--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package redis/5:5.0.3-4+deb10u3
- From: "Chris Lamb" <lamby@debian.org>
- Date: Thu, 25 Feb 2021 17:50:05 +0000
- Message-id: <161427533434.3051283.6332310838402881665@tinycat.chris-lamb.co.uk>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear stable release managers,
Please consider redis (5:5.0.3-4+deb10u3) for buster:
redis (5:5.0.3-4+deb10u3) buster; urgency=medium
.
* CVE-2021-21309: Fix a series of integer overflow issues on 32-bit systems.
(Closes: #983446)
The full diff is attached. I am submitting this as a potential s-p-u
due to a request from the Security Team:
https://bugs.debian.org/983446#27
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
diff --git a/debian/changelog b/debian/changelog
index eae2bf71..c184fefb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+redis (5:5.0.3-4+deb10u3) buster; urgency=medium
+
+ * CVE-2021-21309: Fix a series of integer overflow issues on 32-bit systems.
+ (Closes: #983446)
+
+ -- Chris Lamb <lamby@debian.org> Thu, 25 Feb 2021 17:46:45 +0000
+
redis (5:5.0.3-4+deb10u2) buster-security; urgency=high
* Non-maintainer upload by the Security Team.
diff --git a/debian/patches/0015-CVE-2021-21309.patch b/debian/patches/0015-CVE-2021-21309.patch
new file mode 100644
index 00000000..14cb441c
--- /dev/null
+++ b/debian/patches/0015-CVE-2021-21309.patch
@@ -0,0 +1,139 @@
+From: Chris Lamb <lamby@debian.org>
+Date: Thu, 25 Feb 2021 17:44:59 +0000
+Subject: CVE-2021-21309
+
+---
+ src/config.c | 16 ++++++++--------
+ src/sds.c | 3 +++
+ src/zmalloc.c | 10 ++++++++++
+ 3 files changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/src/config.c b/src/config.c
+index 9f51bba..cb13818 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -878,10 +878,10 @@ void loadServerConfig(char *filename, char *options) {
+ if (max != LLONG_MAX && ll > max) goto badfmt; \
+ _var = ll;
+
+-#define config_set_memory_field(_name,_var) \
++#define config_set_memory_field(_name,_var,min,max) \
+ } else if (!strcasecmp(c->argv[2]->ptr,_name)) { \
+ ll = memtoll(o->ptr,&err); \
+- if (err || ll < 0) goto badfmt; \
++ if (err || ll < (long long) (min) || ll > (long long) (max)) goto badfmt; \
+ _var = ll;
+
+ #define config_set_enum_field(_name,_var,_enumvar) \
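Review bot: The new `min`/`max` limits are enforced only where `config_set_memory_field` is expanded, which in the hunks that follow is `configSetCommand`; the `loadServerConfig` name in this hunk header is diff context, not the function being changed. The config-file parsing path is not visible in this patch, so it is worth confirming that `proto-max-bulk-len` and the other memory directives read at startup are held to the same bounds as CONFIG SET. A one-line comment above the macro, such as `/* min and max are inclusive bounds on the parsed byte count */`, would record the contract that the `ll < min || ll > max` test implements.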
+@@ -1147,7 +1147,7 @@ void configSetCommand(client *c) {
+ } config_set_numerical_field(
+ "active-defrag-threshold-upper",server.active_defrag_threshold_upper,0,1000) {
+ } config_set_memory_field(
+- "active-defrag-ignore-bytes",server.active_defrag_ignore_bytes) {
++ "active-defrag-ignore-bytes",server.active_defrag_ignore_bytes,0,LONG_MAX) {
+ } config_set_numerical_field(
+ "active-defrag-cycle-min",server.active_defrag_cycle_min,1,99) {
+ } config_set_numerical_field(
+@@ -1243,7 +1243,7 @@ void configSetCommand(client *c) {
+
+ /* Memory fields.
+ * config_set_memory_field(name,var) */
+- } config_set_memory_field("maxmemory",server.maxmemory) {
++ } config_set_memory_field("maxmemory",server.maxmemory,0,LONG_MAX) {
+ if (server.maxmemory) {
+ if (server.maxmemory < zmalloc_used_memory()) {
+ serverLog(LL_WARNING,"WARNING: the new maxmemory value set via CONFIG SET is smaller than the current memory usage. This will result in key eviction and/or the inability to accept new write commands depending on the maxmemory-policy.");
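Review bot: The context comment `config_set_memory_field(name,var)` above the `maxmemory` entry still describes the old two-argument form, while every call in this hunk and the next one now passes four arguments. Update it to `* config_set_memory_field(name,var,min,max) */` so the table header matches the macro. The body of `configSetCommand` starts and ends outside the hunk.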
+@@ -1251,12 +1251,12 @@ void configSetCommand(client *c) {
+ freeMemoryIfNeededAndSafe();
+ }
+ } config_set_memory_field(
+- "proto-max-bulk-len",server.proto_max_bulk_len) {
++ "proto-max-bulk-len",server.proto_max_bulk_len,1024*1024,LONG_MAX/2) {
+ } config_set_memory_field(
+- "client-query-buffer-limit",server.client_max_querybuf_len) {
+- } config_set_memory_field("repl-backlog-size",ll) {
++ "client-query-buffer-limit",server.client_max_querybuf_len,0,LONG_MAX) {
++ } config_set_memory_field("repl-backlog-size",ll,0,LONG_MAX) {
+ resizeReplicationBacklog(ll);
+- } config_set_memory_field("auto-aof-rewrite-min-size",ll) {
++ } config_set_memory_field("auto-aof-rewrite-min-size",ll,0,LONG_MAX) {
+ server.aof_rewrite_min_size = ll;
+
+ /* Enumeration fields.
+diff --git a/src/sds.c b/src/sds.c
+index 330c955..25da92f 100644
+--- a/src/sds.c
++++ b/src/sds.c
+@@ -96,6 +96,7 @@ sds sdsnewlen(const void *init, size_t initlen) {
+ int hdrlen = sdsHdrSize(type);
+ unsigned char *fp; /* flags pointer. */
+
++ assert(hdrlen+initlen+1 > initlen); /* Catch size_t overflow */
+ sh = s_malloc(hdrlen+initlen+1);
+ if (init==SDS_NOINIT)
+ init = NULL;
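Review bot: The overflow guard added to `sdsnewlen` is an `assert`, so it protects only builds where assertions are compiled in. Which `assert` is in scope for sds.c is not visible here; if it is the standard `<assert.h>` macro, a build with `NDEBUG` falls back to the unchecked `s_malloc(hdrlen+initlen+1)`. The same applies to the two asserts in `sdsMakeRoomFor` and to `ASSERT_NO_SIZE_OVERFLOW` in zmalloc.c. Either confirm that the package build never defines `NDEBUG` for these files, or use a check that cannot be compiled out, e.g. `if (hdrlen+initlen+1 <= initlen) abort();`. `sdsnewlen` continues past the end of the hunk.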
+@@ -214,6 +215,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
+ len = sdslen(s);
+ sh = (char*)s-sdsHdrSize(oldtype);
+ newlen = (len+addlen);
++ assert(newlen > len); /* Catch size_t overflow */
+ if (newlen < SDS_MAX_PREALLOC)
+ newlen *= 2;
+ else
+@@ -227,6 +229,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
+ if (type == SDS_TYPE_5) type = SDS_TYPE_8;
+
+ hdrlen = sdsHdrSize(type);
++ assert(hdrlen+newlen+1 > len); /* Catch size_t overflow */
+ if (oldtype==type) {
+ newsh = s_realloc(sh, hdrlen+newlen+1);
+ if (newsh == NULL) return NULL;
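Review bot: The third assert compares the final allocation size with `len`, the current string length, rather than with the length the caller asked for. A wrap during the growth step in the `else` branch of the previous hunk would therefore pass whenever the wrapped value still exceeds `len`, leaving a buffer shorter than `len+addlen`. Comparing against the pre-growth sum, which the earlier `assert(newlen > len)` has already shown does not overflow, closes that gap: `assert(hdrlen+newlen+1 > len+addlen); /* Catch size_t overflow */`. `sdsMakeRoomFor` begins and ends outside this hunk, and the `else` body is not shown, so the additive growth there is inferred rather than visible.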
+diff --git a/src/zmalloc.c b/src/zmalloc.c
+index 80e6571..426f79c 100644
+--- a/src/zmalloc.c
++++ b/src/zmalloc.c
+@@ -56,6 +56,12 @@ void zlibc_free(void *ptr) {
+ #endif
+ #endif
+
++#if PREFIX_SIZE > 0
++#define ASSERT_NO_SIZE_OVERFLOW(sz) assert((sz) + PREFIX_SIZE > (sz))
++#else
++#define ASSERT_NO_SIZE_OVERFLOW(sz)
++#endif
++
+ /* Explicitly override malloc/free etc when using tcmalloc. */
+ #if defined(USE_TCMALLOC)
+ #define malloc(size) tc_malloc(size)
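Review bot: `#if PREFIX_SIZE > 0` asks the preprocessor to evaluate `PREFIX_SIZE`, whose definition is outside this hunk. If it expands to a `sizeof` expression on builds without `HAVE_MALLOC_SIZE`, the directive will not compile there, and those are the builds where the prefix is non-zero and the check matters. Assuming `PREFIX_SIZE` is zero exactly when `HAVE_MALLOC_SIZE` is defined, keying on the symbol that `zrealloc` already tests avoids the problem: `#ifndef HAVE_MALLOC_SIZE` in place of `#if PREFIX_SIZE > 0`. It is also worth checking that zmalloc.c includes a header providing `assert`, since none of this file's hunks adds one.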
+@@ -106,6 +112,7 @@ static void zmalloc_default_oom(size_t size) {
+ static void (*zmalloc_oom_handler)(size_t) = zmalloc_default_oom;
+
+ void *zmalloc(size_t size) {
++ ASSERT_NO_SIZE_OVERFLOW(size);
+ void *ptr = malloc(size+PREFIX_SIZE);
+
+ if (!ptr) zmalloc_oom_handler(size);
+@@ -124,6 +131,7 @@ void *zmalloc(size_t size) {
+ * Currently implemented only for jemalloc. Used for online defragmentation. */
+ #ifdef HAVE_DEFRAG
+ void *zmalloc_no_tcache(size_t size) {
++ ASSERT_NO_SIZE_OVERFLOW(size);
+ void *ptr = mallocx(size+PREFIX_SIZE, MALLOCX_TCACHE_NONE);
+ if (!ptr) zmalloc_oom_handler(size);
+ update_zmalloc_stat_alloc(zmalloc_size(ptr));
+@@ -138,6 +146,7 @@ void zfree_no_tcache(void *ptr) {
+ #endif
+
+ void *zcalloc(size_t size) {
++ ASSERT_NO_SIZE_OVERFLOW(size);
+ void *ptr = calloc(1, size+PREFIX_SIZE);
+
+ if (!ptr) zmalloc_oom_handler(size);
+@@ -152,6 +161,7 @@ void *zcalloc(size_t size) {
+ }
+
+ void *zrealloc(void *ptr, size_t size) {
++ ASSERT_NO_SIZE_OVERFLOW(size);
+ #ifndef HAVE_MALLOC_SIZE
+ void *realptr;
+ #endif
diff --git a/debian/patches/series b/debian/patches/series
index 5acd72d3..37c0e9b7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ debian-packaging/0008-Ensure-we-use-the-modules-for-third-party-libraries.patch
0012-CVE-2019-10192.patch
0013-CVE-2019-10193.patch
0014-CVE-2020-14147.patch
+0015-CVE-2021-21309.patch
--- End Message ---