redis: fix CVE-2023-45145

Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory. Reference: https://security-tracker.debian.org/tracker/CVE-2023-45145 Upstream-patch: https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-01-31 12:50:57 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-02-09 07:55:09 -0800
commit: 19592ce1c4d9883645e5c4866a2a94cfcd332d03 (patch)
tree: ede4d1c39b9248dc5dff7f48a82473ffcc278168
parent: 6bd4846b0bb266618b02be650c6cdd4b2a4f6b7b (diff)
download: meta-openembedded-19592ce1c4d9883645e5c4866a2a94cfcd332d03.tar.gz
4 files changed, 146 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-45145.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-45145.patch
new file mode 100644
index 0000000000..aab1bbfeb0
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-45145.patch
@@ -0,0 +1,72 @@
+From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001
+From: Yossi Gottlieb <yossigo@gmail.com>
+Date: Wed, 11 Oct 2023 22:45:34 +0300
+Subject: [PATCH] Fix issue of listen before chmod on Unix sockets 
+ (CVE-2023-45145)
+Before this commit, Unix socket setup performed chmod(2) on the socket
+file after calling listen(2). Depending on what umask is used, this
+could leave the file with the wrong permissions for a short period of
+time. As a result, another process could exploit this race condition and
+establish a connection that would otherwise not be possible.
+We now make sure the socket permissions are set up prior to calling
+listen(2).
+(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42)
+CVE: CVE-2023-45145
+Upstream-Status: Backport [https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/anet.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+diff --git a/src/anet.c b/src/anet.c
+index 4ea201d..10840fc 100644
+--- a/src/anet.c
+++ b/src/anet.c
+@@ -407,13 +407,16 @@ int anetUnixGenericConnect(char *err, const char *path, int flags)
+     return s;
+ }
+ 
+-static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog) {
+static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog, mode_t perm) {
+     if (bind(s,sa,len) == -1) {
+         anetSetError(err, "bind: %s", strerror(errno));
+         close(s);
+         return ANET_ERR;
+     }
+ 
+    if (sa->sa_family == AF_LOCAL && perm)
+        chmod(((struct sockaddr_un *) sa)->sun_path, perm);
+
+     if (listen(s, backlog) == -1) {
+         anetSetError(err, "listen: %s", strerror(errno));
+         close(s);
+@@ -457,7 +460,7 @@ static int _anetTcpServer(char *err, int port, char *bindaddr, int af, int backl
+ 
+         if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error;
+         if (anetSetReuseAddr(err,s) == ANET_ERR) goto error;
+-        if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR;
+        if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR;
+         goto end;
+     }
+     if (p == NULL) {
+@@ -498,10 +501,8 @@ int anetUnixServer(char *err, char *path, mode_t perm, int backlog)
+     memset(&sa,0,sizeof(sa));
+     sa.sun_family = AF_LOCAL;
+     strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1);
+-    if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR)
+    if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR)
+         return ANET_ERR;
+-    if (perm)
+-        chmod(sa.sun_path, perm);
+     return s;
+ }
+ 
+-- 
+2.40.0
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch b/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch
new file mode 100644
index 0000000000..f132deb83a
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch
@@ -0,0 +1,72 @@
+From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001
+From: Yossi Gottlieb <yossigo@gmail.com>
+Date: Wed, 11 Oct 2023 22:45:34 +0300
+Subject: [PATCH] Fix issue of listen before chmod on Unix sockets 
+ (CVE-2023-45145)
+Before this commit, Unix socket setup performed chmod(2) on the socket
+file after calling listen(2). Depending on what umask is used, this
+could leave the file with the wrong permissions for a short period of
+time. As a result, another process could exploit this race condition and
+establish a connection that would otherwise not be possible.
+We now make sure the socket permissions are set up prior to calling
+listen(2).
+(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42)
+CVE: CVE-2023-45145
+Upstream-Status: Backport [https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/anet.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+diff --git a/src/anet.c b/src/anet.c
+index a121c27..91f6171 100644
+--- a/src/anet.c
+++ b/src/anet.c
+@@ -397,13 +397,16 @@ int anetUnixGenericConnect(char *err, const char *path, int flags)
+     return s;
+ }
+ 
+-static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog) {
+static int anetListen(char *err, int s, struct sockaddr *sa, socklen_t len, int backlog, mode_t perm) {
+     if (bind(s,sa,len) == -1) {
+         anetSetError(err, "bind: %s", strerror(errno));
+         close(s);
+         return ANET_ERR;
+     }
+ 
+    if (sa->sa_family == AF_LOCAL && perm)
+        chmod(((struct sockaddr_un *) sa)->sun_path, perm);
+
+     if (listen(s, backlog) == -1) {
+         anetSetError(err, "listen: %s", strerror(errno));
+         close(s);
+@@ -447,7 +450,7 @@ static int _anetTcpServer(char *err, int port, char *bindaddr, int af, int backl
+ 
+         if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error;
+         if (anetSetReuseAddr(err,s) == ANET_ERR) goto error;
+-        if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR;
+        if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR;
+         goto end;
+     }
+     if (p == NULL) {
+@@ -484,10 +487,8 @@ int anetUnixServer(char *err, char *path, mode_t perm, int backlog)
+     memset(&sa,0,sizeof(sa));
+     sa.sun_family = AF_LOCAL;
+     strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1);
+-    if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR)
+    if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR)
+         return ANET_ERR;
+-    if (perm)
+-        chmod(sa.sun_path, perm);
+     return s;
+ }
+ 
+-- 
+2.40.0
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
index 3ed6867816..52dcffedb8 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://0001-src-Do-not-reset-FINAL_LIBS.patch \
           file://GNU_SOURCE.patch \
           file://0006-Define-correct-gregs-for-RISCV32.patch \
+           file://CVE-2023-45145.patch \
           "
 SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index dc5f9b7a89..caccf01f64 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://GNU_SOURCE-7.patch \
           file://0006-Define-correct-gregs-for-RISCV32.patch \
           file://CVE-2023-41056.patch \
+           file://CVE-2023-45145.patch \
           "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
author	Divya Chellam <divya.chellam@windriver.com>	2025-01-31 12:50:57 +0000
committer	Armin Kuster <akuster808@gmail.com>	2025-02-09 07:55:09 -0800
commit	19592ce1c4d9883645e5c4866a2a94cfcd332d03 (patch)
tree	ede4d1c39b9248dc5dff7f48a82473ffcc278168
parent	6bd4846b0bb266618b02be650c6cdd4b2a4f6b7b (diff)
download	meta-openembedded-19592ce1c4d9883645e5c4866a2a94cfcd332d03.tar.gz

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-45145.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-45145.patch new file mode 100644 index 0000000000..aab1bbfeb0 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-45145.patch
@@ -0,0 +1,72 @@
		1	From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001
		2	From: Yossi Gottlieb <yossigo@gmail.com>
		3	Date: Wed, 11 Oct 2023 22:45:34 +0300
		4	Subject: [PATCH] Fix issue of listen before chmod on Unix sockets
		5	(CVE-2023-45145)
		6
		7	Before this commit, Unix socket setup performed chmod(2) on the socket
		8	file after calling listen(2). Depending on what umask is used, this
		9	could leave the file with the wrong permissions for a short period of
		10	time. As a result, another process could exploit this race condition and
		11	establish a connection that would otherwise not be possible.
		12
		13	We now make sure the socket permissions are set up prior to calling
		14	listen(2).
		15
		16	(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42)
		17
		18	CVE: CVE-2023-45145
		19
		20	Upstream-Status: Backport [https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc]
		21
		22	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		23	---
		24	src/anet.c \| 11 ++++++-----
		25	1 file changed, 6 insertions(+), 5 deletions(-)
		26
		27	diff --git a/src/anet.c b/src/anet.c
		28	index 4ea201d..10840fc 100644
		29	--- a/src/anet.c
		30	+++ b/src/anet.c
		31	@@ -407,13 +407,16 @@ int anetUnixGenericConnect(char err, const char path, int flags)
		32	return s;
		33	}
		34
		35	-static int anetListen(char err, int s, struct sockaddr sa, socklen_t len, int backlog) {
		36	+static int anetListen(char err, int s, struct sockaddr sa, socklen_t len, int backlog, mode_t perm) {
		37	if (bind(s,sa,len) == -1) {
		38	anetSetError(err, "bind: %s", strerror(errno));
		39	close(s);
		40	return ANET_ERR;
		41	}
		42
		43	+ if (sa->sa_family == AF_LOCAL && perm)
		44	+ chmod(((struct sockaddr_un *) sa)->sun_path, perm);
		45	+
		46	if (listen(s, backlog) == -1) {
		47	anetSetError(err, "listen: %s", strerror(errno));
		48	close(s);
		49	@@ -457,7 +460,7 @@ static int _anetTcpServer(char err, int port, char bindaddr, int af, int backl
		50
		51	if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error;
		52	if (anetSetReuseAddr(err,s) == ANET_ERR) goto error;
		53	- if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR;
		54	+ if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR;
		55	goto end;
		56	}
		57	if (p == NULL) {
		58	@@ -498,10 +501,8 @@ int anetUnixServer(char err, char path, mode_t perm, int backlog)
		59	memset(&sa,0,sizeof(sa));
		60	sa.sun_family = AF_LOCAL;
		61	strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1);
		62	- if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR)
		63	+ if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR)
		64	return ANET_ERR;
		65	- if (perm)
		66	- chmod(sa.sun_path, perm);
		67	return s;
		68	}
		69
		70	--
		71	2.40.0
		72


diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch b/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch new file mode 100644 index 0000000000..f132deb83a --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/CVE-2023-45145.patch
@@ -0,0 +1,72 @@
		1	From 7f486ea6eebf0afce74f2e59763b9b82b78629dc Mon Sep 17 00:00:00 2001
		2	From: Yossi Gottlieb <yossigo@gmail.com>
		3	Date: Wed, 11 Oct 2023 22:45:34 +0300
		4	Subject: [PATCH] Fix issue of listen before chmod on Unix sockets
		5	(CVE-2023-45145)
		6
		7	Before this commit, Unix socket setup performed chmod(2) on the socket
		8	file after calling listen(2). Depending on what umask is used, this
		9	could leave the file with the wrong permissions for a short period of
		10	time. As a result, another process could exploit this race condition and
		11	establish a connection that would otherwise not be possible.
		12
		13	We now make sure the socket permissions are set up prior to calling
		14	listen(2).
		15
		16	(cherry picked from commit a11b3bc34a054818f2ac70e50adfc542ca1cba42)
		17
		18	CVE: CVE-2023-45145
		19
		20	Upstream-Status: Backport [https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc]
		21
		22	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		23	---
		24	src/anet.c \| 11 ++++++-----
		25	1 file changed, 6 insertions(+), 5 deletions(-)
		26
		27	diff --git a/src/anet.c b/src/anet.c
		28	index a121c27..91f6171 100644
		29	--- a/src/anet.c
		30	+++ b/src/anet.c
		31	@@ -397,13 +397,16 @@ int anetUnixGenericConnect(char err, const char path, int flags)
		32	return s;
		33	}
		34
		35	-static int anetListen(char err, int s, struct sockaddr sa, socklen_t len, int backlog) {
		36	+static int anetListen(char err, int s, struct sockaddr sa, socklen_t len, int backlog, mode_t perm) {
		37	if (bind(s,sa,len) == -1) {
		38	anetSetError(err, "bind: %s", strerror(errno));
		39	close(s);
		40	return ANET_ERR;
		41	}
		42
		43	+ if (sa->sa_family == AF_LOCAL && perm)
		44	+ chmod(((struct sockaddr_un *) sa)->sun_path, perm);
		45	+
		46	if (listen(s, backlog) == -1) {
		47	anetSetError(err, "listen: %s", strerror(errno));
		48	close(s);
		49	@@ -447,7 +450,7 @@ static int _anetTcpServer(char err, int port, char bindaddr, int af, int backl
		50
		51	if (af == AF_INET6 && anetV6Only(err,s) == ANET_ERR) goto error;
		52	if (anetSetReuseAddr(err,s) == ANET_ERR) goto error;
		53	- if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog) == ANET_ERR) s = ANET_ERR;
		54	+ if (anetListen(err,s,p->ai_addr,p->ai_addrlen,backlog,0) == ANET_ERR) s = ANET_ERR;
		55	goto end;
		56	}
		57	if (p == NULL) {
		58	@@ -484,10 +487,8 @@ int anetUnixServer(char err, char path, mode_t perm, int backlog)
		59	memset(&sa,0,sizeof(sa));
		60	sa.sun_family = AF_LOCAL;
		61	strncpy(sa.sun_path,path,sizeof(sa.sun_path)-1);
		62	- if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog) == ANET_ERR)
		63	+ if (anetListen(err,s,(struct sockaddr*)&sa,sizeof(sa),backlog,perm) == ANET_ERR)
		64	return ANET_ERR;
		65	- if (perm)
		66	- chmod(sa.sun_path, perm);
		67	return s;
		68	}
		69
		70	--
		71	2.40.0
		72


diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb index 3ed6867816..52dcffedb8 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
16	file://0001-src-Do-not-reset-FINAL_LIBS.patch \	16	file://0001-src-Do-not-reset-FINAL_LIBS.patch \
17	file://GNU_SOURCE.patch \	17	file://GNU_SOURCE.patch \
18	file://0006-Define-correct-gregs-for-RISCV32.patch \	18	file://0006-Define-correct-gregs-for-RISCV32.patch \
		19	file://CVE-2023-45145.patch \
19	"	20	"
20	SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"	21	SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"
21		22


diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index dc5f9b7a89..caccf01f64 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
17	file://GNU_SOURCE-7.patch \	17	file://GNU_SOURCE-7.patch \
18	file://0006-Define-correct-gregs-for-RISCV32.patch \	18	file://0006-Define-correct-gregs-for-RISCV32.patch \
19	file://CVE-2023-41056.patch \	19	file://CVE-2023-41056.patch \
		20	file://CVE-2023-45145.patch \
20	"	21	"
21	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"	22	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
22		23