From 199fa603ec3cb1f28f98a500d41c9955009c803c Mon Sep 17 00:00:00 2001 From: liujing Date: Mon, 25 Dec 2023 17:25:59 +0800 Subject: [PATCH] [Backport]redis5:fix CVE-2023-45145 CVE:CVE-2023-45145 Reference:https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc Type:CVE reason:Fix CVE-2023-45145 --- Fix-CVE-2023-45145.patch | 66 ++++++++++++++++++++++++++++++++++++++++ redis5.spec | 7 ++++- 2 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 Fix-CVE-2023-45145.patch diff --git a/Fix-CVE-2023-45145.patch b/Fix-CVE-2023-45145.patch new file mode 100644 index 0000000..c351cc9 --- /dev/null +++ b/Fix-CVE-2023-45145.patch @@ -0,0 +1,66 @@ +From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001 +From: Yossi Gottlieb +Date: Wed, 11 Oct 2023 22:45:34 +0300 +Subject: [PATCH] Fix issue of listen before chmod on Unix sockets + (CVE-2023-45145) + +Before this commit, Unix socket setup performed chmod(2) on the socket +file after calling listen(2). Depending on what umask is used, this +could leave the file with the wrong permissions for a short period of +time. As a result, another process could exploit this race condition and +establish a connection that would otherwise not be possible. + +We now make sure the socket permissions are set up prior to calling +listen(2). + +(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42) +--- + src/anet.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/anet.c b/src/anet.c +index 4ea201df5..10840fca2 100644 +--- a/src/anet.c ++++ b/src/anet.c +@@ -407,13 +407,16 @@ int anetUnixGenericConnect(char *err, const char *path, int flags) + return s; + } + +-static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog) { ++static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog, mode_t perm) { + if (bind(s,sa,len) == -1) { + anetSetError(err, "bind: %s", strerror(errno)); + close(s); + return ANET_ERR; + } + ++ if (sa->sa_family == AF_LOCAL && perm) ++ chmod(((struct sockaddr_un *) sa)->sun_path, perm); ++ + if (listen(s, backlog) == -1) { + anetSetError(err, "listen: %s", strerror(errno)); + close(s); +@@ -457,7 +460,7 @@ static int _anetTcpServer(char *err, int port, char *bindaddr, int af, int backl + + if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error; + if (anetSetReuseAddr(err,s) == ANET_ERR) goto error; +- if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR; ++ if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR; + goto end; + } + if (p == NULL) { +@@ -498,10 +501,8 @@ int anetUnixServer(char *err, char *path, mode_t perm, int backlog) + memset(&sa,0,sizeof(sa)); + sa.sun_family = AF_LOCAL; + strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1); +- if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR) ++ if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR) + return ANET_ERR; +- if (perm) +- chmod(sa.sun_path, perm); + return s; + } + +-- +2.42.0.2 + diff --git a/redis5.spec b/redis5.spec index 9643013..d8da333 100644 --- a/redis5.spec +++ b/redis5.spec @@ -6,7 +6,7 @@ %global Pname redis Name: redis5 Version: 5.0.7 -Release: 6 +Release: 7 Summary: A persistent key-value database License: BSD and MIT URL: https://redis.io @@ -27,6 +27,7 @@ Patch0002: Fix-redis5-gcc-10.patch Patch0003: Add-loongarch64-support.patch Patch0004: Update-config.guess-and-config.sub.patch Patch0005: add-sw_64-support.patch +Patch0006: Fix-CVE-2023-45145.patch BuildRequires: gcc %if %{with tests} @@ -95,6 +96,7 @@ tar -xvf %{SOURCE10} %ifarch sw_64 %patch0005 -p1 %endif +%patch0006 -p1 mv ../%{Pname}-doc-%{doc_commit} doc mv deps/lua/COPYRIGHT COPYRIGHT-lua mv deps/hiredis/COPYING COPYING-hiredis @@ -199,6 +201,9 @@ exit 0 %{_docdir}/%{Pname} %changelog +* Mon Dec 25 2023 liujing - 5.0.7-7 +- Fix CVE-2023-45145 + * Sat Aug 12 2023 panchenbo - 5.0.7-6 - add sw_64 support -- Gitee