From 197cd6e85117f238c506c33f0323f0433b6c8edf Mon Sep 17 00:00:00 2001
From: yangweidong
Date: Wed, 18 May 2022 14:19:29 +0800
Subject: [PATCH 1/3] fix CVE-2022-24736

---
 CVE-2022-24736.patch | 38 ++++++++++++++++++++++++++++++++++++++
 redis6.spec | 7 ++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-24736.patch

diff --git a/CVE-2022-24736.patch b/CVE-2022-24736.patch
new file mode 100644
index 0000000..bf7350c
--- /dev/null
+++ b/CVE-2022-24736.patch
@@ -0,0 +1,38 @@
+diff -Naru redis-6.0.11/src/scripting.c redis-6.0.11-new/src/scripting.c
+--- redis-6.0.11/src/scripting.c 2021-02-23 07:35:37.000000000 +0800
++++ redis-6.0.11-new/src/scripting.c 2022-05-17 15:04:04.498095000 +0800
+@@ -558,6 +558,10 @@
+ inuse--;
+ return raise_error ? luaRaiseError(lua) : 1;
+ }
++
++ /* Pop all arguments from the stack, we do not need them anymore
++ * and this way we guaranty we will have room on the stack for the result. */
++ lua_pop(lua, argc);
+ 
+ /* Setup our fake client for command execution */
+ c->argv = argv;
+@@ -624,6 +628,7 @@
+ * command marked as non-deterministic was already called in the context
+ * of this script. */
+ if (cmd->flags & CMD_WRITE) {
++ /* Deny writes if we're unale to persist. */
+ int deny_write_type = writeCommandsDeniedByDiskError();
+ if (server.lua_random_dirty && !server.lua_replicate_commands) {
+ luaPushError(lua,
+@@ -644,7 +649,14 @@
+ strerror(server.aof_last_write_errno));
+ luaPushError(lua, aof_write_err);
+ sdsfree(aof_write_err);
+- }
++ }
++ goto cleanup;
++ } else if (server.masterhost == NULL &&
++ server.repl_min_slaves_max_lag &&
++ server.repl_min_slaves_to_write &&
++ server.repl_good_slaves_count < server.repl_min_slaves_to_write)
++ {
++ luaPushError(lua, shared.noreplicaserr->ptr);
+ goto cleanup;
+ }
+ }
diff --git a/redis6.spec b/redis6.spec
index 4a8493f..0b6fddf 100644
--- a/redis6.spec
+++ b/redis6.spec
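Review bot: The new CVE-2022-24736.patch begins directly at `diff -Naru redis-6.0.11/src/scripting.c redis-6.0.11-new/src/scripting.c` with no header naming the upstream commit it was backported from, so the backport cannot be checked against its origin. That matters because the patch makes two separate changes: `lua_pop(lua, argc);` before the fake-client setup, and, in inner hunk `@@ -644,7 +649,14 @@`, a new `else if` branch that rejects script writes with `shared.noreplicaserr` when `server.repl_good_slaves_count < server.repl_min_slaves_to_write`. From this page alone it is not evident whether the second change belongs to the CVE fix or is an additional behaviour change, and the changelog entry does not mention it. I would add a short header above the `diff -Naru` line, for example `Origin: <upstream commit URL>` and `Subject: <upstream commit subject>`, stating why both changes are needed. The function these inner hunks patch starts and ends outside them.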
@@ -6,7 +6,7 @@
 %global Pname redis
 Name: redis6
 Version: 6.0.11
-Release: 6
+Release: 7
 Summary: A persistent key-value database
 License: BSD and MIT
 URL: https://redis.io
@@ -28,6 +28,7 @@ Patch0005: CVE-2021-32675.patch
 Patch0006: CVE-2021-41099.patch
 Patch0007: CVE-2021-32762.patch
 Patch0008: fix-help-info.patch
+Patch0009: CVE-2022-24736.patch
 BuildRequires: make gcc
 %if %{with tests}
 BuildRequires: procps-ng tcl
@@ -92,6 +93,7 @@ tar -xvf %{SOURCE10}
 %patch0005 -p1
 %patch0006 -p1
 %patch0007 -p1
+%patch0009 -p1
 %endif
 %patch0008 -p1
 mv ../%{Pname}-doc-%{doc_commit} doc
@@ -222,6 +224,9 @@ fi
 %{_docdir}/%{Pname}
 
 %changelog
+* Tue May 17 2022 yangweidong - 6.0.11-7
+- Fix help info
+
 * Mon Dec 06 2021 caodongxia - 6.0.11-6
 - Fix help info
 
-- 
Gitee

From 18398bcc50bd15f03b42101c94e5a9d3aaff2d4e Mon Sep 17 00:00:00 2001
From: yangweidong
Date: Thu, 19 May 2022 09:18:30 +0800
Subject: [PATCH 2/3] fix CVE-2022-24736

---
 redis6.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/redis6.spec b/redis6.spec
index 0b6fddf..b1077df 100644
--- a/redis6.spec
+++ b/redis6.spec
@@ -225,7 +225,7 @@ fi
 
 %changelog
 * Tue May 17 2022 yangweidong - 6.0.11-7
-- Fix help info
+- Fix CVE-2022-24736
 
 * Mon Dec 06 2021 caodongxia - 6.0.11-6
 - Fix help info
-- 
Gitee

From c3357375316d90f4fce70dba3ab68f96c2634da5 Mon Sep 17 00:00:00 2001
From: yangweidong
Date: Thu, 19 May 2022 10:34:42 +0800
Subject: [PATCH 3/3] fix CVE-2022-24736

---
 CVE-2022-24736.patch | 22 ++++++++++------------
 redis6.spec | 2 +-
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/CVE-2022-24736.patch b/CVE-2022-24736.patch
index bf7350c..da234a7 100644
--- a/CVE-2022-24736.patch
+++ b/CVE-2022-24736.patch
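Review bot: In the `@@ -92,6 +93,7 @@` hunk of redis6.spec (patch 1/3), `%patch0009 -p1` is added directly above `%endif`, so the CVE-2022-24736 fix is applied only when the enclosing `%if` is true; that `%if` opens outside the hunk, while `%patch0008 -p1` just below the `%endif` is applied unconditionally. If the condition can be false for any shipped build, the package would still carry `Release: 7` and the changelog entry without the fix. Please confirm the condition always holds for release builds, or move the line below the `%endif` so the sequence reads `%endif`, `%patch0008 -p1`, `%patch0009 -p1`.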
@@ -1,17 +1,17 @@
 diff -Naru redis-6.0.11/src/scripting.c redis-6.0.11-new/src/scripting.c
 --- redis-6.0.11/src/scripting.c 2021-02-23 07:35:37.000000000 +0800
-+++ redis-6.0.11-new/src/scripting.c 2022-05-17 15:04:04.498095000 +0800
-@@ -558,6 +558,10 @@
- inuse--;
++++ redis-6.0.11-new/src/scripting.c 2022-05-19 10:04:29.828225000 +0800
+@@ -559,6 +559,10 @@
  return raise_error ? luaRaiseError(lua) : 1;
  }
-+
+ 
 + /* Pop all arguments from the stack, we do not need them anymore
 + * and this way we guaranty we will have room on the stack for the result. */
 + lua_pop(lua, argc);
- 
++
  /* Setup our fake client for command execution */
  c->argv = argv;
+ c->argc = argc;
 @@ -624,6 +628,7 @@
  * command marked as non-deterministic was already called in the context
  * of this script. */
@@ -20,19 +20,17 @@ diff -Naru redis-6.0.11/src/scripting.c redis-6.0.11-new/src/scripting.c
  int deny_write_type = writeCommandsDeniedByDiskError();
  if (server.lua_random_dirty && !server.lua_replicate_commands) {
  luaPushError(lua,
-@@ -644,7 +649,14 @@
- strerror(server.aof_last_write_errno));
- luaPushError(lua, aof_write_err);
+@@ -646,6 +651,13 @@
  sdsfree(aof_write_err);
-- }
-+ }
-+ goto cleanup;
+ }
+ goto cleanup;
 + } else if (server.masterhost == NULL &&
 + server.repl_min_slaves_max_lag &&
 + server.repl_min_slaves_to_write &&
 + server.repl_good_slaves_count < server.repl_min_slaves_to_write)
 + {
 + luaPushError(lua, shared.noreplicaserr->ptr);
- goto cleanup;
++ goto cleanup;
  }
  }
+ 
diff --git a/redis6.spec b/redis6.spec
index b1077df..2840101 100644
--- a/redis6.spec
+++ b/redis6.spec
@@ -224,7 +224,7 @@ fi
 %{_docdir}/%{Pname}
 
 %changelog
-* Tue May 17 2022 yangweidong - 6.0.11-7
+* Thu May 19 2022 yangweidong - 6.0.11-7
 - Fix CVE-2022-24736
 
 * Mon Dec 06 2021 caodongxia - 6.0.11-6
-- 
Gitee