redis: fix CVE-2024-51741

Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-51741 Upstream-patch: https://github.com/redis/redis/commit/15e212bf69de28d2b4585aa79cc2a40f49e4a94d Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-02-04 12:25:28 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-02-09 07:55:22 -0800
commit: e80164edccb6d3722ba04243c44fea06b44ae880 (patch)
tree: 562039d0e40bd6195edd40bb63d2fe2c7196c01d
parent: d9340d705d8f01beb4e935dbdc20ddfde98e784b (diff)
download: meta-openembedded-e80164edccb6d3722ba04243c44fea06b44ae880.tar.gz
2 files changed, 90 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-51741.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-51741.patch
new file mode 100644
index 0000000000..e3a43fe896
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-51741.patch
@@ -0,0 +1,89 @@
+From 15e212bf69de28d2b4585aa79cc2a40f49e4a94d Mon Sep 17 00:00:00 2001
+From: YaacovHazan <yaacov.hazan@redis.com>
+Date: Sun, 15 Dec 2024 11:27:48 +0200
+Subject: [PATCH] Fix Read/Write key pattern selector (CVE-2024-51741)
+The '%' rule must contain one or both of R/W
+CVE: CVE-2024-51741
+Upstream-Status: Backport [https://github.com/redis/redis/commit/15e212bf69de28d2b4585aa79cc2a40f49e4a94d]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/acl.c             | 11 ++++++++---
+ tests/unit/acl-v2.tcl | 26 ++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 3 deletions(-)
+diff --git a/src/acl.c b/src/acl.c
+index 6b53d90..ed6dc97 100644
+--- a/src/acl.c
+++ b/src/acl.c
+@@ -1031,19 +1031,24 @@ int ACLSetSelector(aclSelector *selector, const char* op, size_t oplen) {
+         int flags = 0;
+         size_t offset = 1;
+         if (op[0] == '%') {
+            int perm_ok = 1;
+             for (; offset < oplen; offset++) {
+                 if (toupper(op[offset]) == 'R' && !(flags & ACL_READ_PERMISSION)) {
+                     flags |= ACL_READ_PERMISSION;
+                 } else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) {
+                     flags |= ACL_WRITE_PERMISSION;
+-                } else if (op[offset] == '~' && flags) {
+                } else if (op[offset] == '~') {
+                     offset++;
+                     break;
+                 } else {
+-                    errno = EINVAL;
+-                    return C_ERR;
+                    perm_ok = 0;
+                    break;
+                 }
+             }
+            if (!flags || !perm_ok) {
+                errno = EINVAL;
+                return C_ERR;
+            }
+         } else {
+             flags = ACL_ALL_PERMISSION;
+         }
+diff --git a/tests/unit/acl-v2.tcl b/tests/unit/acl-v2.tcl
+index d836f9c..0b83b89 100644
+--- a/tests/unit/acl-v2.tcl
+++ b/tests/unit/acl-v2.tcl
+@@ -107,6 +107,32 @@ start_server {tags {"acl external:skip"}} {
+         assert_match "*NOPERM*keys*" $err
+     }
+ 
+    test {Validate read and write permissions format - empty permission} {
+        catch {r ACL SETUSER key-permission-RW %~} err
+        set err
+    } {ERR Error in ACL SETUSER modifier '%~': Syntax error}
+
+    test {Validate read and write permissions format - empty selector} {
+        catch {r ACL SETUSER key-permission-RW %} err
+        set err
+    } {ERR Error in ACL SETUSER modifier '%': Syntax error}
+
+    test {Validate read and write permissions format - empty pattern} {
+        # Empty pattern results with R/W access to no key
+        r ACL SETUSER key-permission-RW on nopass %RW~ +@all
+        $r2 auth key-permission-RW password
+        catch {$r2 SET x 5} err
+        set err
+    } {NOPERM No permissions to access a key}
+
+    test {Validate read and write permissions format - no pattern} {
+        # No pattern results with R/W access to no key (currently we accept this syntax error)
+        r ACL SETUSER key-permission-RW on nopass %RW +@all
+        $r2 auth key-permission-RW password
+        catch {$r2 SET x 5} err
+        set err
+    } {NOPERM No permissions to access a key}
+
+     test {Test separate read and write permissions on different selectors are not additive} {
+         r ACL SETUSER key-permission-RW-selector on nopass "(%R~read* +@all)" "(%W~write* +@all)"
+         $r2 auth key-permission-RW-selector password
+-- 
+2.40.0
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index 3535da9664..e7bff9b4ec 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://CVE-2024-31228.patch \
           file://CVE-2024-31449.patch \
           file://CVE-2024-46981.patch \
+           file://CVE-2024-51741.patch \
           "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
author	Divya Chellam <divya.chellam@windriver.com>	2025-02-04 12:25:28 +0000
committer	Armin Kuster <akuster808@gmail.com>	2025-02-09 07:55:22 -0800
commit	e80164edccb6d3722ba04243c44fea06b44ae880 (patch)
tree	562039d0e40bd6195edd40bb63d2fe2c7196c01d
parent	d9340d705d8f01beb4e935dbdc20ddfde98e784b (diff)
download	meta-openembedded-e80164edccb6d3722ba04243c44fea06b44ae880.tar.gz

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-51741.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-51741.patch new file mode 100644 index 0000000000..e3a43fe896 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-51741.patch
@@ -0,0 +1,89 @@
		1	From 15e212bf69de28d2b4585aa79cc2a40f49e4a94d Mon Sep 17 00:00:00 2001
		2	From: YaacovHazan <yaacov.hazan@redis.com>
		3	Date: Sun, 15 Dec 2024 11:27:48 +0200
		4	Subject: [PATCH] Fix Read/Write key pattern selector (CVE-2024-51741)
		5
		6	The '%' rule must contain one or both of R/W
		7
		8	CVE: CVE-2024-51741
		9
		10	Upstream-Status: Backport [https://github.com/redis/redis/commit/15e212bf69de28d2b4585aa79cc2a40f49e4a94d]
		11
		12	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		13	---
		14	src/acl.c \| 11 ++++++++---
		15	tests/unit/acl-v2.tcl \| 26 ++++++++++++++++++++++++++
		16	2 files changed, 34 insertions(+), 3 deletions(-)
		17
		18	diff --git a/src/acl.c b/src/acl.c
		19	index 6b53d90..ed6dc97 100644
		20	--- a/src/acl.c
		21	+++ b/src/acl.c
		22	@@ -1031,19 +1031,24 @@ int ACLSetSelector(aclSelector selector, const char op, size_t oplen) {
		23	int flags = 0;
		24	size_t offset = 1;
		25	if (op[0] == '%') {
		26	+ int perm_ok = 1;
		27	for (; offset < oplen; offset++) {
		28	if (toupper(op[offset]) == 'R' && !(flags & ACL_READ_PERMISSION)) {
		29	flags \|= ACL_READ_PERMISSION;
		30	} else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) {
		31	flags \|= ACL_WRITE_PERMISSION;
		32	- } else if (op[offset] == '~' && flags) {
		33	+ } else if (op[offset] == '~') {
		34	offset++;
		35	break;
		36	} else {
		37	- errno = EINVAL;
		38	- return C_ERR;
		39	+ perm_ok = 0;
		40	+ break;
		41	}
		42	}
		43	+ if (!flags \|\| !perm_ok) {
		44	+ errno = EINVAL;
		45	+ return C_ERR;
		46	+ }
		47	} else {
		48	flags = ACL_ALL_PERMISSION;
		49	}
		50	diff --git a/tests/unit/acl-v2.tcl b/tests/unit/acl-v2.tcl
		51	index d836f9c..0b83b89 100644
		52	--- a/tests/unit/acl-v2.tcl
		53	+++ b/tests/unit/acl-v2.tcl
		54	@@ -107,6 +107,32 @@ start_server {tags {"acl external:skip"}} {
		55	assert_match "NOPERMkeys*" $err
		56	}
		57
		58	+ test {Validate read and write permissions format - empty permission} {
		59	+ catch {r ACL SETUSER key-permission-RW %~} err
		60	+ set err
		61	+ } {ERR Error in ACL SETUSER modifier '%~': Syntax error}
		62	+
		63	+ test {Validate read and write permissions format - empty selector} {
		64	+ catch {r ACL SETUSER key-permission-RW %} err
		65	+ set err
		66	+ } {ERR Error in ACL SETUSER modifier '%': Syntax error}
		67	+
		68	+ test {Validate read and write permissions format - empty pattern} {
		69	+ # Empty pattern results with R/W access to no key
		70	+ r ACL SETUSER key-permission-RW on nopass %RW~ +@all
		71	+ $r2 auth key-permission-RW password
		72	+ catch {$r2 SET x 5} err
		73	+ set err
		74	+ } {NOPERM No permissions to access a key}
		75	+
		76	+ test {Validate read and write permissions format - no pattern} {
		77	+ # No pattern results with R/W access to no key (currently we accept this syntax error)
		78	+ r ACL SETUSER key-permission-RW on nopass %RW +@all
		79	+ $r2 auth key-permission-RW password
		80	+ catch {$r2 SET x 5} err
		81	+ set err
		82	+ } {NOPERM No permissions to access a key}
		83	+
		84	test {Test separate read and write permissions on different selectors are not additive} {
		85	r ACL SETUSER key-permission-RW-selector on nopass "(%R~read* +@all)" "(%W~write* +@all)"
		86	$r2 auth key-permission-RW-selector password
		87	--
		88	2.40.0
		89


diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index 3535da9664..e7bff9b4ec 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
22	file://CVE-2024-31228.patch \	22	file://CVE-2024-31228.patch \
23	file://CVE-2024-31449.patch \	23	file://CVE-2024-31449.patch \
24	file://CVE-2024-46981.patch \	24	file://CVE-2024-46981.patch \
		25	file://CVE-2024-51741.patch \
25	"	26	"
26	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"	27	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
27		28