authorIsmael Luceno2019-05-30 00:01:52 +0200
committerIsmael Luceno2019-05-30 00:22:24 +0200
commit6117fad7afa52e7719518335749e237580fac5d9 (patch)
tree92622df16d7f6b8503f3659b8a03cdc1e5bf26e7 /database
parent1d47cc8f3c4d18cb434323f396c6641aa1ce0ba5 (diff)
redis 5.0.5
Diffstat (limited to 'database')
-rw-r--r--database/redis/CLIENT_MASTER.patch126
-rw-r--r--database/redis/CVE-2013-7458.patch44
-rwxr-xr-xdatabase/redis/DETAILS5
-rw-r--r--database/redis/HISTORY5
-rwxr-xr-xdatabase/redis/PRE_BUILD4
-rw-r--r--database/redis/TALOS-2016-0206.patch117
6 files changed, 7 insertions, 294 deletions
diff --git a/database/redis/CLIENT_MASTER.patch b/database/redis/CLIENT_MASTER.patch
deleted file mode 100644
index 4a762bc6a6..0000000000
--- a/database/redis/CLIENT_MASTER.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-Adapted from https://github.com/antirez/redis/commit/e6f39338e6464fb29f630120d8949b0d535e2e3f.patch
-
---- src/config.c.orig 2014-12-16 03:18:20.000000000 -0500
-+++ src/config.c 2016-09-30 16:25:06.586589235 -0400
-@@ -49,7 +49,7 @@
- {NULL, 0}
- };
-
--clientBufferLimitsConfig clientBufferLimitsDefaults[REDIS_CLIENT_TYPE_COUNT] = {
-+clientBufferLimitsConfig clientBufferLimitsDefaults[REDIS_CLIENT_TYPE_OBUF_COUNT] = {
- {0, 0, 0}, /* normal */
- {1024*1024*256, 1024*1024*64, 60}, /* slave */
- {1024*1024*32, 1024*1024*8, 60} /* pubsub */
-@@ -1105,13 +1105,13 @@
- sds buf = sdsempty();
- int j;
-
-- for (j = 0; j < REDIS_CLIENT_TYPE_COUNT; j++) {
-+ for (j = 0; j < REDIS_CLIENT_TYPE_OBUF_COUNT; j++) {
- buf = sdscatprintf(buf,"%s %llu %llu %ld",
- getClientTypeName(j),
- server.client_obuf_limits[j].hard_limit_bytes,
- server.client_obuf_limits[j].soft_limit_bytes,
- (long) server.client_obuf_limits[j].soft_limit_seconds);
-- if (j != REDIS_CLIENT_TYPE_COUNT-1)
-+ if (j != REDIS_CLIENT_TYPE_OBUF_COUNT-1)
- buf = sdscatlen(buf," ",1);
- }
- addReplyBulkCString(c,"client-output-buffer-limit");
-@@ -1526,7 +1526,7 @@
- int j;
- char *option = "client-output-buffer-limit";
-
-- for (j = 0; j < REDIS_CLIENT_TYPE_COUNT; j++) {
-+ for (j = 0; j < REDIS_CLIENT_TYPE_OBUF_COUNT; j++) {
- int force = (server.client_obuf_limits[j].hard_limit_bytes !=
- clientBufferLimitsDefaults[j].hard_limit_bytes) ||
- (server.client_obuf_limits[j].soft_limit_bytes !=
---- src/networking.c.orig 2014-12-16 03:18:20.000000000 -0500
-+++ src/networking.c 2016-09-30 16:37:53.980349749 -0400
-@@ -1526,12 +1526,13 @@
- * REDIS_CLIENT_TYPE_NORMAL -> Normal client
- * REDIS_CLIENT_TYPE_SLAVE -> Slave or client executing MONITOR command
- * REDIS_CLIENT_TYPE_PUBSUB -> Client subscribed to Pub/Sub channels
-+ * REDIS_CLIENT_TYPE_MASTER -> The client representing our replication master.
- */
- int getClientType(redisClient *c) {
-+ if (c->flags & REDIS_MASTER) return REDIS_CLIENT_TYPE_MASTER;
- if ((c->flags & REDIS_SLAVE) && !(c->flags & REDIS_MONITOR))
- return REDIS_CLIENT_TYPE_SLAVE;
-- if (c->flags & REDIS_PUBSUB)
-- return REDIS_CLIENT_TYPE_PUBSUB;
-+ if (c->flags & REDIS_PUBSUB) return REDIS_CLIENT_TYPE_PUBSUB;
- return REDIS_CLIENT_TYPE_NORMAL;
- }
-
-@@ -1539,6 +1540,7 @@
- if (!strcasecmp(name,"normal")) return REDIS_CLIENT_TYPE_NORMAL;
- else if (!strcasecmp(name,"slave")) return REDIS_CLIENT_TYPE_SLAVE;
- else if (!strcasecmp(name,"pubsub")) return REDIS_CLIENT_TYPE_PUBSUB;
-+ else if (!strcasecmp(name,"master")) return REDIS_CLIENT_TYPE_MASTER;
- else return -1;
- }
-
-@@ -1547,6 +1549,7 @@
- case REDIS_CLIENT_TYPE_NORMAL: return "normal";
- case REDIS_CLIENT_TYPE_SLAVE: return "slave";
- case REDIS_CLIENT_TYPE_PUBSUB: return "pubsub";
-+ case REDIS_CLIENT_TYPE_MASTER: return "master";
- default: return NULL;
- }
- }
-@@ -1562,6 +1565,10 @@
- unsigned long used_mem = getClientOutputBufferMemoryUsage(c);
-
- class = getClientType(c);
-+ /* For the purpose of output buffer limiting, masters are handled
-+ * like normal clients. */
-+ if (class == REDIS_CLIENT_TYPE_MASTER) class = REDIS_CLIENT_TYPE_NORMAL;
-+
- if (server.client_obuf_limits[class].hard_limit_bytes &&
- used_mem >= server.client_obuf_limits[class].hard_limit_bytes)
- hard = 1;
---- src/redis.h.orig 2014-12-16 03:18:20.000000000 -0500
-+++ src/redis.h 2016-09-30 16:29:11.324284488 -0400
-@@ -261,7 +261,10 @@
- #define REDIS_CLIENT_TYPE_NORMAL 0 /* Normal req-reply clients + MONITORs */
- #define REDIS_CLIENT_TYPE_SLAVE 1 /* Slaves. */
- #define REDIS_CLIENT_TYPE_PUBSUB 2 /* Clients subscribed to PubSub channels. */
--#define REDIS_CLIENT_TYPE_COUNT 3
-+#define REDIS_CLIENT_TYPE_MASTER 3 /* Master. */
-+#define REDIS_CLIENT_TYPE_OBUF_COUNT 3 /* Number of clients to expose to output
-+ buffer configuration. Just the first
-+ three: normal, slave, pubsub. */
-
- /* Slave replication state - from the point of view of the slave. */
- #define REDIS_REPL_NONE 0 /* No active replication */
-@@ -569,7 +572,7 @@
- time_t soft_limit_seconds;
- } clientBufferLimitsConfig;
-
--extern clientBufferLimitsConfig clientBufferLimitsDefaults[REDIS_CLIENT_TYPE_COUNT];
-+extern clientBufferLimitsConfig clientBufferLimitsDefaults[REDIS_CLIENT_TYPE_OBUF_COUNT];
-
- /* The redisOp structure defines a Redis Operation, that is an instance of
- * a command with an argument vector, database ID, propagation target
-@@ -685,7 +688,7 @@
- size_t client_max_querybuf_len; /* Limit for client query buffer length */
- int dbnum; /* Total number of configured DBs */
- int daemonize; /* True if running as a daemon */
-- clientBufferLimitsConfig client_obuf_limits[REDIS_CLIENT_TYPE_COUNT];
-+ clientBufferLimitsConfig client_obuf_limits[REDIS_CLIENT_TYPE_OBUF_COUNT];
- /* AOF persistence */
- int aof_state; /* REDIS_AOF_(ON|OFF|WAIT_REWRITE) */
- int aof_fsync; /* Kind of fsync() policy */
---- src/redis.c.orig 2014-12-16 03:18:20.000000000 -0500
-+++ src/redis.c 2016-09-30 16:28:51.135397850 -0400
-@@ -1419,7 +1419,7 @@
- server.repl_no_slaves_since = time(NULL);
-
- /* Client output buffer limits */
-- for (j = 0; j < REDIS_CLIENT_TYPE_COUNT; j++)
-+ for (j = 0; j < REDIS_CLIENT_TYPE_OBUF_COUNT; j++)
- server.client_obuf_limits[j] = clientBufferLimitsDefaults[j];
-
- /* Double constants initialization */
diff --git a/database/redis/CVE-2013-7458.patch b/database/redis/CVE-2013-7458.patch
deleted file mode 100644
index ce3d2e91d9..0000000000
--- a/database/redis/CVE-2013-7458.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 9d524114eda67dedc38a9f97c9d5f3a5c3747829 Mon Sep 17 00:00:00 2001
-From: antirez <antirez@gmail.com>
-Date: Fri, 29 Jul 2016 11:28:16 +0200
-Subject: [PATCH] Update linenoise to fix insecure redis-cli history file
- creation.
-
-The problem was fixed in antirez/linenoise repository applying a patch
-contributed by @lamby. Here the new version is updated in the Redis
-source tree.
-
-Close #1418
-Close #3322
----
- deps/linenoise/linenoise.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/deps/linenoise/linenoise.c b/deps/linenoise/linenoise.c
-index a807d9b..fce14a7 100644
---- a/deps/linenoise/linenoise.c
-+++ b/deps/linenoise/linenoise.c
-@@ -111,6 +111,7 @@
- #include <string.h>
- #include <stdlib.h>
- #include <ctype.h>
-+#include <sys/stat.h>
- #include <sys/types.h>
- #include <sys/ioctl.h>
- #include <unistd.h>
-@@ -1160,10 +1161,14 @@ int linenoiseHistorySetMaxLen(int len) {
- /* Save the history in the specified file. On success 0 is returned
- * otherwise -1 is returned. */
- int linenoiseHistorySave(const char *filename) {
-- FILE *fp = fopen(filename,"w");
-+ mode_t old_umask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
-+ FILE *fp;
- int j;
-
-+ fp = fopen(filename,"w");
-+ umask(old_umask);
- if (fp == NULL) return -1;
-+ chmod(filename,S_IRUSR|S_IWUSR);
- for (j = 0; j < history_len; j++)
- fprintf(fp,"%s\n",history[j]);
- fclose(fp);
diff --git a/database/redis/DETAILS b/database/redis/DETAILS
index 701cf5a138..e4e63cbcc9 100755
--- a/database/redis/DETAILS
+++ b/database/redis/DETAILS
@@ -1,10 +1,9 @@
SPELL=redis
- VERSION=2.8.19
+ VERSION=5.0.5
SECURITY_PATCH=2
- PATCHLEVEL=1
SOURCE=$SPELL-$VERSION.tar.gz
SOURCE_URL[0]=http://download.redis.io/releases/$SOURCE
- SOURCE_HASH=sha512:34997b45815cfdec9fbb06cd6664ed6ddf71baf064fd9ac155b7b969fd5945f78927cd5dfde83b043dc8ff1d7e35b172b9403cdf6115b8ca7bdf80c581ee9cdd
+ SOURCE_HASH=sha512:78215ec02b7184e05788c7a368146ea53095a877a0e09174b4c9f175aeb9ba9174023c19e33bf62e4513b848e1841538d398e7c0a651c5c947255c1691cb4586
SOURCE_DIRECTORY="$BUILD_DIRECTORY/$SPELL-$VERSION"
LICENSE[0]=BSD
WEB_SITE=http://redis.io/
diff --git a/database/redis/HISTORY b/database/redis/HISTORY
index 6946adc513..1077140157 100644
--- a/database/redis/HISTORY
+++ b/database/redis/HISTORY
@@ -1,3 +1,8 @@
+2019-05-30 Ismael Luceno <ismael@sourcemage.org>
+ * DETAILS: updated spell to 5.0.5
+ * CLIENT_MASTER.patch, CVE-2013-7458.patch, TALOS-2016-0206.patch,
+ PRE_BUILD: removed patches, not needed anymore
+
2017-06-03 Vlad Glagolev <stealth@sourcemage.org>
* DETAILS: PATCHLEVEL=1
* init.d/redis: use login environment for su to autoset limits
diff --git a/database/redis/PRE_BUILD b/database/redis/PRE_BUILD
index 8270734705..64efed583a 100755
--- a/database/redis/PRE_BUILD
+++ b/database/redis/PRE_BUILD
@@ -1,10 +1,6 @@
default_pre_build &&
cd "$SOURCE_DIRECTORY" &&
-patch -p1 < "${SPELL_DIRECTORY}/CVE-2013-7458.patch" &&
-patch -p0 < "${SPELL_DIRECTORY}/CLIENT_MASTER.patch" &&
-patch -p1 < "${SPELL_DIRECTORY}/TALOS-2016-0206.patch" &&
-
sedit "s:dir ./:dir /var/lib/redis:" redis.conf &&
if [[ $INIT_INSTALLED ]]; then
diff --git a/database/redis/TALOS-2016-0206.patch b/database/redis/TALOS-2016-0206.patch
deleted file mode 100644
index 0215f5e9a5..0000000000
--- a/database/redis/TALOS-2016-0206.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-Adapted from:
-
-From 6d9f8e2462fc2c426d48c941edeb78e5df7d2977 Mon Sep 17 00:00:00 2001
-From: antirez <antirez@gmail.com>
-Date: Sun, 25 Sep 2016 22:48:41 +0200
-Subject: [PATCH] Security: CONFIG SET client-output-buffer-limit overflow
- fixed.
-
-This commit fixes a vunlerability reported by Cory Duplantis
-of Cisco Talos, see TALOS-2016-0206 for reference.
-
-CONFIG SET client-output-buffer-limit accepts as client class "master"
-which is actually only used to implement CLIENT KILL. The "master" class
-has ID 3. What happens is that the global structure:
-
- server.client_obuf_limits[class]
-
-Is accessed with class = 3. However it is a 3 elements array, so writing
-the 4th element means to write up to 24 bytes of memory *after* the end
-of the array, since the structure is defined as:
-
- typedef struct clientBufferLimitsConfig {
- unsigned long long hard_limit_bytes;
- unsigned long long soft_limit_bytes;
- time_t soft_limit_seconds;
- } clientBufferLimitsConfig;
-
-EVALUATION OF IMPACT:
-
-Checking what's past the boundaries of the array in the global
-'server' structure, we find AOF state fields:
-
- clientBufferLimitsConfig client_obuf_limits[CLIENT_TYPE_OBUF_COUNT];
- /* AOF persistence */
- int aof_state; /* AOF_(ON|OFF|WAIT_REWRITE) */
- int aof_fsync; /* Kind of fsync() policy */
- char *aof_filename; /* Name of the AOF file */
- int aof_no_fsync_on_rewrite; /* Don't fsync if a rewrite is in prog. */
- int aof_rewrite_perc; /* Rewrite AOF if % growth is > M and... */
- off_t aof_rewrite_min_size; /* the AOF file is at least N bytes. */
- off_t aof_rewrite_base_size; /* AOF size on latest startup or rewrite. */
- off_t aof_current_size; /* AOF current size. */
-
-Writing to most of these fields should be harmless and only cause problems in
-Redis persistence that should not escalate to security problems.
-However unfortunately writing to "aof_filename" could be potentially a
-security issue depending on the access pattern.
-
-Searching for "aof.filename" accesses in the source code returns many different
-usages of the field, including using it as input for open(), logging to the
-Redis log file or syslog, and calling the rename() syscall.
-
-It looks possible that attacks could lead at least to informations
-disclosure of the state and data inside Redis. However note that the
-attacker must already have access to the server. But, worse than that,
-it looks possible that being able to change the AOF filename can be used
-to mount more powerful attacks: like overwriting random files with AOF
-data (easily a potential security issue as demostrated here:
-http://antirez.com/news/96), or even more subtle attacks where the
-AOF filename is changed to a path were a malicious AOF file is loaded
-in order to exploit other potential issues when the AOF parser is fed
-with untrusted input (no known issue known currently).
-
-The fix checks the places where the 'master' class is specifiedf in
-order to access configuration data structures, and return an error in
-this cases.
-
-WHO IS AT RISK?
-
-The "master" client class was introduced in Redis in Jul 28 2015.
-Every Redis instance released past this date is not vulnerable
-while all the releases after this date are. Notably:
-
- Redis 3.0.x is NOT vunlerable.
- Redis 3.2.x IS vulnerable.
- Redis unstable is vulnerable.
-
-In order for the instance to be at risk, at least one of the following
-conditions must be true:
-
- 1. The attacker can access Redis remotely and is able to send
- the CONFIG SET command (often banned in managed Redis instances).
-
- 2. The attacker is able to control the "redis.conf" file and
- can wait or trigger a server restart.
-
-The problem was fixed 26th September 2016 in all the releases affected.
----
- src/config.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/config.c b/src/config.c
-index 1d81180..8f3b81a 100644
---- a/src/config.c
-+++ b/src/config.c
-@@ -616,8 +616,9 @@ void loadServerConfigFromString(char *config) {
- unsigned long long hard, soft;
- int soft_seconds;
-
-- if (class == -1) {
-- err = "Unrecognized client limit class";
-+ if (class == -1 || class == REDIS_CLIENT_TYPE_MASTER) {
-+ err = "Unrecognized client limit class: the user specified "
-+ "an invalid one, or 'master' which has no buffer limits.";
- goto loaderr;
- }
- hard = memtoll(argv[2],NULL);
-@@ -906,7 +907,8 @@ void configSetCommand(client *c) {
- long val;
-
- if ((j % 4) == 0) {
-- if (getClientTypeByName(v[j]) == -1) {
-+ int class = getClientTypeByName(v[j]);
-+ if (class == -1 || class == REDIS_CLIENT_TYPE_MASTER) {
- sdsfreesplitres(v,vlen);
- goto badfmt;
- }