.c b/src/anet.c
13+
index 91f6171..2e42fc5 100644
14+
--- a/src/anet.c
15+
+++ b/src/anet.c
16+
@@ -594,3 +594,27 @@ int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type) {
17+
anetFdToString(fd,ip,sizeof(ip),&port,fd_to_str_type);
18+
return anetFormatAddr(buf, buf_len, ip, port);
19+
}
20+
+
21+
+/* This function must be called after accept4() fails. It returns 1 if 'err'
22+
+ * indicates accepted connection faced an error, and it's okay to continue
23+
+ * accepting next connection by calling accept4() again. Other errors either
24+
+ * indicate programming errors, e.g. calling accept() on a closed fd or indicate
25+
+ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been
26+
+ * reached. In the latter case, caller might wait until resources are available.
27+
+ * See accept4() documentation for details. */
28+
+int anetAcceptFailureNeedsRetry(int err) {
29+
+ if (err == ECONNABORTED)
30+
+ return 1;
31+
+
32+
+#if defined(__linux__)
33+
+ /* For details, see 'Error Handling' section on
34+
+ * https://man7.org/linux/man-pages/man2/accept.2.html */
35+
+ if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT ||
36+
+ err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH ||
37+
+ err == EOPNOTSUPP || err == ENETUNREACH)
38+
+ {
39+
+ return 1;
40+
+ }
41+
+#endif
42+
+ return 0;
43+
+}
44+
--
45+
2.45.3
46+

SPECS/redis/redis.spec

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
Summary: advanced key-value store
22
Name: redis
33
Version: 6.2.18
4-
Release: 1%{?dist}
4+
Release: 2%{?dist}
55
License: BSD
66
Vendor: Microsoft Corporation
77
Distribution: Mariner
@@ -10,6 +10,8 @@ URL: https://redis.io/
1010
Source0: https://download.redis.io/releases/%{name}-%{version}.tar.gz
1111
Patch0: redis-conf.patch
1212
Patch1: disable_active_defrag_big_keys.patch
13+
Patch2: CVE-2025-48367.patch
14+
Patch3: CVE-2025-32023.patch
1315
BuildRequires: gcc
1416
BuildRequires: make
1517
BuildRequires: openssl-devel
@@ -84,6 +86,9 @@ exit 0
8486
%config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf
8587

8688
%changelog
89+
* Wed Jul 09 2025 Azure Linux Security Servicing Account <[email protected]> - 6.2.18-2
90+
- Patch for CVE-2025-48367, CVE-2025-32023
91+
8792
* Wed Apr 30 2025 CBL-Mariner Servicing Account <[email protected]> - 6.2.18-1
8893
- Auto-upgrade to 6.2.18 - for CVE-2025-21605
8994

0 commit comments

Comments
 (0)