
Bug#1105008: marked as done (bookworm-pu: package redis/5:7.0.15-1~deb12u4)



Your message dated Sat, 17 May 2025 09:37:58 +0000
with message-id <E1uGDzS-005KJd-OH@coccia.debian.org>
and subject line Close 1105008
has caused the Debian Bug report #1105008,
regarding bookworm-pu: package redis/5:7.0.15-1~deb12u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1105008: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105008
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Chris Lamb <lamby@debian.org>

  * CVE-2025-21605: Limit output buffer for unauthenticated clients
    (Closes: #1104010)

Tagged moreinfo, as a question to the security team about whether they want
this in pu or as a DSA.
diffstat for redis-7.0.15 redis-7.0.15

 changelog                                                               |    8 +
 patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch |   60 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 69 insertions(+)

diff -Nru redis-7.0.15/debian/changelog redis-7.0.15/debian/changelog
--- redis-7.0.15/debian/changelog	2025-01-19 12:41:08.000000000 +0200
+++ redis-7.0.15/debian/changelog	2025-05-09 19:15:20.000000000 +0300
@@ -1,3 +1,11 @@
+redis (5:7.0.15-1~deb12u4) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-21605: Limit output buffer for unauthenticated clients
+    (Closes: #1104010)
+
+ -- Adrian Bunk <bunk@debian.org>  Fri, 09 May 2025 19:15:20 +0300
+
 redis (5:7.0.15-1~deb12u3) bookworm-security; urgency=medium
 
   * Non-maintainer upload.
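Review bot: the changelog entry describes the change only as "Limit output buffer for unauthenticated clients"; since the patch below hard-codes that limit at 1024 bytes and makes the client disconnect once it is exceeded, mentioning that in the entry would tell administrators reading the changelog what behaviour to expect for clients that send commands before AUTH. The distribution field (bookworm) matches the pu request; if the security team opts for a DSA instead, that field is the one line that needs to change.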
diff -Nru redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
--- redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch	1970-01-01 02:00:00.000000000 +0200
+++ redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch	2025-05-09 19:14:31.000000000 +0300
@@ -0,0 +1,60 @@
+From 81f549f61799175bca3b126f749a8891832dd187 Mon Sep 17 00:00:00 2001
+From: YaacovHazan <yaacov.hazan@redis.com>
+Date: Wed, 23 Apr 2025 08:09:40 +0000
+Subject: Limiting output buffer for unauthenticated client (CVE-2025-21605)
+
+For unauthenticated clients the output buffer is limited to prevent
+them from abusing it by not reading the replies
+---
+ src/networking.c    |  5 +++++
+ tests/unit/auth.tcl | 18 ++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/src/networking.c b/src/networking.c
+index 90cc64d70..386773eee 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -3757,6 +3757,11 @@ int checkClientOutputBufferLimits(client *c) {
+     int soft = 0, hard = 0, class;
+     unsigned long used_mem = getClientOutputBufferMemoryUsage(c);
+ 
++    /* For unauthenticated clients the output buffer is limited to prevent
++     * them from abusing it by not reading the replies */
++    if (used_mem > 1024 && authRequired(c))
++        return 1;
++
+     class = getClientType(c);
+     /* For the purpose of output buffer limiting, masters are handled
+      * like normal clients. */
+diff --git a/tests/unit/auth.tcl b/tests/unit/auth.tcl
+index 26d125579..24b386228 100644
+--- a/tests/unit/auth.tcl
++++ b/tests/unit/auth.tcl
+@@ -45,6 +45,24 @@ start_server {tags {"auth external:skip"} overrides {requirepass foobar}} {
+         assert_match {*unauthenticated bulk length*} $e
+         $rr close
+     }
++
++    test {For unauthenticated clients output buffer is limited} {
++        set rr [redis [srv "host"] [srv "port"] 1 $::tls]
++        $rr SET x 5
++        catch {[$rr read]} e
++        assert_match {*NOAUTH Authentication required*} $e
++
++        # Fill the output buffer in a loop without reading it and make
++        # sure the client disconnected.
++        # Considering the socket eat some of the replies, we are testing
++        # that such client can't consume more than few MB's.
++        catch {
++            for {set j 0} {$j < 1000000} {incr j} {
++                    $rr SET x 5
++            }
++        } e
++        assert_match {I/O error reading reply} $e
++    }
+ }
+ 
+ start_server {tags {"auth_binary_password external:skip"}} {
+-- 
+2.30.2
+
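Review bot: the patch file carries only upstream's git header (From/Date/Subject) and no DEP-3 metadata; since it is a backport of upstream commit 81f549f61799175bca3b126f749a8891832dd187 for CVE-2025-21605, add an `Origin: upstream, 81f549f61799175bca3b126f749a8891832dd187` line and `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104010` so the provenance is readable from the patch itself rather than from the changelog. On the networking.c hunk, note that the new check `if (used_mem > 1024 && authRequired(c)) return 1;` runs before `class = getClientType(c);`, so it applies regardless of client class and short-circuits the configured `client-output-buffer-limit` soft/hard logic for any client that still needs to authenticate; that is the intent (an unauthenticated client only ever receives short -NOAUTH error replies, so 1024 bytes is ample), but the patch description should say the threshold is fixed and not tunable. The auth.tcl test asserts only `I/O error reading reply`, which confirms the client was disconnected but not how much was buffered first; the in-test comment acknowledges this ("can't consume more than few MB's"), which is acceptable for a regression test but worth keeping in mind if the test proves flaky under load.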
diff -Nru redis-7.0.15/debian/patches/series redis-7.0.15/debian/patches/series
--- redis-7.0.15/debian/patches/series	2025-01-19 00:28:16.000000000 +0200
+++ redis-7.0.15/debian/patches/series	2025-05-09 19:15:07.000000000 +0300
@@ -6,3 +6,4 @@
 0001-Apply-security-fixes-for-CVEs-1113.patch
 0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch
 0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch
+0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch

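Review bot: the new series entry reuses the `0001-` prefix already carried by two existing patches (0001-Apply-security-fixes-for-CVEs-1113.patch and 0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch), and the `-CV.patch` suffix is a truncation of `CVE-2025-21605` from git format-patch's filename limit. Since the numeric prefix carries no meaning once the file is appended to a hand-ordered series, consider renaming it to include the full CVE id so the series file alone shows which advisory each patch addresses. Appending it at the end of the series is the right position for a fresh security fix.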
--- End Message ---
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---