redis: fix CVE-2024-46981

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-46981 Upstream-patch: https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-02-04 12:25:27 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-02-09 07:55:20 -0800
commit: d9340d705d8f01beb4e935dbdc20ddfde98e784b (patch)
tree: 8f7f7f42f34e81355b11f14368ff05fd5ece691e
parent: 654ba2447cd14b4998edb63dc3722efb8d78fd56 (diff)
download: meta-openembedded-d9340d705d8f01beb4e935dbdc20ddfde98e784b.tar.gz
4 files changed, 73 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-46981.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-46981.patch
new file mode 100644
index 0000000000..870ef71f52
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-46981.patch
@@ -0,0 +1,32 @@
+From e344b2b5879aa52870e6838212dfb78b7968fcbf Mon Sep 17 00:00:00 2001
+From: YaacovHazan <yaacov.hazan@redis.com>
+Date: Sun, 15 Dec 2024 21:33:11 +0200
+Subject: [PATCH] Fix LUA garbage collector (CVE-2024-46981) 
+Reset GC state before closing the lua VM to prevent user data 
+to be wrongly freed while still might be used on destructor callbacks.
+CVE: CVE-2024-46981
+Upstream-Status: Backport [https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/eval.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/src/eval.c b/src/eval.c
+index 8190856..a562335 100644
+--- a/src/eval.c
+++ b/src/eval.c
+@@ -273,6 +273,7 @@ void scriptingRelease(int async) {
+     else
+         dictRelease(lctx.lua_scripts);
+     lctx.lua_scripts_mem = 0;
+    lua_gc(lctx.lua, LUA_GCCOLLECT, 0);
+     lua_close(lctx.lua);
+ }
+ 
+-- 
+2.40.0
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch
new file mode 100644
index 0000000000..c02dd21271
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch
@@ -0,0 +1,39 @@
+From e344b2b5879aa52870e6838212dfb78b7968fcbf Mon Sep 17 00:00:00 2001
+From: YaacovHazan <yaacov.hazan@redis.com>
+Date: Sun, 15 Dec 2024 21:33:11 +0200
+Subject: [PATCH] Fix LUA garbage collector (CVE-2024-46981)
+Reset GC state before closing the lua VM to prevent user data
+to be wrongly freed while still might be used on destructor callbacks.
+Conflicts:
+Since luaCtx lctx structure  introduced in later versions [1]
+used already existed redisServer server structure.
+Reference:
+[1] https://github.com/redis/redis/commit/e0cd580aefe13e49df802fec5135e4f22d46e758
+CVE: CVE-2024-46981
+Upstream-Status: Backport [https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/scripting.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/src/scripting.c b/src/scripting.c
+index 9b926e8..656d4dd 100644
+--- a/src/scripting.c
+++ b/src/scripting.c
+@@ -1467,6 +1467,7 @@ void scriptingRelease(int async) {
+     else
+         dictRelease(server.lua_scripts);
+     server.lua_scripts_mem = 0;
+    lua_gc(server.lua, LUA_GCCOLLECT, 0);
+     lua_close(server.lua);
+ }
+ 
+-- 
+2.40.0
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
index a13dfdbe45..0fdd3da327 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://CVE-2023-45145.patch \
           file://CVE-2024-31228.patch \
           file://CVE-2024-31449.patch \
+           file://CVE-2024-46981.patch \
           "
 SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index fa1716a192..3535da9664 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://CVE-2024-31227.patch \
           file://CVE-2024-31228.patch \
           file://CVE-2024-31449.patch \
+           file://CVE-2024-46981.patch \
           "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
author	Divya Chellam <divya.chellam@windriver.com>	2025-02-04 12:25:27 +0000
committer	Armin Kuster <akuster808@gmail.com>	2025-02-09 07:55:20 -0800
commit	d9340d705d8f01beb4e935dbdc20ddfde98e784b (patch)
tree	8f7f7f42f34e81355b11f14368ff05fd5ece691e
parent	654ba2447cd14b4998edb63dc3722efb8d78fd56 (diff)
download	meta-openembedded-d9340d705d8f01beb4e935dbdc20ddfde98e784b.tar.gz

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-46981.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-46981.patch new file mode 100644 index 0000000000..870ef71f52 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-46981.patch
@@ -0,0 +1,32 @@
		1	From e344b2b5879aa52870e6838212dfb78b7968fcbf Mon Sep 17 00:00:00 2001
		2	From: YaacovHazan <yaacov.hazan@redis.com>
		3	Date: Sun, 15 Dec 2024 21:33:11 +0200
		4	Subject: [PATCH] Fix LUA garbage collector (CVE-2024-46981)
		5
		6	Reset GC state before closing the lua VM to prevent user data
		7	to be wrongly freed while still might be used on destructor callbacks.
		8
		9	CVE: CVE-2024-46981
		10
		11	Upstream-Status: Backport [https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf]
		12
		13	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		14	---
		15	src/eval.c \| 1 +
		16	1 file changed, 1 insertion(+)
		17
		18	diff --git a/src/eval.c b/src/eval.c
		19	index 8190856..a562335 100644
		20	--- a/src/eval.c
		21	+++ b/src/eval.c
		22	@@ -273,6 +273,7 @@ void scriptingRelease(int async) {
		23	else
		24	dictRelease(lctx.lua_scripts);
		25	lctx.lua_scripts_mem = 0;
		26	+ lua_gc(lctx.lua, LUA_GCCOLLECT, 0);
		27	lua_close(lctx.lua);
		28	}
		29
		30	--
		31	2.40.0
		32


diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch new file mode 100644 index 0000000000..c02dd21271 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/CVE-2024-46981.patch
@@ -0,0 +1,39 @@
		1	From e344b2b5879aa52870e6838212dfb78b7968fcbf Mon Sep 17 00:00:00 2001
		2	From: YaacovHazan <yaacov.hazan@redis.com>
		3	Date: Sun, 15 Dec 2024 21:33:11 +0200
		4	Subject: [PATCH] Fix LUA garbage collector (CVE-2024-46981)
		5
		6	Reset GC state before closing the lua VM to prevent user data
		7	to be wrongly freed while still might be used on destructor callbacks.
		8
		9	Conflicts:
		10	Since luaCtx lctx structure introduced in later versions [1]
		11	used already existed redisServer server structure.
		12
		13	Reference:
		14	[1] https://github.com/redis/redis/commit/e0cd580aefe13e49df802fec5135e4f22d46e758
		15
		16	CVE: CVE-2024-46981
		17
		18	Upstream-Status: Backport [https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf]
		19
		20	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		21	---
		22	src/scripting.c \| 1 +
		23	1 file changed, 1 insertion(+)
		24
		25	diff --git a/src/scripting.c b/src/scripting.c
		26	index 9b926e8..656d4dd 100644
		27	--- a/src/scripting.c
		28	+++ b/src/scripting.c
		29	@@ -1467,6 +1467,7 @@ void scriptingRelease(int async) {
		30	else
		31	dictRelease(server.lua_scripts);
		32	server.lua_scripts_mem = 0;
		33	+ lua_gc(server.lua, LUA_GCCOLLECT, 0);
		34	lua_close(server.lua);
		35	}
		36
		37	--
		38	2.40.0
		39


diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb index a13dfdbe45..0fdd3da327 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
19	file://CVE-2023-45145.patch \	19	file://CVE-2023-45145.patch \
20	file://CVE-2024-31228.patch \	20	file://CVE-2024-31228.patch \
21	file://CVE-2024-31449.patch \	21	file://CVE-2024-31449.patch \
		22	file://CVE-2024-46981.patch \
22	"	23	"
23	SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"	24	SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"
24		25


diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index fa1716a192..3535da9664 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
21	file://CVE-2024-31227.patch \	21	file://CVE-2024-31227.patch \
22	file://CVE-2024-31228.patch \	22	file://CVE-2024-31228.patch \
23	file://CVE-2024-31449.patch \	23	file://CVE-2024-31449.patch \
		24	file://CVE-2024-46981.patch \
24	"	25	"
25	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"	26	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
26		27