2 files changed, 43 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch
new file mode 100644
index 0000000000..ebbf6e1b94
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch
@@ -0,0 +1,42 @@
+From 29900d4e6bccdf3691bedf0ea9a5d84863fa3592 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 3 May 2021 08:27:22 +0300
+Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478)
+An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
+potentially result with remote code execution.
+The vulnerability involves changing the default set-max-intset-entries
+configuration value, creating a large set key that consists of integer values
+and using the COPY command to duplicate it.
+The integer overflow bug exists in all versions of Redis starting with 2.6,
+where it could result with a corrupted RDB or DUMP payload, but not exploited
+through COPY (which did not exist before 6.2).
+CVE: CVE-2021-29478
+Upstream-Status: Backport
+[https://github.com/redis/redis/commit/29900d4e6bccdf3691bedf0ea9a5d84863fa3592]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ src/intset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/intset.c b/src/intset.c
+index 1a64ecae8..9ba13898d 100644
+--- a/src/intset.c
+++ b/src/intset.c
+@@ -281,7 +281,7 @@ uint32_t intsetLen(const intset *is) {
+ 
+ /* Return intset blob size in bytes. */
+ size_t intsetBlobLen(intset *is) {
+-    return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
+    return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
+ }
+ 
+ /* Validate the integrity of the data structure.
+-- 
+2.32.0
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
index e89bb50f15..a36c190af3 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://GNU_SOURCE.patch \
           file://0006-Define-correct-gregs-for-RISCV32.patch \
           file://fix-CVE-2021-29477.patch \
+           file://fix-CVE-2021-29478.patch \
           "
 SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"

diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch new file mode 100644 index 0000000000..ebbf6e1b94 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29478.patch
@@ -0,0 +1,42 @@
		1	From 29900d4e6bccdf3691bedf0ea9a5d84863fa3592 Mon Sep 17 00:00:00 2001
		2	From: Oran Agra <oran@redislabs.com>
		3	Date: Mon, 3 May 2021 08:27:22 +0300
		4	Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478)
		5
		6	An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
		7	potentially result with remote code execution.
		8
		9	The vulnerability involves changing the default set-max-intset-entries
		10	configuration value, creating a large set key that consists of integer values
		11	and using the COPY command to duplicate it.
		12
		13	The integer overflow bug exists in all versions of Redis starting with 2.6,
		14	where it could result with a corrupted RDB or DUMP payload, but not exploited
		15	through COPY (which did not exist before 6.2).
		16
		17	CVE: CVE-2021-29478
		18	Upstream-Status: Backport
		19	[https://github.com/redis/redis/commit/29900d4e6bccdf3691bedf0ea9a5d84863fa3592]
		20
		21	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		22
		23	---
		24	src/intset.c \| 2 +-
		25	1 file changed, 1 insertion(+), 1 deletion(-)
		26
		27	diff --git a/src/intset.c b/src/intset.c
		28	index 1a64ecae8..9ba13898d 100644
		29	--- a/src/intset.c
		30	+++ b/src/intset.c
		31	@@ -281,7 +281,7 @@ uint32_t intsetLen(const intset *is) {
		32
		33	/* Return intset blob size in bytes. */
		34	size_t intsetBlobLen(intset *is) {
		35	- return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
		36	+ return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
		37	}
		38
		39	/* Validate the integrity of the data structure.
		40	--
		41	2.32.0
		42


diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb index e89bb50f15..a36c190af3 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
17	file://GNU_SOURCE.patch \	17	file://GNU_SOURCE.patch \
18	file://0006-Define-correct-gregs-for-RISCV32.patch \	18	file://0006-Define-correct-gregs-for-RISCV32.patch \
19	file://fix-CVE-2021-29477.patch \	19	file://fix-CVE-2021-29477.patch \
		20	file://fix-CVE-2021-29478.patch \
20	"	21	"
21	SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"	22	SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
22		23