From 06dcc2f2509346102e52a50f5a998798af3544eb Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Thu, 5 Jun 2025 15:36:28 +0800
Subject: [PATCH] Fix CVE-2025-49112
(cherry picked from commit 92e62a841e5c88b9c3fbbecbd6d189671dddc26a)
---
 CVE-2025-49112.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++
 redis.spec | 9 ++++++--
 2 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2025-49112.patch
diff --git a/CVE-2025-49112.patch b/CVE-2025-49112.patch
new file mode 100644
index 0000000..6ef2a57
--- /dev/null
+++ b/CVE-2025-49112.patch
@@ -0,0 +1,50 @@
+From 374718b2a365ca69f715d542709b7d71540b1387 Mon Sep 17 00:00:00 2001
+From: Zeroday BYTE
+Date: Mon, 26 May 2025 18:57:00 +0700
+Subject: [PATCH] Fix unsigned difference expression compared to zero (#2101)
+
+Origin: https://github.com/valkey-io/valkey/commit/374718b2a365ca69f715d542709b7d71540b1387
+
+https://github.com/valkey-io/valkey/blob/daea05b1e26db29bfd1c033e27f9d519a2f8ccbb/src/networking.c#L886-L886
+
+Fix the issue need to ensure that the subtraction `prev->size -
+prev->used` does not underflow. This can be achieved by explicitly
+checking that `prev->used` is less than `prev->size` before performing
+the subtraction. This approach avoids relying on unsigned arithmetic and
+ensures the logic is clear and robust.
+
+The specific changes are:
+1. Replace the condition `prev->size - prev->used > 0` with `prev->used
+< prev->size`.
+2. This change ensures that the logic checks whether there is remaining
+space in the buffer without risking underflow.
+
+**References**
+[INT02-C. Understand integer conversion
+rules](https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules)
+[CWE-191](https://cwe.mitre.org/data/definitions/191.html)
+
+
+---
+
+Signed-off-by: Zeroday BYTE
+---
+ src/networking.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/networking.c b/src/networking.c
+index eb0b389..860fd89 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -780,7 +780,7 @@ void setDeferredReply(client *c, void *node, const char *s, size_t length) {
+ * - It has enough room already allocated
+ * - And not too large (avoid large memmove) */
+ if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) &&
+- prev->size - prev->used > 0)
++ prev->used < prev->size)
+ {
+ size_t len_to_copy = prev->size - prev->used;
+ if (len_to_copy > length)
+--
+2.49.0
+
diff --git a/redis.spec b/redis.spec
index 3a8edc5..45f2605 100644
--- a/redis.spec
+++ b/redis.spec
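Review bot: The embedded change `prev->used < prev->size` is the right shape of guard, because the old `prev->size - prev->used > 0` is an unsigned subtraction that wraps to a huge value whenever `used` exceeds `size`, and the very next line computes `size_t len_to_copy = prev->size - prev->used;` from that same difference, so a wrap would have produced an oversized copy length; a comment above the condition such as `/* compare, do not subtract: an unsigned underflow here would make len_to_copy huge */` would keep that intent visible in the backported tree. The nested hunk stops after `if (len_to_copy > length)`, inside setDeferredReply, so the clamp and the copy that consumes `len_to_copy` are outside this view and could not be checked here. The upstream commit is from Valkey's `src/networking.c` (the description even cites line 886 of a Valkey blob while the hunk is at `@@ -780,7 +780,7 @@`), and it is being applied to Redis 7.2.9 by the spec's `%patch -P0003 -p1`, so it is worth confirming the context lines apply without fuzz against the 7.2.9 sources rather than landing on a different `prev->size - prev->used` comparison.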
@@ -7,7 +7,7 @@ Name: redis
 Version: 7.2.9
-Release: 1
+Release: 2
 Summary: A persistent key-value database
 # redis, hiredis: BSD-3-Clause
 # hdrhistogram, jemalloc, lzf, linenoise: BSD-2-Clause
@@ -24,7 +24,8 @@ Source5: macros.%{name}
 Source6: https://github.com/%{name}/%{name}-doc/archive/%{doc_commit}/%{name}-doc-%{short_doc_commit}.tar.gz
 # https://github.com/redis/redis/pull/3491 - man pages
 Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
-Patch0002: 0002-add-sw_64-support.patch
+Patch0002: 0002-add-sw_64-support.patch
+Patch0003: CVE-2025-49112.patch
 BuildRequires: systemd
 BuildRequires: systemd-devel
@@ -51,6 +52,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 mv ../%{name}-doc-%{doc_commit} doc
 %patch -P0001 -p1
 %patch -P0002 -p1
+%patch -P0003 -p1
 mv deps/lua/COPYRIGHT COPYRIGHT-lua
 mv deps/jemalloc/COPYING COPYING-jemalloc
@@ -194,6 +196,9 @@ exit 0
 %{_docdir}/%{name}
 %changelog
+* Thu Jun 05 2025 wangkai <13474090681@163.com> - 7.2.9-2
+- Fix CVE-2025-49112
+
 * Wed May 28 2025 Funda Wang - 7.2.9-1
 - update to 7.2.9 to fix CVE-2025-27151
-- Gitee
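Review bot: In the `@@ -24,7 +24,8 @@` hunk the `Patch0002: 0002-add-sw_64-support.patch` line is removed and re-added with no visible textual difference, which appears to be a whitespace or alignment-only edit folded into a CVE fix; keeping that line byte-identical (or realigning it in a separate commit) would reduce the security diff to the new `Patch0003: CVE-2025-49112.patch` entry and its `%patch -P0003 -p1` application, which is easier to audit. The new entry and its `%patch` line follow the existing Patch0001/Patch0002 convention in the file, and the changelog entry names the CVE, which is what tooling that matches `rpm -q --changelog` against advisories relies on.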