From 0961f69175b086da1f7c13292926a51d0a0df7c1 Mon Sep 17 00:00:00 2001
From: lizhipeng <lizhipeng@kylinos.cn>
Date: Wed, 8 Oct 2025 00:19:48 +0800
Subject: [PATCH] fix CVE-2025-49844

Signed-off-by: lizhipeng <lizhipeng@kylinos.cn>
---
 fix-CVE-2025-49844.patch | 35 +++++++++++++++++++++++++++++++++++
 redis.spec               |  6 +++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 fix-CVE-2025-49844.patch

diff --git a/fix-CVE-2025-49844.patch b/fix-CVE-2025-49844.patch
new file mode 100644
index 0000000..2029dfb
--- /dev/null
+++ b/fix-CVE-2025-49844.patch
@@ -0,0 +1,35 @@
+From d5728cb5795c966c5b5b1e0f0ac576a7e69af539 Mon Sep 17 00:00:00 2001
+From: Mincho Paskalev <minchopaskal@gmail.com>
+Date: Mon, 23 Jun 2025 11:41:37 +0300
+Subject: [PATCH] Lua script may lead to remote code execution (CVE-2025-49844)
+
+---
+ deps/lua/src/lparser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/deps/lua/src/lparser.c b/deps/lua/src/lparser.c
+index dda7488dc..ee7d90c90 100644
+--- a/deps/lua/src/lparser.c
++++ b/deps/lua/src/lparser.c
+@@ -384,13 +384,17 @@ Proto *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff, const char *name) {
+   struct LexState lexstate;
+   struct FuncState funcstate;
+   lexstate.buff = buff;
+-  luaX_setinput(L, &lexstate, z, luaS_new(L, name));
++  TString *tname = luaS_new(L, name);
++  setsvalue2s(L, L->top, tname);
++  incr_top(L);
++  luaX_setinput(L, &lexstate, z, tname);
+   open_func(&lexstate, &funcstate);
+   funcstate.f->is_vararg = VARARG_ISVARARG;  /* main func. is always vararg */
+   luaX_next(&lexstate);  /* read first token */
+   chunk(&lexstate);
+   check(&lexstate, TK_EOS);
+   close_func(&lexstate);
++  --L->top;
+   lua_assert(funcstate.prev == NULL);
+   lua_assert(funcstate.f->nups == 0);
+   lua_assert(lexstate.fs == NULL);
+-- 
+2.25.1
+
diff --git a/redis.spec b/redis.spec
index 6fd98f2..9988830 100644
--- a/redis.spec
+++ b/redis.spec
@@ -5,7 +5,7 @@
 
 Name:              redis
 Version:           8.2.1
-Release:           2
+Release:           3
 Summary:           A persistent key-value database
 License:           AGPL-3.0-only AND BSD-3-Clause AND BSD-2-Clause AND MIT AND BSL-1.0
 URL:               https://redis.io
@@ -23,6 +23,7 @@ Patch0000:         redis-conf.patch
 Patch0001:         0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
 Patch0002:         0002-add-sw_64-support.patch
 Patch0003:         CVE-2025-49112.patch
+Patch0004:         fix-CVE-2025-49844.patch
 
 BuildRequires:     systemd
 BuildRequires:     systemd-devel
@@ -203,6 +204,9 @@ install -p -D -m 0644 %{S:8} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 %{_docdir}/%{name}
 
 %changelog
+* Wed Oct 8 2025 lizhipeng <lizhipeng@kylinos.cn> - 8.2.1-3
+- fix CVE-2025-49844 
+
 * Thu Sep 11 2025 Funda Wang <fundawang@yeah.net> - 8.2.1-2
 - include rundir in package
 
-- 
Gitee