From a1850328d2ebf927b39a4153fff5aa5772704324 Mon Sep 17 00:00:00 2001
From: mengwenhua
Date: Thu, 21 Dec 2023 01:01:15 +0800
Subject: [PATCH] fix CVE-2023-28856
Signed-off-by: mengwenhua
---
 backport-CVE-2023-28856.patch | 49 +++++++++++++++++++++++++++++++++++
 redis5.spec | 7 ++++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-28856.patch
diff --git a/backport-CVE-2023-28856.patch b/backport-CVE-2023-28856.patch
new file mode 100644
index 0000000..43ceb81
--- /dev/null
+++ b/backport-CVE-2023-28856.patch
@@ -0,0 +1,49 @@
+From c924ac3fdf8fe544891dc66c88018e259ee4be87 Mon Sep 17 00:00:00 2001
+From: chendianqiang
+Date: Sun, 28 Aug 2022 16:33:41 +0800
+Subject: [PATCH] fix hincrbyfloat not to create a key if the new value is
+ invalid (#11149)
+
+Check the validity of the value before performing the create operation,
+prevents new data from being generated even if the request fails to execute.
+
+Co-authored-by: Oran Agra
+Co-authored-by: chendianqiang
+Co-authored-by: Binbin
+(cherry picked from commit bc7fe41e5857a0854d524e2a63a028e9394d2a5c)
+(cherry picked from commit 606a385935363ea46c0df4f40f8a949d85f7a20a)
+(cherry picked from commit 7df23a5f51488ce002411c9d24b38520ad67b764)
+---
+ src/t_hash.c | 4 ++++
+ tests/unit/type/hash.tcl | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/src/t_hash.c b/src/t_hash.c
+index 3cdfdd169abf..13e65502f145 100644
+--- a/src/t_hash.c
++++ b/src/t_hash.c
+@@ -605,6 +605,10 @@ void hincrbyfloatCommand(client *c) {
+ unsigned int vlen;
+
+ if (getLongDoubleFromObjectOrReply(c,c->argv[3],&incr,NULL) != C_OK) return;
++ if (isnan(incr) || isinf(incr)) {
++ addReplyError(c,"value is NaN or Infinity");
++ return;
++ }
+ if ((o = hashTypeLookupWriteOrCreate(c,c->argv[1])) == NULL) return;
+ if (hashTypeGetValue(o,c->argv[2]->ptr,&vstr,&vlen,&ll) == C_OK) {
+ if (vstr) {
+diff --git a/tests/unit/type/hash.tcl b/tests/unit/type/hash.tcl
+index 9f8a21b1ce11..931662989d82 100644
+--- a/tests/unit/type/hash.tcl
++++ b/tests/unit/type/hash.tcl
+@@ -540,4 +540,9 @@ start_server {tags {"hash"}} {
+ assert {[r hincrbyfloat myhash float -0.1] eq {1.9}}
+ }
+ }
++
++ test {HINCRBYFLOAT does not allow NaN or Infinity} {
++ assert_error "*value is NaN or Infinity*" {r hincrbyfloat hfoo field +inf}
++ assert_equal 0 [r exists hfoo]
++ }
+ }
diff --git a/redis5.spec b/redis5.spec
index 9643013..f937df6 100644
--- a/redis5.spec
+++ b/redis5.spec
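Review bot: The added `isnan(incr) || isinf(incr)` guard in hincrbyfloatCommand (the t_hash.c hunk inside the backported patch) has no comment saying why it must sit above `hashTypeLookupWriteOrCreate`, and that ordering is the whole fix: a rejection placed after the lookup would again leave a newly created key behind when the command fails. I would add `/* Validate incr before the key can be created; a rejected command must not leave a new hash behind (CVE-2023-28856). */` directly above the check. `isnan`/`isinf` need `<math.h>`, and the include list is outside the hunk, so confirm that 5.0.7's t_hash.c already pulls it in. The new test exercises only `+inf`; a `-inf` case with the same `assert_equal 0 [r exists hfoo]` check would pin the other sign. The function body continues outside the hunk.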
@@ -6,7 +6,7 @@
 %global Pname redis
 Name: redis5
 Version: 5.0.7
-Release: 6
+Release: 7
 Summary: A persistent key-value database
 License: BSD and MIT
 URL: https://redis.io
@@ -27,6 +27,7 @@ Patch0002: Fix-redis5-gcc-10.patch
 Patch0003: Add-loongarch64-support.patch
 Patch0004: Update-config.guess-and-config.sub.patch
 Patch0005: add-sw_64-support.patch
+Patch6000: backport-CVE-2023-28856.patch
 BuildRequires: gcc
 %if %{with tests}
@@ -95,6 +96,7 @@ tar -xvf %{SOURCE10}
 %ifarch sw_64
 %patch0005 -p1
 %endif
+%patch6000 -p1
 mv ../%{Pname}-doc-%{doc_commit} doc
 mv deps/lua/COPYRIGHT COPYRIGHT-lua
 mv deps/hiredis/COPYING COPYING-hiredis
@@ -199,6 +201,9 @@ exit 0
 %{_docdir}/%{Pname}
 %changelog
+* Thu Dec 21 2023 mengwenhua - 5.0.7-7
+- fix CVE-2023-28856
+
 * Sat Aug 12 2023 panchenbo - 5.0.7-6
 - add sw_64 support
--
Gitee
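Review bot: `%patch6000 -p1` in the third hunk applies a patch that still carries upstream's offsets and blob ids (`@@ -605,6 +605,10 @@`, `index 3cdfdd169abf..13e65502f145`) and three cherry-pick trailers, so it was probably not regenerated against the 5.0.7 tree and may apply with offset or fuzz without failing the build. Applying it strictly, e.g. `%patch6000 -p1 -F0`, or checking the %prep log once, would confirm that both the t_hash.c and hash.tcl hunks land where intended. The `%if %{with tests}` context in the second hunk suggests the test suite is optional, so the new HINCRBYFLOAT regression test may not run in a default build; the rest of that conditional is outside the hunk.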