From 5c6d9241e5d58f1816ec0bb3dde3ca57d50fb604 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 15 May 2023 10:52:22 +0800
Subject: [PATCH] Fix CVE-2023-28856
---
CVE-2023-28856.patch | 49 ++++++++++++++++++++++++++++++++++++++++++++
redis.spec | 9 ++++++--
2 files changed, 56 insertions(+), 2 deletions(-)
create mode 100644 CVE-2023-28856.patch
diff --git a/CVE-2023-28856.patch b/CVE-2023-28856.patch
new file mode 100644
index 0000000..43ceb81
--- /dev/null
+++ b/CVE-2023-28856.patch
@@ -0,0 +1,49 @@
+From c924ac3fdf8fe544891dc66c88018e259ee4be87 Mon Sep 17 00:00:00 2001
+From: chendianqiang
+Date: Sun, 28 Aug 2022 16:33:41 +0800
+Subject: [PATCH] fix hincrbyfloat not to create a key if the new value is
+ invalid (#11149)
+
+Check the validity of the value before performing the create operation,
+prevents new data from being generated even if the request fails to execute.
+
+Co-authored-by: Oran Agra
+Co-authored-by: chendianqiang
+Co-authored-by: Binbin
+(cherry picked from commit bc7fe41e5857a0854d524e2a63a028e9394d2a5c)
+(cherry picked from commit 606a385935363ea46c0df4f40f8a949d85f7a20a)
+(cherry picked from commit 7df23a5f51488ce002411c9d24b38520ad67b764)
+---
+ src/t_hash.c | 4 ++++
+ tests/unit/type/hash.tcl | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/src/t_hash.c b/src/t_hash.c
+index 3cdfdd169abf..13e65502f145 100644
+--- a/src/t_hash.c
++++ b/src/t_hash.c
+@@ -605,6 +605,10 @@ void hincrbyfloatCommand(client *c) {
+ unsigned int vlen;
+
+ if (getLongDoubleFromObjectOrReply(c,c->argv[3],&incr,NULL) != C_OK) return;
++ if (isnan(incr) || isinf(incr)) {
++ addReplyError(c,"value is NaN or Infinity");
++ return;
++ }
+ if ((o = hashTypeLookupWriteOrCreate(c,c->argv[1])) == NULL) return;
+ if (hashTypeGetValue(o,c->argv[2]->ptr,&vstr,&vlen,&ll) == C_OK) {
+ if (vstr) {
+diff --git a/tests/unit/type/hash.tcl b/tests/unit/type/hash.tcl
+index 9f8a21b1ce11..931662989d82 100644
+--- a/tests/unit/type/hash.tcl
++++ b/tests/unit/type/hash.tcl
+@@ -540,4 +540,9 @@ start_server {tags {"hash"}} {
+ assert {[r hincrbyfloat myhash float -0.1] eq {1.9}}
+ }
+ }
++
++ test {HINCRBYFLOAT does not allow NaN or Infinity} {
++ assert_error "*value is NaN or Infinity*" {r hincrbyfloat hfoo field +inf}
++ assert_equal 0 [r exists hfoo]
++ }
+ }
diff --git a/redis.spec b/redis.spec
index 28e144e..e2785fa 100644
--- a/redis.spec
+++ b/redis.spec
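Review bot: The guard added in `hincrbyfloatCommand` (embedded `src/t_hash.c` hunk) checks only the parsed `incr`, and nothing visible here shows that the sum computed later in the function is also rejected when it becomes NaN or infinite. Since this is a backport onto 4.0.14 and the function body continues outside the hunk, please confirm the 4.0.14 source has an equivalent check after the addition; if it does not, add one before the new value is stored, along the lines of `if (isnan(value) || isinf(value)) { addReplyError(c,"increment would produce NaN or Infinity"); return; }` (variable name assumed from upstream, verify against the tree). The added Tcl test covers only `+inf` on a missing key; cases for `-inf` and for a non-finite result on an existing field would pin the behaviour the CVE fix relies on. A short comment above the new guard, such as `/* reject non-finite increments before the key is created, so a failed request leaves no empty hash behind */`, would record why the check has to precede `hashTypeLookupWriteOrCreate`.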
@@ -1,6 +1,6 @@ Name: redis Version: 4.0.14 -Release: 3 +Release: 4 Summary: A persistent key-value database License: BSD and MIT URL: https://redis.io @@ -21,6 +21,7 @@ Patch0009: CVE-2021-29478.patch Patch0010: CVE-2021-32672.patch Patch0011: redis-4.0.14-sw.patch Patch0012: CVE-2022-36021.patch +Patch0013: CVE-2023-28856.patch BuildRequires: systemd gcc Requires: /bin/awk @@ -52,6 +53,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s %patch0011 -p1 %endif %patch0012 -p1 +%patch0013 -p1 sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf @@ -109,8 +111,11 @@ exit 0 %{_unitdir}/%{name}-sentinel.service %changelog +* Mon May 15 2023 yaoxin - 4.0.14-4 +- Fix CVE-2023-28856 + * Mon Mar 27 2023 wushaozheng - 4.0.14-3 -- Fix CVE-2022-36021.patch +- Fix CVE-2022-36021 * Wed Oct 26 2022 wuzx - 4.0.14-2 - Add sw64 architecture -- Gitee