Bug#1105008: bookworm-pu: package redis/5:7.0.15-1~deb12u4

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1105008: bookworm-pu: package redis/5:7.0.15-1~deb12u4
From: Adrian Bunk <bunk@debian.org>
Date: Fri, 09 May 2025 23:57:29 +0300
Message-id: <[🔎] 174682424928.3906007.16542020753461489636.reportbug@localhost>
Reply-to: Adrian Bunk <bunk@debian.org>, 1105008@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Chris Lamb <lamby@debian.org>

  * CVE-2025-21605: Limit output buffer for unauthenticated clients
    (Closes: #1104010)

Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.

diffstat for redis-7.0.15 redis-7.0.15

 changelog                                                               |    8 +
 patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch |   60 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 69 insertions(+)

diff -Nru redis-7.0.15/debian/changelog redis-7.0.15/debian/changelog
--- redis-7.0.15/debian/changelog	2025-01-19 12:41:08.000000000 +0200
+++ redis-7.0.15/debian/changelog	2025-05-09 19:15:20.000000000 +0300
@@ -1,3 +1,11 @@
+redis (5:7.0.15-1~deb12u4) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-21605: Limit output buffer for unauthenticated clients
+    (Closes: #1104010)
+
+ -- Adrian Bunk <bunk@debian.org>  Fri, 09 May 2025 19:15:20 +0300
+
 redis (5:7.0.15-1~deb12u3) bookworm-security; urgency=medium
 
   * Non-maintainer upload.
diff -Nru redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
--- redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch	1970-01-01 02:00:00.000000000 +0200
+++ redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch	2025-05-09 19:14:31.000000000 +0300
@@ -0,0 +1,60 @@
+From 81f549f61799175bca3b126f749a8891832dd187 Mon Sep 17 00:00:00 2001
+From: YaacovHazan <yaacov.hazan@redis.com>
+Date: Wed, 23 Apr 2025 08:09:40 +0000
+Subject: Limiting output buffer for unauthenticated client (CVE-2025-21605)
+
+For unauthenticated clients the output buffer is limited to prevent
+them from abusing it by not reading the replies
+---
+ src/networking.c    |  5 +++++
+ tests/unit/auth.tcl | 18 ++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/src/networking.c b/src/networking.c
+index 90cc64d70..386773eee 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -3757,6 +3757,11 @@ int checkClientOutputBufferLimits(client *c) {
+     int soft = 0, hard = 0, class;
+     unsigned long used_mem = getClientOutputBufferMemoryUsage(c);
+ 
++    /* For unauthenticated clients the output buffer is limited to prevent
++     * them from abusing it by not reading the replies */
++    if (used_mem > 1024 && authRequired(c))
++        return 1;
++
+     class = getClientType(c);
+     /* For the purpose of output buffer limiting, masters are handled
+      * like normal clients. */
+diff --git a/tests/unit/auth.tcl b/tests/unit/auth.tcl
+index 26d125579..24b386228 100644
+--- a/tests/unit/auth.tcl
++++ b/tests/unit/auth.tcl
+@@ -45,6 +45,24 @@ start_server {tags {"auth external:skip"} overrides {requirepass foobar}} {
+         assert_match {*unauthenticated bulk length*} $e
+         $rr close
+     }
++
++    test {For unauthenticated clients output buffer is limited} {
++        set rr [redis [srv "host"] [srv "port"] 1 $::tls]
++        $rr SET x 5
++        catch {[$rr read]} e
++        assert_match {*NOAUTH Authentication required*} $e
++
++        # Fill the output buffer in a loop without reading it and make
++        # sure the client disconnected.
++        # Considering the socket eat some of the replies, we are testing
++        # that such client can't consume more than few MB's.
++        catch {
++            for {set j 0} {$j < 1000000} {incr j} {
++                    $rr SET x 5
++            }
++        } e
++        assert_match {I/O error reading reply} $e
++    }
+ }
+ 
+ start_server {tags {"auth_binary_password external:skip"}} {
+-- 
+2.30.2
+
diff -Nru redis-7.0.15/debian/patches/series redis-7.0.15/debian/patches/series
--- redis-7.0.15/debian/patches/series	2025-01-19 00:28:16.000000000 +0200
+++ redis-7.0.15/debian/patches/series	2025-05-09 19:15:07.000000000 +0300
@@ -6,3 +6,4 @@
 0001-Apply-security-fixes-for-CVEs-1113.patch
 0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch
 0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch
+0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch

Reply to:

Follow-Ups:
- Processed: Re: Bug#1105008: bookworm-pu: package redis/5:7.0.15-1~deb12u4
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1105008: bookworm-pu: package redis/5:7.0.15-1~deb12u4
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Processed: Re: Bug#1105008: bookworm-pu: package redis/5:7.0.15-1~deb12u4
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1105008: redis 7.0.15-1~deb12u4 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>
- Bug#1105008: marked as done (bookworm-pu: package redis/5:7.0.15-1~deb12u4)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: NEW changes in stable-new
Next by Date: Processed: bookworm-pu: package erlang/1:25.2.3+dfsg-1+deb12u2
Previous by thread: Processed: openvpn 2.6.3-1+deb12u3 flagged for acceptance
Next by thread: Processed: Re: Bug#1105008: bookworm-pu: package redis/5:7.0.15-1~deb12u4
Index(es):
- Date
- Thread