diff --git a/CVE-2025-49112.patch b/CVE-2025-49112.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6ef2a573853b1d6f0a30d70b13b7448127f92aa6
--- /dev/null
+++ b/CVE-2025-49112.patch
@@ -0,0 +1,50 @@
+From 374718b2a365ca69f715d542709b7d71540b1387 Mon Sep 17 00:00:00 2001
+From: Zeroday BYTE
+Date: Mon, 26 May 2025 18:57:00 +0700
+Subject: [PATCH] Fix unsigned difference expression compared to zero (#2101)
+
+Origin: https://github.com/valkey-io/valkey/commit/374718b2a365ca69f715d542709b7d71540b1387
+
+https://github.com/valkey-io/valkey/blob/daea05b1e26db29bfd1c033e27f9d519a2f8ccbb/src/networking.c#L886-L886
+
+Fix the issue need to ensure that the subtraction `prev->size -
+prev->used` does not underflow. This can be achieved by explicitly
+checking that `prev->used` is less than `prev->size` before performing
+the subtraction. This approach avoids relying on unsigned arithmetic and
+ensures the logic is clear and robust.
+
+The specific changes are:
+1. Replace the condition `prev->size - prev->used > 0` with `prev->used
+< prev->size`.
+2. This change ensures that the logic checks whether there is remaining
+space in the buffer without risking underflow.
+
+**References**
+[INT02-C. Understand integer conversion
+rules](https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules)
+[CWE-191](https://cwe.mitre.org/data/definitions/191.html)
+
+
+---
+
+Signed-off-by: Zeroday BYTE
+---
+ src/networking.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/networking.c b/src/networking.c
+index eb0b389..860fd89 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -780,7 +780,7 @@ void setDeferredReply(client *c, void *node, const char *s, size_t length) {
+ * - It has enough room already allocated
+ * - And not too large (avoid large memmove) */
+ if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) &&
+- prev->size - prev->used > 0)
++ prev->used < prev->size)
+ {
+ size_t len_to_copy = prev->size - prev->used;
+ if (len_to_copy > length)
+--
+2.49.0
+
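Review bot: The patch header never mentions CVE-2025-49112 and gives a valkey commit as its only `Origin:`, so nothing here shows that the change was checked against the Redis 8.2.1 tree it is applied to; the message links to line 886 of valkey's networking.c while the hunk sits at line 780. A header line such as `Backport of the valkey fix to redis 8.2.1 src/networking.c for CVE-2025-49112` would make that traceable for later audits. On the code itself, the new guard `prev->used < prev->size` keeps `size_t len_to_copy = prev->size - prev->used` from wrapping when `used` exceeds `size`, a case the old `> 0` test on an unsigned difference let through. The body of setDeferredReply continues outside the inner hunk, so how `len_to_copy` is consumed after the `length` clamp cannot be confirmed from here.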
diff --git a/redis-8.2.1.tar.gz b/redis-8.2.1.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..bc9b03aefc3eddd30394d481d42639c13e1af368 --- /dev/null +++ b/redis-8.2.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e2c1cb9dd4180a35b943b85dfc7dcdd42566cdbceca37d0d0b14c21731582d3e +size 3897326 diff --git a/redis-8.2.2.tar.gz b/redis-8.2.2.tar.gz deleted file mode 100644 index 5f99746ea74eecc443b972cb90a49250fb249c85..0000000000000000000000000000000000000000 Binary files a/redis-8.2.2.tar.gz and /dev/null differ diff --git a/redis.spec b/redis.spec index 8ec0d780d28182473cfce41fb8efe58048df1ea0..6fd98f25508573d0bb34092890d60f0360d30c80 100644 --- a/redis.spec +++ b/redis.spec @@ -4,8 +4,8 @@ %global short_doc_commit %(c=%{doc_commit}; echo ${c:0:7}) Name: redis -Version: 8.2.2 -Release: 1 +Version: 8.2.1 +Release: 2 Summary: A persistent key-value database License: AGPL-3.0-only AND BSD-3-Clause AND BSD-2-Clause AND MIT AND BSL-1.0 URL: https://redis.io @@ -22,6 +22,7 @@ Patch0000: redis-conf.patch # https://github.com/redis/redis/pull/3491 - man pages Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch Patch0002: 0002-add-sw_64-support.patch +Patch0003: CVE-2025-49112.patch BuildRequires: systemd BuildRequires: systemd-devel @@ -202,9 +203,6 @@ install -p -D -m 0644 %{S:8} %{buildroot}%{_tmpfilesdir}/%{name}.conf %{_docdir}/%{name} %changelog -* Wed Oct 8 2025 lizhipeng - 8.2.2-1 -- update to 8.2.2 - * Thu Sep 11 2025 Funda Wang - 8.2.1-2 - include rundir in package
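Review bot: `Release: 2` on `Version: 8.2.1` reuses a version-release that the changelog already assigns to an earlier build (`* Thu Sep 11 2025 Funda Wang - 8.2.1-2`, visible as context in the last redis.spec hunk), and no `%changelog` entry records the `Patch0003: CVE-2025-49112.patch` added in the second hunk. A build with the security patch and one without it would then be indistinguishable by name-version-release; use `Release: 3` and add an entry such as `- fix CVE-2025-49112`. The version also moves backwards from 8.2.2, so hosts that already have 8.2.2-1 installed would not pick this package up as an update unless an Epoch is set outside the visible lines, and whatever 8.2.2 fixed upstream is dropped; both are worth confirming before merge.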