redis: fix CVE-2024-31449

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-31449 Upstream-patches: https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9 https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-01-31 12:51:00 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-02-09 07:55:17 -0800
commit: 654ba2447cd14b4998edb63dc3722efb8d78fd56 (patch)
tree: f72629d79dcff74153424be0946a031f6c7ace07
parent: 42df84dcf334714336fe90fa92d59f7786802a39 (diff)
download: meta-openembedded-654ba2447cd14b4998edb63dc3722efb8d78fd56.tar.gz
4 files changed, 100 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31449.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31449.patch
new file mode 100644
index 0000000000..1e8ef7be2e
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31449.patch
@@ -0,0 +1,49 @@
+From fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Wed, 2 Oct 2024 19:54:06 +0300
+Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449)
+INT_MIN value must be explicitly checked, and cannot be negated.
+CVE: CVE-2024-31449
+Upstream-Status: Backport [https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ deps/lua/src/lua_bit.c   | 1 +
+ tests/unit/scripting.tcl | 6 ++++++
+ 2 files changed, 7 insertions(+)
+diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
+index 9f83b85..7e43fae 100644
+--- a/deps/lua/src/lua_bit.c
+++ b/deps/lua/src/lua_bit.c
+@@ -132,6 +132,7 @@ static int bit_tohex(lua_State *L)
+   const char *hexdigits = "0123456789abcdef";
+   char buf[8];
+   int i;
+  if (n == INT32_MIN) n = INT32_MIN+1;
+   if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
+   if (n > 8) n = 8;
+   for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index 4b65131..cdc6dc4 100644
+--- a/tests/unit/scripting.tcl
+++ b/tests/unit/scripting.tcl
+@@ -590,6 +590,12 @@ start_server {tags {"scripting"}} {
+         set e
+     } {ERR *Attempt to modify a readonly table*}
+ 
+    test {lua bit.tohex bug} {
+        set res [run_script {return bit.tohex(65535, -2147483648)} 0]
+        r ping
+        set res
+    } {0000FFFF}
+
+     test {Test an example script DECR_IF_GT} {
+         set decr_if_gt {
+             local current
+-- 
+2.40.0
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch
new file mode 100644
index 0000000000..5004cd5ab6
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch
@@ -0,0 +1,49 @@
+From 1f7c148be2cbacf7d50aa461c58b871e87cc5ed9 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Wed, 2 Oct 2024 19:54:06 +0300
+Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449)
+INT_MIN value must be explicitly checked, and cannot be negated.
+CVE: CVE-2024-31449
+Upstream-Status: Backport [https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ deps/lua/src/lua_bit.c   | 1 +
+ tests/unit/scripting.tcl | 6 ++++++
+ 2 files changed, 7 insertions(+)
+diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
+index 690df7d..a459ca9 100644
+--- a/deps/lua/src/lua_bit.c
+++ b/deps/lua/src/lua_bit.c
+@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L)
+   const char *hexdigits = "0123456789abcdef";
+   char buf[8];
+   int i;
+  if (n == INT32_MIN) n = INT32_MIN+1;
+   if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
+   if (n > 8) n = 8;
+   for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index 9f5ee77..5e2a7f8 100644
+--- a/tests/unit/scripting.tcl
+++ b/tests/unit/scripting.tcl
+@@ -406,6 +406,12 @@ start_server {tags {"scripting"}} {
+         set e
+     } {ERR*Attempt to modify a readonly table*}
+ 
+    test {lua bit.tohex bug} {
+        set res [r eval {return bit.tohex(65535, -2147483648)} 0]
+        r ping
+        set res
+    } {0000FFFF}
+
+     test {Test an example script DECR_IF_GT} {
+         set decr_if_gt {
+             local current
+-- 
+2.40.0
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
index bea98100a7..a13dfdbe45 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://0006-Define-correct-gregs-for-RISCV32.patch \
           file://CVE-2023-45145.patch \
           file://CVE-2024-31228.patch \
+           file://CVE-2024-31449.patch \
           "
 SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index 249f002a1b..fa1716a192 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://CVE-2023-45145.patch \
           file://CVE-2024-31227.patch \
           file://CVE-2024-31228.patch \
+           file://CVE-2024-31449.patch \
           "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
author	Divya Chellam <divya.chellam@windriver.com>	2025-01-31 12:51:00 +0000
committer	Armin Kuster <akuster808@gmail.com>	2025-02-09 07:55:17 -0800
commit	654ba2447cd14b4998edb63dc3722efb8d78fd56 (patch)
tree	f72629d79dcff74153424be0946a031f6c7ace07
parent	42df84dcf334714336fe90fa92d59f7786802a39 (diff)
download	meta-openembedded-654ba2447cd14b4998edb63dc3722efb8d78fd56.tar.gz

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31449.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31449.patch new file mode 100644 index 0000000000..1e8ef7be2e --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31449.patch
@@ -0,0 +1,49 @@
		1	From fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 Mon Sep 17 00:00:00 2001
		2	From: Oran Agra <oran@redislabs.com>
		3	Date: Wed, 2 Oct 2024 19:54:06 +0300
		4	Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449)
		5
		6	INT_MIN value must be explicitly checked, and cannot be negated.
		7
		8	CVE: CVE-2024-31449
		9
		10	Upstream-Status: Backport [https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71]
		11
		12	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		13	---
		14	deps/lua/src/lua_bit.c \| 1 +
		15	tests/unit/scripting.tcl \| 6 ++++++
		16	2 files changed, 7 insertions(+)
		17
		18	diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
		19	index 9f83b85..7e43fae 100644
		20	--- a/deps/lua/src/lua_bit.c
		21	+++ b/deps/lua/src/lua_bit.c
		22	@@ -132,6 +132,7 @@ static int bit_tohex(lua_State *L)
		23	const char *hexdigits = "0123456789abcdef";
		24	char buf[8];
		25	int i;
		26	+ if (n == INT32_MIN) n = INT32_MIN+1;
		27	if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
		28	if (n > 8) n = 8;
		29	for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
		30	diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
		31	index 4b65131..cdc6dc4 100644
		32	--- a/tests/unit/scripting.tcl
		33	+++ b/tests/unit/scripting.tcl
		34	@@ -590,6 +590,12 @@ start_server {tags {"scripting"}} {
		35	set e
		36	} {ERR Attempt to modify a readonly table}
		37
		38	+ test {lua bit.tohex bug} {
		39	+ set res [run_script {return bit.tohex(65535, -2147483648)} 0]
		40	+ r ping
		41	+ set res
		42	+ } {0000FFFF}
		43	+
		44	test {Test an example script DECR_IF_GT} {
		45	set decr_if_gt {
		46	local current
		47	--
		48	2.40.0
		49


diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch new file mode 100644 index 0000000000..5004cd5ab6 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/CVE-2024-31449.patch
@@ -0,0 +1,49 @@
		1	From 1f7c148be2cbacf7d50aa461c58b871e87cc5ed9 Mon Sep 17 00:00:00 2001
		2	From: Oran Agra <oran@redislabs.com>
		3	Date: Wed, 2 Oct 2024 19:54:06 +0300
		4	Subject: [PATCH] Fix lua bit.tohex (CVE-2024-31449)
		5
		6	INT_MIN value must be explicitly checked, and cannot be negated.
		7
		8	CVE: CVE-2024-31449
		9
		10	Upstream-Status: Backport [https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9]
		11
		12	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		13	---
		14	deps/lua/src/lua_bit.c \| 1 +
		15	tests/unit/scripting.tcl \| 6 ++++++
		16	2 files changed, 7 insertions(+)
		17
		18	diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
		19	index 690df7d..a459ca9 100644
		20	--- a/deps/lua/src/lua_bit.c
		21	+++ b/deps/lua/src/lua_bit.c
		22	@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L)
		23	const char *hexdigits = "0123456789abcdef";
		24	char buf[8];
		25	int i;
		26	+ if (n == INT32_MIN) n = INT32_MIN+1;
		27	if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
		28	if (n > 8) n = 8;
		29	for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
		30	diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
		31	index 9f5ee77..5e2a7f8 100644
		32	--- a/tests/unit/scripting.tcl
		33	+++ b/tests/unit/scripting.tcl
		34	@@ -406,6 +406,12 @@ start_server {tags {"scripting"}} {
		35	set e
		36	} {ERRAttempt to modify a readonly table}
		37
		38	+ test {lua bit.tohex bug} {
		39	+ set res [r eval {return bit.tohex(65535, -2147483648)} 0]
		40	+ r ping
		41	+ set res
		42	+ } {0000FFFF}
		43	+
		44	test {Test an example script DECR_IF_GT} {
		45	set decr_if_gt {
		46	local current
		47	--
		48	2.40.0
		49


diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb index bea98100a7..a13dfdbe45 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
18	file://0006-Define-correct-gregs-for-RISCV32.patch \	18	file://0006-Define-correct-gregs-for-RISCV32.patch \
19	file://CVE-2023-45145.patch \	19	file://CVE-2023-45145.patch \
20	file://CVE-2024-31228.patch \	20	file://CVE-2024-31228.patch \
		21	file://CVE-2024-31449.patch \
21	"	22	"
22	SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"	23	SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"
23		24


diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index 249f002a1b..fa1716a192 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
20	file://CVE-2023-45145.patch \	20	file://CVE-2023-45145.patch \
21	file://CVE-2024-31227.patch \	21	file://CVE-2024-31227.patch \
22	file://CVE-2024-31228.patch \	22	file://CVE-2024-31228.patch \
		23	file://CVE-2024-31449.patch \
23	"	24	"
24	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"	25	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
25		26