diff --git a/SPECS/redis/CVE-2025-32023.patch b/SPECS/redis/CVE-2025-32023.patch new file mode 100644 index 00000000000..0ad7d373900 --- /dev/null +++ b/SPECS/redis/CVE-2025-32023.patch 
@@ -0,0 +1,151 @@ +From a459b0c22a8f53dbaa9f84e8320c4176a051cc23 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Wed, 9 Jul 2025 05:27:25 +0000 +Subject: [PATCH] Fix CVE CVE-2025-32023 in redis + +Upstream Patch Reference: https://github.com/redis/redis/commit/50188747cbfe43528d2719399a2a3c9599169445.diff +--- + src/hyperloglog.c | 47 ++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 42 insertions(+), 5 deletions(-) + +diff --git a/src/hyperloglog.c b/src/hyperloglog.c +index 75a0422..7cabfa1 100644 +--- a/src/hyperloglog.c ++++ b/src/hyperloglog.c +@@ -586,6 +586,7 @@ int hllSparseToDense(robj *o) { + struct hllhdr *hdr, *oldhdr = (struct hllhdr*)sparse; + int idx = 0, runlen, regval; + uint8_t *p = (uint8_t*)sparse, *end = p+sdslen(sparse); ++ int valid = 1; + + /* If the representation is already the right one return ASAP. */ + hdr = (struct hllhdr*) sparse; +@@ -605,16 +606,27 @@ int hllSparseToDense(robj *o) { + while(p < end) { + if (HLL_SPARSE_IS_ZERO(p)) { + runlen = HLL_SPARSE_ZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + p++; + } else if (HLL_SPARSE_IS_XZERO(p)) { + runlen = HLL_SPARSE_XZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + p += 2; + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); +- if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */ ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + while(runlen--) { + HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval); + idx++; +@@ -625,7 +637,7 @@ int hllSparseToDense(robj *o) { + + /* If the sparse representation was valid, we expect to find idx + * set to HLL_REGISTERS. 
*/ +- if (idx != HLL_REGISTERS) { ++ if (!valid || idx != HLL_REGISTERS) { + sdsfree(dense); + return C_ERR; + } +@@ -911,27 +923,40 @@ int hllSparseAdd(robj *o, unsigned char *ele, size_t elesize) { + void hllSparseRegHisto(uint8_t *sparse, int sparselen, int *invalid, int* reghisto) { + int idx = 0, runlen, regval; + uint8_t *end = sparse+sparselen, *p = sparse; ++ int valid = 1; + + while(p < end) { + if (HLL_SPARSE_IS_ZERO(p)) { + runlen = HLL_SPARSE_ZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + reghisto[0] += runlen; + p++; + } else if (HLL_SPARSE_IS_XZERO(p)) { + runlen = HLL_SPARSE_XZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + reghisto[0] += runlen; + p += 2; + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + reghisto[regval] += runlen; + p++; + } + } +- if (idx != HLL_REGISTERS && invalid) *invalid = 1; ++ if ((!valid || idx != HLL_REGISTERS) && invalid) *invalid = 1; + } + + /* ========================= HyperLogLog Count ============================== +@@ -1079,22 +1104,34 @@ int hllMerge(uint8_t *max, robj *hll) { + } else { + uint8_t *p = hll->ptr, *end = p + sdslen(hll->ptr); + long runlen, regval; ++ int valid = 1; + + p += HLL_HDR_SIZE; + i = 0; + while(p < end) { + if (HLL_SPARSE_IS_ZERO(p)) { + runlen = HLL_SPARSE_ZERO_LEN(p); ++ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + i += runlen; + p++; + } else if (HLL_SPARSE_IS_XZERO(p)) { + runlen = HLL_SPARSE_XZERO_LEN(p); ++ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + i += runlen; + p += 2; + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); +- if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. 
*/ ++ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + while(runlen--) { + if (regval > max[i]) max[i] = regval; + i++; +@@ -1102,7 +1139,7 @@ int hllMerge(uint8_t *max, robj *hll) { + p++; + } + } +- if (i != HLL_REGISTERS) return C_ERR; ++ if (!valid || i != HLL_REGISTERS) return C_ERR; + } + return C_OK; + } +-- +2.45.3 + diff --git a/SPECS/redis/CVE-2025-48367.patch b/SPECS/redis/CVE-2025-48367.patch new file mode 100644 index 00000000000..a3a19916604 --- /dev/null +++ b/SPECS/redis/CVE-2025-48367.patch 
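Review bot: The XZERO branches in all three loops (hllSparseToDense, hllSparseRegHisto, hllMerge) still decode a two-byte opcode under a `while(p < end)` condition that guarantees only one byte, and the added overflow guards do not cover that. If HLL_SPARSE_XZERO_LEN reads the byte at p+1 (the `p += 2` suggests it does; the macro is not shown here), a sparse payload ending in a lone XZERO byte has its length taken from one byte past `end`. For the two sds-backed loops that byte is presumably the string terminator, but hllSparseRegHisto receives a raw pointer and length, so its callers would need checking. A guard such as `if (end - p < 2) { valid = 0; break; }` ahead of the length read would reject the truncated encoding through the same `valid` path this patch introduces. The function bodies start and end outside the inner hunks, so this is based only on the loop lines visible here.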
@@ -0,0 +1,46 @@ +From db50861bc3a165659c3b04cf3be50d60ff7f6890 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Wed, 9 Jul 2025 05:27:36 +0000 +Subject: [PATCH] Fix CVE CVE-2025-48367 in redis + +Upstream Patch Reference: https://github.com/redis/redis/commit/bde62951accfc4bb0a516276fd0b4b307e140ce2.diff +--- + src/anet.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/src/anet.c b/src/anet.c +index 91f6171..2e42fc5 100644 +--- a/src/anet.c ++++ b/src/anet.c +@@ -594,3 +594,27 @@ int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type) { + anetFdToString(fd,ip,sizeof(ip),&port,fd_to_str_type); + return anetFormatAddr(buf, buf_len, ip, port); + } ++ ++/* This function must be called after accept4() fails. It returns 1 if 'err' ++ * indicates accepted connection faced an error, and it's okay to continue ++ * accepting next connection by calling accept4() again. Other errors either ++ * indicate programming errors, e.g. calling accept() on a closed fd or indicate ++ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been ++ * reached. In the latter case, caller might wait until resources are available. ++ * See accept4() documentation for details. */ ++int anetAcceptFailureNeedsRetry(int err) { ++ if (err == ECONNABORTED) ++ return 1; ++ ++#if defined(__linux__) ++ /* For details, see 'Error Handling' section on ++ * https://man7.org/linux/man-pages/man2/accept.2.html */ ++ if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT || ++ err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH || ++ err == EOPNOTSUPP || err == ENETUNREACH) ++ { ++ return 1; ++ } ++#endif ++ return 0; ++} +-- +2.45.3 + diff --git a/SPECS/redis/redis.spec b/SPECS/redis/redis.spec index 7c38f945cb1..bdea421b06a 100644 --- a/SPECS/redis/redis.spec +++ b/SPECS/redis/redis.spec 
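Review bot: Nothing in this patch calls `anetAcceptFailureNeedsRetry()`: the diffstat lists only src/anet.c (1 file changed, 24 insertions), so the helper lands as dead code and the accept paths behave exactly as before. The function's own comment says it must be called after accept4() fails, so the fix depends on the accept handlers consulting it. Those caller-side changes, and a prototype such as `int anetAcceptFailureNeedsRetry(int err);` in anet.h, appear to be missing from this backport. Compare against the referenced upstream commit and carry the remaining hunks, adapted to the 6.2.18 tree, before the changelog records CVE-2025-48367 as patched.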
@@ -1,7 +1,7 @@ Summary: advanced key-value store Name: redis Version: 6.2.18 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -10,6 +10,8 @@ URL: https://redis.io/ Source0: https://download.redis.io/releases/%{name}-%{version}.tar.gz Patch0: redis-conf.patch Patch1: disable_active_defrag_big_keys.patch +Patch2: CVE-2025-48367.patch +Patch3: CVE-2025-32023.patch BuildRequires: gcc BuildRequires: make BuildRequires: openssl-devel @@ -84,6 +86,9 @@ exit 0 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf %changelog +* Wed Jul 09 2025 Azure Linux Security Servicing Account - 6.2.18-2 +- Patch for CVE-2025-48367, CVE-2025-32023 + * Wed Apr 30 2025 CBL-Mariner Servicing Account - 6.2.18-1 - Auto-upgrade to 6.2.18 - for CVE-2025-21605