diff --git a/CVE-2023-45145.patch b/CVE-2023-45145.patch new file mode 100644 index 0000000000000000000000000000000000000000..7f0882c058a5e169f01d1bea90b653dc223346ad --- /dev/null +++ b/CVE-2023-45145.patch @@ -0,0 +1,66 @@ +From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001 +From: Yossi Gottlieb +Date: Wed, 11 Oct 2023 22:45:34 +0300 +Subject: [PATCH] Fix issue of listen before chmod on Unix sockets + (CVE-2023-45145) + +Before this commit, Unix socket setup performed chmod(2) on the socket +file after calling listen(2). Depending on what umask is used, this +could leave the file with the wrong permissions for a short period of +time. As a result, another process could exploit this race condition and +establish a connection that would otherwise not be possible. + +We now make sure the socket permissions are set up prior to calling +listen(2). + +(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42) +--- + src/anet.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/anet.c b/src/anet.c +index a121c27..91f6171 100644 +--- a/src/anet.c ++++ b/src/anet.c +@@ -397,13 +397,16 @@ int anetUnixGenericConnect(char *err, const char *path, int flags) + return s; + } + +-static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog) { ++static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog, mode_t perm) { + if (bind(s,sa,len) == -1) { + anetSetError(err, "bind: %s", strerror(errno)); + close(s); + return ANET_ERR; + } + ++ if (sa->sa_family == AF_LOCAL && perm) ++ chmod(((struct sockaddr_un *) sa)->sun_path, perm); ++ + if (listen(s, backlog) == -1) { + anetSetError(err, "listen: %s", strerror(errno)); + close(s); +@@ -447,7 +450,7 @@ static int _anetTcpServer(char *err, int port, char *bindaddr, int af, int backl + + if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error; + if (anetSetReuseAddr(err,s) == ANET_ERR) goto error; +- if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR; ++ if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR; + goto end; + } + if (p == NULL) { +@@ -484,10 +487,8 @@ int anetUnixServer(char *err, char *path, mode_t perm, int backlog) + memset(&sa,0,sizeof(sa)); + sa.sun_family = AF_LOCAL; + strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1); +- if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR) ++ if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR) + return ANET_ERR; +- if (perm) +- chmod(sa.sun_path, perm); + return s; + } + +-- +2.33.0 + diff --git a/redis6.spec b/redis6.spec index ea0ae4ca6ad42942e48144bd87c3c9cf7b4b1c41..06e3c2e48b910c780ca64b84b6542616a6ccbd6b 100644 --- a/redis6.spec +++ b/redis6.spec @@ -6,7 +6,7 @@ %global Pname redis Name: redis6 Version: 6.2.7 -Release: 3 +Release: 4 Summary: A persistent key-value database License: BSD and MIT URL: https://redis.io @@ -23,6 +23,7 @@ Patch0001: Modify-aarch64-architecture-jemalloc-page-size-from-from-4k Patch0003: Add-loongarch64-support.patch Patch0004: Update-config.guess-and-config.sub.patch Patch0005: add-sw_64-support.patch +Patch0006: CVE-2023-45145.patch BuildRequires: make gcc %if %{with tests} @@ -90,6 +91,7 @@ tar -xvf %{SOURCE10} %ifarch sw_64 %patch0005 -p1 %endif +%patch0006 -p1 mv ../%{Pname}-doc-%{doc_commit} doc mv deps/lua/COPYRIGHT COPYRIGHT-lua mv deps/jemalloc/COPYING COPYING-jemalloc @@ -218,6 +220,9 @@ fi %{_docdir}/%{Pname} %changelog +* Mon Dec 25 2023 liuhaipeng - 6.2.7-4 +- Fix CVE-2023-45145 + * Sat Aug 12 2023 panchenbo - 6.2.7-3 - add sw_64 support