From 451793502e6ccc1e7a764bb73dff690c754d034d Mon Sep 17 00:00:00 2001
From: dengyuyu01
Date: Thu, 19 May 2022 10:25:50 +0800
Subject: [PATCH] fix CVE-2022-24736
(cherry picked from commit b62f20bf5aa0139745ad63aecacb6631991b800a)
---
 CVE-2022-24736.patch | 60 ++++++++++++++++++++++++++++++++++++++++++++
 redis5.spec | 7 +++++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-24736.patch
diff --git a/CVE-2022-24736.patch b/CVE-2022-24736.patch
new file mode 100644
index 0000000..23efe6e
--- /dev/null
+++ b/CVE-2022-24736.patch
@@ -0,0 +1,60 @@
+diff -Naru redis-5.0.14/deps/lua/src/ldebug.c redis-5.0.14-new/deps/lua/src/ldebug.c
+--- redis-5.0.14/deps/lua/src/ldebug.c 2021-10-04 18:58:43.000000000 +0800
++++ redis-5.0.14-new/deps/lua/src/ldebug.c 2022-05-16 11:01:09.877613000 +0800
+@@ -80,7 +80,6 @@
+ return L->basehookcount;
+ }
+
+-
+ LUA_API int lua_getstack (lua_State *L, int level, lua_Debug *ar) {
+ int status;
+ CallInfo *ci;
+diff -Naru redis-5.0.14/deps/lua/src/lobject.h redis-5.0.14-new/deps/lua/src/lobject.h
+--- redis-5.0.14/deps/lua/src/lobject.h 2021-10-04 18:58:43.000000000 +0800
++++ redis-5.0.14-new/deps/lua/src/lobject.h 2022-05-16 11:03:06.374928000 +0800
+@@ -337,7 +337,8 @@
+
+ typedef struct Table {
+ CommonHeader;
+- lu_byte flags; /* 1<

array = NULL;
+ t->sizearray = 0;
+ t->lsizenode = 0;
++ t->readonly = 0;
+ t->node = cast(Node *, dummynode);
+ setarrayvector(L, t, narray);
+ setnodevector(L, t, nhash);
+diff -Naru redis-5.0.14/deps/lua/src/lua.h redis-5.0.14-new/deps/lua/src/lua.h
+--- redis-5.0.14/deps/lua/src/lua.h 2021-10-04 18:58:43.000000000 +0800
++++ redis-5.0.14-new/deps/lua/src/lua.h 2022-05-16 11:06:52.052521000 +0800
+@@ -358,6 +358,9 @@
+ int i_ci; /* active function */
+ };
+
++ LUA_API void lua_enablereadonlytable (lua_State *L, int index, int enabled);
++ LUA_API int lua_isreadonlytable (lua_State *L, int index);
++
+ /* }====================================================================== */
+
+
+diff -Naru redis-5.0.14/deps/lua/src/lvm.c redis-5.0.14-new/deps/lua/src/lvm.c
+--- redis-5.0.14/deps/lua/src/lvm.c 2021-10-04 18:58:43.000000000 +0800
++++ redis-5.0.14-new/deps/lua/src/lvm.c 2022-05-16 11:14:26.356619000 +0800
+@@ -138,6 +138,8 @@
+ const TValue *tm;
+ if (ttistable(t)) { /* `t' is a table? */
+ Table *h = hvalue(t);
++ if (h->readonly)
++ luaG_runerror(L, "Attempt to modify a readonly table");
+ TValue *oldval = luaH_set(L, h, key); /* do a primitive set */
+ if (!ttisnil(oldval) || /* result is no nil? */
+ (tm = fasttm(L, h->metatable, TM_NEWINDEX)) == NULL) { /* or no TM? */
diff --git a/redis5.spec b/redis5.spec
index 16c0ab4..72747b8 100644
--- a/redis5.spec
+++ b/redis5.spec
@@ -6,7 +6,7 @@
 %global Pname redis
 Name: redis5
 Version: 5.0.14
-Release: 2
+Release: 3
 Summary: A persistent key-value database
 License: BSD and MIT
 URL: https://redis.io
@@ -24,6 +24,7 @@ Source10: https://github.com/antirez/%{Pname}-doc/archive/%{doc_commi
 Patch0001: Modify-aarch64-architecture-jemalloc-page-size-from-from-4k-to-64k.patch
 Patch0002: Fix-display-error-message.patch
+Patch0003: CVE-2022-24736.patch
 BuildRequires: gcc
 %if %{with tests}
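Review bot: The `if (h->readonly)` guard added to the table branch of luaV_settable in the lvm.c section cannot fire with what this patch file contains: the only visible write to the new field is `t->readonly = 0;` in ltable.c, and lua.h declares `lua_enablereadonlytable` and `lua_isreadonlytable` without any section defining or calling them. The diffstat gives 60 lines for CVE-2022-24736.patch, which the five sections shown appear to account for, so a lapi.c section (the two definitions, and the same guard on raw writes such as `lua_rawset`, `lua_rawseti` and `lua_setmetatable`, which do not pass through luaV_settable) seems to be absent; part of this page is garbled around lobject.h and ltable.c, so this should be confirmed against the patch file itself. As shown, the change would leave script behaviour unchanged, so it is worth verifying that the upstream fix for this CVE was carried over in full before the changelog records it as fixed. A smaller style point in the same hunk: `TValue *oldval` now follows a statement, so either hoist the declaration (`TValue *oldval;` before the `if`, then `oldval = luaH_set(L, h, key);`) or confirm the Lua sources are not built as C89.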
@@ -85,6 +86,7 @@ tar -xvf %{SOURCE10}
 %patch0001 -p1
 %endif
 %patch0002 -p1
+%patch0003 -p1
 mv ../%{Pname}-doc-%{doc_commit} doc
 mv deps/lua/COPYRIGHT COPYRIGHT-lua
 mv deps/hiredis/COPYING COPYING-hiredis
@@ -189,6 +191,9 @@ exit 0
 %{_docdir}/%{Pname}
 %changelog
+* Thu May 19 2022 dengyuyu - 5.0.14-3
+- Fix CVE-2022-24736
+
 * Sat Dec 04 2021 xu_ping - 5.0.14-2
 - Fix display error message
-- Gitee