Package: release.debian.org
Control: affects -1 + src:valkey
X-Debbugs-Cc: valkey@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package valkey

[ Reason ]
This version contains a fix for CVE-2025-49112.

[ Impact ]
There will be a security vulnerability affecting users (although not high
severity).

[ Tests ]
The upstream tests are passing.

[ Risks ]
The patch is a one-liner and it was well tested by upstream and users
(#1107210). The risk of a regression is pretty low IMHO.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock valkey/8.1.1+dfsg1-2

diff -Nru valkey-8.1.1+dfsg1/debian/changelog valkey-8.1.1+dfsg1/debian/changelog --- valkey-8.1.1+dfsg1/debian/changelog 2025-06-09 05:47:39.000000000 -0300 +++ valkey-8.1.1+dfsg1/debian/changelog 2025-06-12 14:42:42.000000000 -0300 @@ -1,3 +1,12 @@ +valkey (8.1.1+dfsg1-2) unstable; urgency=medium + + * Fix CVE-2025-49112 (Closes: #1107210) + setDeferredReply in networking.c in Valkey through 8.1.1 has an integer + underflow for prev->size - prev->used. + - d/p/CVE-2025-49112.patch + + -- Lucas Kanashiro <kanashiro@debian.org> Thu, 12 Jun 2025 14:42:42 -0300 + valkey (8.1.1+dfsg1-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch --- valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch 1969-12-31 21:00:00.000000000 -0300 +++ valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch 2025-06-12 14:40:26.000000000 -0300 
@@ -0,0 +1,49 @@ +From: Zeroday BYTE <github@zerodaysec.org> +Date: Mon, 26 May 2025 18:57:00 +0700 +Subject: Fix unsigned difference expression compared to zero (#2101) + +https://github.com/valkey-io/valkey/blob/daea05b1e26db29bfd1c033e27f9d519a2f8ccbb/src/networking.c#L886-L886 + +Fix the issue need to ensure that the subtraction `prev->size - +prev->used` does not underflow. This can be achieved by explicitly +checking that `prev->used` is less than `prev->size` before performing +the subtraction. This approach avoids relying on unsigned arithmetic and +ensures the logic is clear and robust. + +The specific changes are: +1. Replace the condition `prev->size - prev->used > 0` with `prev->used +< prev->size`. +2. This change ensures that the logic checks whether there is remaining +space in the buffer without risking underflow. + +**References** +[INT02-C. Understand integer conversion +rules](https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules) +[CWE-191](https://cwe.mitre.org/data/definitions/191.html) + +--- + +Signed-off-by: Zeroday BYTE <github@zerodaysec.org> + +Reviewed-By: Trupti <trupti@linux.ibm.com>, + Lucas Kanashiro <kanashiro@debian.org> +Origin: upstream, https://github.com/valkey-io/valkey/commit/374718b2a365ca +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107210 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-49112 +--- + src/networking.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/networking.c b/src/networking.c +index 8d0af29..0b54308 100644 +--- a/src/networking.c ++++ b/src/networking.c +@@ -859,7 +859,7 @@ void setDeferredReply(client *c, void *node, const char *s, size_t length) { + * - It has enough room already allocated + * - And not too large (avoid large memmove) + * - And the client is not in a pending I/O state */ +- if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) && prev->size - prev->used > 0 && ++ if 
(ln->prev != NULL && (prev = listNodeValue(ln->prev)) && prev->used < prev->size && + c->io_write_state != CLIENT_PENDING_IO) { + size_t len_to_copy = prev->size - prev->used; + if (len_to_copy > length) len_to_copy = length; diff -Nru valkey-8.1.1+dfsg1/debian/patches/series valkey-8.1.1+dfsg1/debian/patches/series --- valkey-8.1.1+dfsg1/debian/patches/series 2025-06-09 05:47:39.000000000 -0300 +++ valkey-8.1.1+dfsg1/debian/patches/series 2025-06-12 14:40:26.000000000 -0300 @@ -4,3 +4,4 @@ 0003-Use-get_current_dir_name-over-PATHMAX.patch 0004-Add-support-for-USE_SYSTEM_JEMALLOC-flag.patch 0005-Incorporate-Redis-CVE-for-CVE-2025-27151-2146.patch +CVE-2025-49112.patch
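Review bot: In the header of debian/patches/CVE-2025-49112.patch, the `---` line that follows the References section sits above Signed-off-by, Reviewed-By, Origin, Bug-Debian and Bug-Debian-Security, and DEP-3 parsing stops at the first line consisting only of three dashes, so tools reading the patch metadata are likely to miss those fields. Drop that first separator (or move the fields above it) so that only the `---` before the diffstat remains. The Origin URL also carries an abbreviated commit id; the full hash would be more robust as a reference.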
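Review bot: In the setDeferredReply hunk of src/networking.c, the new guard `prev->used < prev->size` is the only thing that keeps `size_t len_to_copy = prev->size - prev->used;` two lines below from wrapping, and nothing in the code says so. The patch description states the operands are unsigned, which means the old `prev->size - prev->used > 0` test was true for any `used != size`, including `used > size`. A short comment on the condition noting that it protects the subtraction that follows would stop a later cleanup from restoring the difference form. The patch also adds no regression test for the `used >= size` case, so the unblock rests on the existing upstream test run mentioned in the request.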