redis: Fix CVE-2025-46819

Upstream-Status: Backport from https://github.com/redis/redis/commit/2802b52b554cb9f0f249a24474c9fba94e933dbb Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-10-16 15:40:19 +0530
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-10-17 10:51:27 +0200
commit: e44b4561a9970612cc195ac613dcfea98222f416 (patch)
tree: 3d731f3cff28589a675066d4654e67e5b376188a
parent: abe7f83cc6316818b31d44022ad50fa94117300f (diff)
download: meta-openembedded-e44b4561a9970612cc195ac613dcfea98222f416.tar.gz
2 files changed, 162 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch
new file mode 100644
index 0000000000..8f30cce7df
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch
@@ -0,0 +1,161 @@
+From 2802b52b554cb9f0f249a24474c9fba94e933dbb Mon Sep 17 00:00:00 2001
+From: Ozan Tezcan <ozantezcan@gmail.com>
+Date: Mon, 23 Jun 2025 12:11:31 +0300
+Subject: [PATCH] LUA out-of-bound read (CVE-2025-46819)
+Upstream-Status: Backport [https://github.com/redis/redis/commit/2802b52b554cb9f0f249a24474c9fba94e933dbb]
+CVE: CVE-2025-46819
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ deps/lua/src/llex.c      | 34 ++++++++++++++++++-----------
+ tests/unit/scripting.tcl | 47 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 13 deletions(-)
+diff --git a/deps/lua/src/llex.c b/deps/lua/src/llex.c
+index 88c6790..efad709 100644
+--- a/deps/lua/src/llex.c
+++ b/deps/lua/src/llex.c
+@@ -138,6 +138,7 @@ static void inclinenumber (LexState *ls) {
+ 
+ 
+ void luaX_setinput (lua_State *L, LexState *ls, ZIO *z, TString *source) {
+  ls->t.token = 0;
+   ls->decpoint = '.';
+   ls->L = L;
+   ls->lookahead.token = TK_EOS;  /* no look-ahead token */
+@@ -206,9 +207,13 @@ static void read_numeral (LexState *ls, SemInfo *seminfo) {
+     trydecpoint(ls, seminfo); /* try to update decimal point separator */
+ }
+ 
+-
+-static int skip_sep (LexState *ls) {
+-  int count = 0;
+/*
+** reads a sequence '[=*[' or ']=*]', leaving the last bracket.
+** If a sequence is well-formed, return its number of '='s + 2; otherwise,
+** return 1 if there is no '='s or 0 otherwise (an unfinished '[==...').
+*/
+static size_t skip_sep (LexState *ls) {
+  size_t count = 0;
+   int s = ls->current;
+   lua_assert(s == '[' || s == ']');
+   save_and_next(ls);
+@@ -216,11 +221,13 @@ static int skip_sep (LexState *ls) {
+     save_and_next(ls);
+     count++;
+   }
+-  return (ls->current == s) ? count : (-count) - 1;
+   return (ls->current == s) ? count + 2
+          : (count == 0) ? 1
+          : 0;
+ }
+ 
+ 
+-static void read_long_string (LexState *ls, SemInfo *seminfo, int sep) {
+static void read_long_string (LexState *ls, SemInfo *seminfo, size_t sep) {
+   int cont = 0;
+   (void)(cont);  /* avoid warnings when `cont' is not used */
+   save_and_next(ls);  /* skip 2nd `[' */
+@@ -270,8 +277,8 @@ static void read_long_string (LexState *ls, SemInfo *seminfo, int sep) {
+     }
+   } endloop:
+   if (seminfo)
+-    seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + (2 + sep),
+-                                     luaZ_bufflen(ls->buff) - 2*(2 + sep));
+    seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + sep,
+                                     luaZ_bufflen(ls->buff) - 2 * sep);
+ }
+ 
+ 
+@@ -346,9 +353,9 @@ static int llex (LexState *ls, SemInfo *seminfo) {
+         /* else is a comment */
+         next(ls);
+         if (ls->current == '[') {
+-          int sep = skip_sep(ls);
+          size_t sep = skip_sep(ls);
+           luaZ_resetbuffer(ls->buff);  /* `skip_sep' may dirty the buffer */
+-          if (sep >= 0) {
+          if (sep >= 2) {
+             read_long_string(ls, NULL, sep);  /* long comment */
+             luaZ_resetbuffer(ls->buff);
+             continue;
+@@ -360,13 +367,14 @@ static int llex (LexState *ls, SemInfo *seminfo) {
+         continue;
+       }
+       case '[': {
+-        int sep = skip_sep(ls);
+-        if (sep >= 0) {
+        size_t sep = skip_sep(ls);
+        if (sep >= 2) {
+           read_long_string(ls, seminfo, sep);
+           return TK_STRING;
+         }
+-        else if (sep == -1) return '[';
+-        else luaX_lexerror(ls, "invalid long string delimiter", TK_STRING);
+        else if (sep == 0)  /* '[=...' missing second bracket */
+          luaX_lexerror(ls, "invalid long string delimiter", TK_STRING);
+        return '[';
+       }
+       case '=': {
+         next(ls);
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index 58f2028..2ff0d44 100644
+--- a/tests/unit/scripting.tcl
+++ b/tests/unit/scripting.tcl
+@@ -1070,6 +1070,53 @@ start_server {tags {"scripting"}} {
+     } {*Script attempted to access nonexistent global variable 'print'*}
+ }
+ 
+# start a new server to test the large-memory tests
+start_server {tags {"scripting external:skip large-memory"}} {
+
+    test {EVAL - JSON string encoding a string larger than 2GB} {
+        run_script {
+            local s = string.rep("a", 1024 * 1024 * 1024)
+            return #cjson.encode(s..s..s)
+        } 0
+    } {3221225474} ;# length includes two double quotes at both ends
+
+    test {EVAL - Test long escape sequences for strings} {
+        run_script {
+            -- Generate 1gb '==...==' separator
+            local s = string.rep('=', 1024 * 1024)
+            local t = {} for i=1,1024 do t[i] = s end
+            local sep = table.concat(t)
+            collectgarbage('collect')
+
+            local code = table.concat({'return [',sep,'[x]',sep,']'})
+            collectgarbage('collect')
+
+            -- Load the code and run it. Script will return the string length.
+            -- Escape sequence: [=....=[ to ]=...=] will be ignored
+            -- Actual string is a single character: 'x'. Script will return 1
+            local func = loadstring(code)
+            return #func()
+        } 0
+    } {1}
+
+    test {EVAL - Lua can parse string with too many new lines} {
+        # Create a long string consisting only of newline characters. When Lua
+        # fails to parse a string, it typically includes a snippet like
+        # "... near ..." in the error message to indicate the last recognizable
+        # token. In this test, since the input contains only newlines, there
+        # should be no identifiable token, so the error message should contain
+        # only the actual error, without a near clause.
+
+        run_script {
+           local s = string.rep('\n', 1024 * 1024)
+           local t = {} for i=1,2048 do t[#t+1] = s end
+           local lines = table.concat(t)
+           local fn, err = loadstring(lines)
+           return err
+        } 0
+    } {*chunk has too many lines}
+}
+
+ # Start a new server to test lua-enable-deprecated-api config
+ foreach enabled {no yes} {
+ start_server [subst {tags {"scripting external:skip"} overrides {lua-enable-deprecated-api $enabled}}] {
+-- 
+2.25.1
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index be4e90564d..295dc0e429 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://CVE-2025-48367.patch \
           file://CVE-2025-46817.patch \
           file://CVE-2025-46818.patch \
+           file://CVE-2025-46819.patch \
           "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-10-16 15:40:19 +0530
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-10-17 10:51:27 +0200
commit	e44b4561a9970612cc195ac613dcfea98222f416 (patch)
tree	3d731f3cff28589a675066d4654e67e5b376188a
parent	abe7f83cc6316818b31d44022ad50fa94117300f (diff)
download	meta-openembedded-e44b4561a9970612cc195ac613dcfea98222f416.tar.gz

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch new file mode 100644 index 0000000000..8f30cce7df --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch
@@ -0,0 +1,161 @@
		1	From 2802b52b554cb9f0f249a24474c9fba94e933dbb Mon Sep 17 00:00:00 2001
		2	From: Ozan Tezcan <ozantezcan@gmail.com>
		3	Date: Mon, 23 Jun 2025 12:11:31 +0300
		4	Subject: [PATCH] LUA out-of-bound read (CVE-2025-46819)
		5
		6	Upstream-Status: Backport [https://github.com/redis/redis/commit/2802b52b554cb9f0f249a24474c9fba94e933dbb]
		7	CVE: CVE-2025-46819
		8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		9	---
		10	deps/lua/src/llex.c \| 34 ++++++++++++++++++-----------
		11	tests/unit/scripting.tcl \| 47 ++++++++++++++++++++++++++++++++++++++++
		12	2 files changed, 68 insertions(+), 13 deletions(-)
		13
		14	diff --git a/deps/lua/src/llex.c b/deps/lua/src/llex.c
		15	index 88c6790..efad709 100644
		16	--- a/deps/lua/src/llex.c
		17	+++ b/deps/lua/src/llex.c
		18	@@ -138,6 +138,7 @@ static void inclinenumber (LexState *ls) {
		19
		20
		21	void luaX_setinput (lua_State L, LexState ls, ZIO z, TString source) {
		22	+ ls->t.token = 0;
		23	ls->decpoint = '.';
		24	ls->L = L;
		25	ls->lookahead.token = TK_EOS; /* no look-ahead token */
		26	@@ -206,9 +207,13 @@ static void read_numeral (LexState ls, SemInfo seminfo) {
		27	trydecpoint(ls, seminfo); /* try to update decimal point separator */
		28	}
		29
		30	-
		31	-static int skip_sep (LexState *ls) {
		32	- int count = 0;
		33	+/*
		34	+** reads a sequence '[=[' or ']=]', leaving the last bracket.
		35	+** If a sequence is well-formed, return its number of '='s + 2; otherwise,
		36	+** return 1 if there is no '='s or 0 otherwise (an unfinished '[==...').
		37	+*/
		38	+static size_t skip_sep (LexState *ls) {
		39	+ size_t count = 0;
		40	int s = ls->current;
		41	lua_assert(s == '[' \|\| s == ']');
		42	save_and_next(ls);
		43	@@ -216,11 +221,13 @@ static int skip_sep (LexState *ls) {
		44	save_and_next(ls);
		45	count++;
		46	}
		47	- return (ls->current == s) ? count : (-count) - 1;
		48	+ return (ls->current == s) ? count + 2
		49	+ : (count == 0) ? 1
		50	+ : 0;
		51	}
		52
		53
		54	-static void read_long_string (LexState ls, SemInfo seminfo, int sep) {
		55	+static void read_long_string (LexState ls, SemInfo seminfo, size_t sep) {
		56	int cont = 0;
		57	(void)(cont); /* avoid warnings when `cont' is not used */
		58	save_and_next(ls); /* skip 2nd `[' */
		59	@@ -270,8 +277,8 @@ static void read_long_string (LexState ls, SemInfo seminfo, int sep) {
		60	}
		61	} endloop:
		62	if (seminfo)
		63	- seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + (2 + sep),
		64	- luaZ_bufflen(ls->buff) - 2*(2 + sep));
		65	+ seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + sep,
		66	+ luaZ_bufflen(ls->buff) - 2 * sep);
		67	}
		68
		69
		70	@@ -346,9 +353,9 @@ static int llex (LexState ls, SemInfo seminfo) {
		71	/* else is a comment */
		72	next(ls);
		73	if (ls->current == '[') {
		74	- int sep = skip_sep(ls);
		75	+ size_t sep = skip_sep(ls);
		76	luaZ_resetbuffer(ls->buff); /* `skip_sep' may dirty the buffer */
		77	- if (sep >= 0) {
		78	+ if (sep >= 2) {
		79	read_long_string(ls, NULL, sep); /* long comment */
		80	luaZ_resetbuffer(ls->buff);
		81	continue;
		82	@@ -360,13 +367,14 @@ static int llex (LexState ls, SemInfo seminfo) {
		83	continue;
		84	}
		85	case '[': {
		86	- int sep = skip_sep(ls);
		87	- if (sep >= 0) {
		88	+ size_t sep = skip_sep(ls);
		89	+ if (sep >= 2) {
		90	read_long_string(ls, seminfo, sep);
		91	return TK_STRING;
		92	}
		93	- else if (sep == -1) return '[';
		94	- else luaX_lexerror(ls, "invalid long string delimiter", TK_STRING);
		95	+ else if (sep == 0) /* '[=...' missing second bracket */
		96	+ luaX_lexerror(ls, "invalid long string delimiter", TK_STRING);
		97	+ return '[';
		98	}
		99	case '=': {
		100	next(ls);
		101	diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
		102	index 58f2028..2ff0d44 100644
		103	--- a/tests/unit/scripting.tcl
		104	+++ b/tests/unit/scripting.tcl
		105	@@ -1070,6 +1070,53 @@ start_server {tags {"scripting"}} {
		106	} {Script attempted to access nonexistent global variable 'print'}
		107	}
		108
		109	+# start a new server to test the large-memory tests
		110	+start_server {tags {"scripting external:skip large-memory"}} {
		111	+
		112	+ test {EVAL - JSON string encoding a string larger than 2GB} {
		113	+ run_script {
		114	+ local s = string.rep("a", 1024 * 1024 * 1024)
		115	+ return #cjson.encode(s..s..s)
		116	+ } 0
		117	+ } {3221225474} ;# length includes two double quotes at both ends
		118	+
		119	+ test {EVAL - Test long escape sequences for strings} {
		120	+ run_script {
		121	+ -- Generate 1gb '==...==' separator
		122	+ local s = string.rep('=', 1024 * 1024)
		123	+ local t = {} for i=1,1024 do t[i] = s end
		124	+ local sep = table.concat(t)
		125	+ collectgarbage('collect')
		126	+
		127	+ local code = table.concat({'return [',sep,'[x]',sep,']'})
		128	+ collectgarbage('collect')
		129	+
		130	+ -- Load the code and run it. Script will return the string length.
		131	+ -- Escape sequence: [=....=[ to ]=...=] will be ignored
		132	+ -- Actual string is a single character: 'x'. Script will return 1
		133	+ local func = loadstring(code)
		134	+ return #func()
		135	+ } 0
		136	+ } {1}
		137	+
		138	+ test {EVAL - Lua can parse string with too many new lines} {
		139	+ # Create a long string consisting only of newline characters. When Lua
		140	+ # fails to parse a string, it typically includes a snippet like
		141	+ # "... near ..." in the error message to indicate the last recognizable
		142	+ # token. In this test, since the input contains only newlines, there
		143	+ # should be no identifiable token, so the error message should contain
		144	+ # only the actual error, without a near clause.
		145	+
		146	+ run_script {
		147	+ local s = string.rep('\n', 1024 * 1024)
		148	+ local t = {} for i=1,2048 do t[#t+1] = s end
		149	+ local lines = table.concat(t)
		150	+ local fn, err = loadstring(lines)
		151	+ return err
		152	+ } 0
		153	+ } {*chunk has too many lines}
		154	+}
		155	+
		156	# Start a new server to test lua-enable-deprecated-api config
		157	foreach enabled {no yes} {
		158	start_server [subst {tags {"scripting external:skip"} overrides {lua-enable-deprecated-api $enabled}}] {
		159	--
		160	2.25.1
		161


diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index be4e90564d..295dc0e429 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
29	file://CVE-2025-48367.patch \	29	file://CVE-2025-48367.patch \
30	file://CVE-2025-46817.patch \	30	file://CVE-2025-46817.patch \
31	file://CVE-2025-46818.patch \	31	file://CVE-2025-46818.patch \
		32	file://CVE-2025-46819.patch \
32	"	33	"
33	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"	34	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
34		35