From 1c10e006c154c5b25d7bd5c5f1ac67d89e64a8f7 Mon Sep 17 00:00:00 2001
From: fandeyuan
Date: Thu, 11 Dec 2025 20:44:32 +0800
Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449)

---
 backport-CVE-2024-31449.patch | 43 +++++++++++++++++++++++++++++++++++
 redis6.spec | 7 +++++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-31449.patch

diff --git a/backport-CVE-2024-31449.patch b/backport-CVE-2024-31449.patch
new file mode 100644
index 0000000..4da0a79
--- /dev/null
+++ b/backport-CVE-2024-31449.patch
@@ -0,0 +1,43 @@
+From 1f7c148be2cbacf7d50aa461c58b871e87cc5ed9 Mon Sep 17 00:00:00 2001
+From: Oran Agra
+Date: Wed, 2 Oct 2024 19:54:06 +0300
+Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449)
+
+INT_MIN value must be explicitly checked, and cannot be negated.
+---
+ deps/lua/src/lua_bit.c | 1 +
+ tests/unit/scripting.tcl | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
+index 690df7d..a459ca9 100644
+--- a/deps/lua/src/lua_bit.c
++++ b/deps/lua/src/lua_bit.c
+@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L)
+ const char *hexdigits = "0123456789abcdef";
+ char buf[8];
+ int i;
++ if (n == INT32_MIN) n = INT32_MIN+1;
+ if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
+ if (n > 8) n = 8;
+ for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index d5387d0..05e0bbb 100644
+--- a/tests/unit/scripting.tcl
++++ b/tests/unit/scripting.tcl
+@@ -431,6 +431,12 @@ start_server {tags {"scripting"}} {
+ set e
+ } {ERR*Attempt to modify a readonly table*}
+
++ test {lua bit.tohex bug} {
++ set res [r eval {return bit.tohex(65535, -2147483648)} 0]
++ r ping
++ set res
++ } {0000FFFF}
++
+ test {Test an example script DECR_IF_GT} {
+ set decr_if_gt {
+ local current
+--
+2.43.0
+
diff --git a/redis6.spec b/redis6.spec
index ba6922d..00f9fa4 100644
--- a/redis6.spec
+++ b/redis6.spec
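Review bot: The added guard `if (n == INT32_MIN) n = INT32_MIN+1;` in the lua_bit.c hunk of the embedded patch carries no explanation of why that single value is special, even though the `n = -n` on the very next line is exactly the signed negation that overflows for it; a one-line comment would stop a later backporter from treating the guard as dead code, e.g. `/* -INT32_MIN overflows (UB); clamp so the negation below stays defined */`. The clamp silently turns the request into the maximum 8 digits via the following `n > 8` check instead of raising a Lua error, which matches upstream's choice and stays within `buf[8]`. The declarations of `n` and `b` sit above the hunk, so the type of `n` (presumably a 32-bit signed value, given the `INT32_MIN` comparison) cannot be confirmed from here. The accompanying scripting.tcl test pins the `0000FFFF` result and follows it with `r ping` to check that the server is still alive after the call.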
@@ -6,7 +6,7 @@
 %global Pname redis
 Name: redis6
 Version: 6.2.7
-Release: 7
+Release: 8
 Summary: A persistent key-value database
 License: BSD and MIT
 URL: https://redis.io
@@ -32,6 +32,7 @@ Patch3003: backport-CVE-2025-49844.patch
 Patch3004: backport-CVE-2025-46817.patch
 Patch3005: backport-CVE-2025-46818.patch
 Patch3006: backport-CVE-2025-46819.patch
+Patch3007: backport-CVE-2024-31449.patch
 
 BuildRequires: make gcc
 %if %{with tests}
@@ -107,6 +108,7 @@ tar -xvf %{SOURCE10}
 %patch 3004 -p1
 %patch 3005 -p1
 %patch 3006 -p1
+%patch 3007 -p1
 
 mv ../%{Pname}-doc-%{doc_commit} doc
 mv deps/lua/COPYRIGHT COPYRIGHT-lua
@@ -236,6 +238,9 @@ fi
 %{_docdir}/%{Pname}
 
 %changelog
+* Thu Dec 11 2025 Deyuan Fan - 6.2.7-8
+- Fix CVE-2024-31449
+
 * Thu Dec 04 2025 jiangxinyu - 6.2.7-7
 - Fix CVE-2025-46818 CVE-2025-46819
 
-- 
Gitee