
Bug#983527: marked as done (buster-pu: package redis/5:5.0.3-4+deb10u3)



Your message dated Sat, 27 Mar 2021 10:26:45 +0000
with message-id <702e3cb8159c9986264e966af79023672688a8a4.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.9 point release
has caused the Debian Bug report #983527,
regarding buster-pu: package redis/5:5.0.3-4+deb10u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
983527: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983527
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear stable release managers,

Please consider redis (5:5.0.3-4+deb10u3) for buster:

  redis (5:5.0.3-4+deb10u3) buster; urgency=medium
  .
    * CVE-2021-21309: Fix a series of integer overflow issues on 32-bit systems.
      (Closes: #983446)


The full diff is attached. I am submitting this as a potential s-p-u
due to a request from the Security Team:

  https://bugs.debian.org/983446#27


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
diff --git a/debian/changelog b/debian/changelog
index eae2bf71..c184fefb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+redis (5:5.0.3-4+deb10u3) buster; urgency=medium
+
+  * CVE-2021-21309: Fix a series of integer overflow issues on 32-bit systems.
+    (Closes: #983446)
+
+ -- Chris Lamb <lamby@debian.org>  Thu, 25 Feb 2021 17:46:45 +0000
+
 redis (5:5.0.3-4+deb10u2) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff --git a/debian/patches/0015-CVE-2021-21309.patch b/debian/patches/0015-CVE-2021-21309.patch
new file mode 100644
index 00000000..14cb441c
--- /dev/null
+++ b/debian/patches/0015-CVE-2021-21309.patch
@@ -0,0 +1,139 @@
+From: Chris Lamb <lamby@debian.org>
+Date: Thu, 25 Feb 2021 17:44:59 +0000
+Subject: CVE-2021-21309
+
+---
+ src/config.c  | 16 ++++++++--------
+ src/sds.c     |  3 +++
+ src/zmalloc.c | 10 ++++++++++
+ 3 files changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/src/config.c b/src/config.c
+index 9f51bba..cb13818 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -878,10 +878,10 @@ void loadServerConfig(char *filename, char *options) {
+         if (max != LLONG_MAX && ll > max) goto badfmt; \
+         _var = ll;
+ 
+-#define config_set_memory_field(_name,_var) \
++#define config_set_memory_field(_name,_var,min,max) \
+     } else if (!strcasecmp(c->argv[2]->ptr,_name)) { \
+         ll = memtoll(o->ptr,&err); \
+-        if (err || ll < 0) goto badfmt; \
++        if (err || ll < (long long) (min) || ll > (long long) (max)) goto badfmt; \
+         _var = ll;
+ 
+ #define config_set_enum_field(_name,_var,_enumvar) \
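Review bot: The min/max bounds added to `config_set_memory_field` only guard the `CONFIG SET` path, because the macro reads `c->argv[2]->ptr` from a client command; the same directives are also parsed from redis.conf by the file-loading code, which this patch does not touch (the hunk's `loadServerConfig` label is just the nearest preceding definition, not the function the macro lives in). If that parser still accepts any non-negative `memtoll` result, a config file can deliver the same oversized values on 32-bit, presumably as an admin-controlled input outside the CVE's scope, but the patch header should say so either way. A one-line note such as `/* Bounds apply to CONFIG SET only; config-file parsing is handled separately */` above the macro would make the coverage explicit.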
+@@ -1147,7 +1147,7 @@ void configSetCommand(client *c) {
+     } config_set_numerical_field(
+       "active-defrag-threshold-upper",server.active_defrag_threshold_upper,0,1000) {
+     } config_set_memory_field(
+-      "active-defrag-ignore-bytes",server.active_defrag_ignore_bytes) {
++      "active-defrag-ignore-bytes",server.active_defrag_ignore_bytes,0,LONG_MAX) {
+     } config_set_numerical_field(
+       "active-defrag-cycle-min",server.active_defrag_cycle_min,1,99) {
+     } config_set_numerical_field(
+@@ -1243,7 +1243,7 @@ void configSetCommand(client *c) {
+ 
+     /* Memory fields.
+      * config_set_memory_field(name,var) */
+-    } config_set_memory_field("maxmemory",server.maxmemory) {
++    } config_set_memory_field("maxmemory",server.maxmemory,0,LONG_MAX) {
+         if (server.maxmemory) {
+             if (server.maxmemory < zmalloc_used_memory()) {
+                 serverLog(LL_WARNING,"WARNING: the new maxmemory value set via CONFIG SET is smaller than the current memory usage. This will result in key eviction and/or the inability to accept new write commands depending on the maxmemory-policy.");
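Review bot: The comment on the two context lines just above the `maxmemory` case still documents the macro as `config_set_memory_field(name,var)`, but this patch gives it two extra parameters, so the comment is now wrong for every call site below it. Change it to `* config_set_memory_field(name,var,min,max) */` so the next backport does not copy the old shape. configSetCommand's body starts and ends outside this hunk.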
+@@ -1251,12 +1251,12 @@ void configSetCommand(client *c) {
+             freeMemoryIfNeededAndSafe();
+         }
+     } config_set_memory_field(
+-      "proto-max-bulk-len",server.proto_max_bulk_len) {
++      "proto-max-bulk-len",server.proto_max_bulk_len,1024*1024,LONG_MAX/2) {
+     } config_set_memory_field(
+-      "client-query-buffer-limit",server.client_max_querybuf_len) {
+-    } config_set_memory_field("repl-backlog-size",ll) {
++      "client-query-buffer-limit",server.client_max_querybuf_len,0,LONG_MAX) {
++    } config_set_memory_field("repl-backlog-size",ll,0,LONG_MAX) {
+         resizeReplicationBacklog(ll);
+-    } config_set_memory_field("auto-aof-rewrite-min-size",ll) {
++    } config_set_memory_field("auto-aof-rewrite-min-size",ll,0,LONG_MAX) {
+         server.aof_rewrite_min_size = ll;
+ 
+     /* Enumeration fields.
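Review bot: `proto-max-bulk-len` gets a floor of `1024*1024` where the old check only rejected negatives, so `CONFIG SET proto-max-bulk-len` with any value below 1 MiB, including 0, now returns the badfmt error instead of being accepted; that is a user-visible change in a stable update and the changelog entry does not mention it. The ceiling of `LONG_MAX/2` for this one field, against `LONG_MAX` for every other memory field in the patch, is also unexplained in the code. A comment on that line such as `/* Tighter than the other memory fields (min 1MiB, max LONG_MAX/2), see CVE-2021-21309 */` would record the intent without guessing at the arithmetic behind the halving. configSetCommand continues past the end of this hunk.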
+diff --git a/src/sds.c b/src/sds.c
+index 330c955..25da92f 100644
+--- a/src/sds.c
++++ b/src/sds.c
+@@ -96,6 +96,7 @@ sds sdsnewlen(const void *init, size_t initlen) {
+     int hdrlen = sdsHdrSize(type);
+     unsigned char *fp; /* flags pointer. */
+ 
++    assert(hdrlen+initlen+1 > initlen); /* Catch size_t overflow */
+     sh = s_malloc(hdrlen+initlen+1);
+     if (init==SDS_NOINIT)
+         init = NULL;
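Review bot: The new guard is a plain `assert()`, so it only exists in builds where NDEBUG is not defined; nothing in this patch pins that down, and a build that set it would silently drop this check and every other one added in sds.c and zmalloc.c, leaving the overflow reachable again. Redis's own Makefile and Debian's default build flags presumably do not define NDEBUG, but it is worth stating the dependency once, e.g. `/* Catch size_t overflow; this relies on NDEBUG never being set for this build */` on the first assert, or a sentence in the patch header. sdsnewlen's body continues outside the hunk.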
+@@ -214,6 +215,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
+     len = sdslen(s);
+     sh = (char*)s-sdsHdrSize(oldtype);
+     newlen = (len+addlen);
++    assert(newlen > len);   /* Catch size_t overflow */
+     if (newlen < SDS_MAX_PREALLOC)
+         newlen *= 2;
+     else
+@@ -227,6 +229,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
+     if (type == SDS_TYPE_5) type = SDS_TYPE_8;
+ 
+     hdrlen = sdsHdrSize(type);
++    assert(hdrlen+newlen+1 > len);  /* Catch size_t overflow */
+     if (oldtype==type) {
+         newsh = s_realloc(sh, hdrlen+newlen+1);
+         if (newsh == NULL) return NULL;
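Review bot: The third assert, `hdrlen+newlen+1 > len`, compares against the old length rather than the requested one, so a wrap in the `newlen += SDS_MAX_PREALLOC` step of the previous hunk that lands anywhere above `len` still passes and the realloc is sized smaller than `len+addlen`. The earlier assert already established that `len+addlen` does not wrap, so comparing against it is free: `assert(hdrlen+newlen+1 > len+addlen);  /* Catch size_t overflow */`. Reaching the gap would need an addlen within SDS_MAX_PREALLOC of SIZE_MAX, so exploitability is doubtful, but the stronger form costs nothing and matches the intent of the comment. sdsMakeRoomFor's body continues past the hunk.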
+diff --git a/src/zmalloc.c b/src/zmalloc.c
+index 80e6571..426f79c 100644
+--- a/src/zmalloc.c
++++ b/src/zmalloc.c
+@@ -56,6 +56,12 @@ void zlibc_free(void *ptr) {
+ #endif
+ #endif
+ 
++#if PREFIX_SIZE > 0
++#define ASSERT_NO_SIZE_OVERFLOW(sz) assert((sz) + PREFIX_SIZE > (sz))
++#else
++#define ASSERT_NO_SIZE_OVERFLOW(sz)
++#endif
++
+ /* Explicitly override malloc/free etc when using tcmalloc. */
+ #if defined(USE_TCMALLOC)
+ #define malloc(size) tc_malloc(size)
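Review bot: When `PREFIX_SIZE` is 0 the `#else` branch defines `ASSERT_NO_SIZE_OVERFLOW` as nothing, so in those builds (presumably the HAVE_MALLOC_SIZE configurations, which I believe includes jemalloc, the allocator Debian's redis is built against) every guard added to zmalloc/zcalloc/zrealloc compiles away and the only protection left is the config bounds and the sds.c asserts. That is sound, since `size+0` cannot wrap, but a reader of the call sites will otherwise assume a check is being made; a comment on the `#else` branch such as `/* No check needed: with PREFIX_SIZE 0, size+PREFIX_SIZE cannot wrap */` makes the reasoning visible. It also assumes `<assert.h>` is already in scope in zmalloc.c, which the build will confirm.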
+@@ -106,6 +112,7 @@ static void zmalloc_default_oom(size_t size) {
+ static void (*zmalloc_oom_handler)(size_t) = zmalloc_default_oom;
+ 
+ void *zmalloc(size_t size) {
++    ASSERT_NO_SIZE_OVERFLOW(size);
+     void *ptr = malloc(size+PREFIX_SIZE);
+ 
+     if (!ptr) zmalloc_oom_handler(size);
+@@ -124,6 +131,7 @@ void *zmalloc(size_t size) {
+  * Currently implemented only for jemalloc. Used for online defragmentation. */
+ #ifdef HAVE_DEFRAG
+ void *zmalloc_no_tcache(size_t size) {
++    ASSERT_NO_SIZE_OVERFLOW(size);
+     void *ptr = mallocx(size+PREFIX_SIZE, MALLOCX_TCACHE_NONE);
+     if (!ptr) zmalloc_oom_handler(size);
+     update_zmalloc_stat_alloc(zmalloc_size(ptr));
+@@ -138,6 +146,7 @@ void zfree_no_tcache(void *ptr) {
+ #endif
+ 
+ void *zcalloc(size_t size) {
++    ASSERT_NO_SIZE_OVERFLOW(size);
+     void *ptr = calloc(1, size+PREFIX_SIZE);
+ 
+     if (!ptr) zmalloc_oom_handler(size);
+@@ -152,6 +161,7 @@ void *zcalloc(size_t size) {
+ }
+ 
+ void *zrealloc(void *ptr, size_t size) {
++    ASSERT_NO_SIZE_OVERFLOW(size);
+ #ifndef HAVE_MALLOC_SIZE
+     void *realptr;
+ #endif
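Review bot: The patch header carries only From/Date/Subject and no DEP-3 `Origin:` or `Bug-Debian:` field, so a reader cannot tell which upstream commit this backports or whether it was adapted for the 5.0 branch, and the changelog only says "a series of integer overflow issues". Add e.g. `Origin: upstream, <commit URL>`, `Bug-Debian: https://bugs.debian.org/983446` and a one-line description of the three mechanisms (config bounds, sds length asserts, zmalloc prefix asserts) so the next point-release reviewer can diff it against upstream. The series file and changelog hunks are otherwise the only record of what this patch is.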
diff --git a/debian/patches/series b/debian/patches/series
index 5acd72d3..37c0e9b7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ debian-packaging/0008-Ensure-we-use-the-modules-for-third-party-libraries.patch
 0012-CVE-2019-10192.patch
 0013-CVE-2019-10193.patch
 0014-CVE-2020-14147.patch
+0015-CVE-2021-21309.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.9

Hi,

Each of the updates referenced in these bugs was included in the 10.9
point release today.

Regards,

Adam

--- End Message ---
