
Bug#1107747: marked as done (unblock: valkey/8.1.1+dfsg1-2)



Your message dated Fri, 13 Jun 2025 20:41:52 +0000
with message-id <E1uQBDk-00HKEI-0E@respighi.debian.org>
and subject line unblock valkey
has caused the Debian Bug report #1107747,
regarding unblock: valkey/8.1.1+dfsg1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107747
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:valkey
X-Debbugs-Cc: valkey@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package valkey

[ Reason ]
This version contains a fix for CVE-2025-49112.

[ Impact ]
There will be a security vulnerability affecting users (although not
high severity).

[ Tests ]
The upstream tests are passing.

[ Risks ]
The patch is a one-liner and it was well tested by upstream and users
(#1107210). The risk of a regression is pretty low IMHO.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock valkey/8.1.1+dfsg1-2
diff -Nru valkey-8.1.1+dfsg1/debian/changelog valkey-8.1.1+dfsg1/debian/changelog
--- valkey-8.1.1+dfsg1/debian/changelog	2025-06-09 05:47:39.000000000 -0300
+++ valkey-8.1.1+dfsg1/debian/changelog	2025-06-12 14:42:42.000000000 -0300
@@ -1,3 +1,12 @@
+valkey (8.1.1+dfsg1-2) unstable; urgency=medium
+
+  * Fix CVE-2025-49112 (Closes: #1107210)
+    setDeferredReply in networking.c in Valkey through 8.1.1 has an integer
+    underflow for prev->size - prev->used.
+    - d/p/CVE-2025-49112.patch
+
+ -- Lucas Kanashiro <kanashiro@debian.org>  Thu, 12 Jun 2025 14:42:42 -0300
+
 valkey (8.1.1+dfsg1-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
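Review bot: The new changelog entry at the top of this hunk describes the flaw (the CVE text for setDeferredReply) but not the change being shipped. Consider stating that `d/p/CVE-2025-49112.patch` is taken from upstream and replaces the `prev->size - prev->used > 0` test with `prev->used < prev->size`, so that someone reading only the changelog can tell what was altered and where it came from.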
diff -Nru valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch
--- valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch	1969-12-31 21:00:00.000000000 -0300
+++ valkey-8.1.1+dfsg1/debian/patches/CVE-2025-49112.patch	2025-06-12 14:40:26.000000000 -0300
@@ -0,0 +1,49 @@
+From: Zeroday BYTE <github@zerodaysec.org>
+Date: Mon, 26 May 2025 18:57:00 +0700
+Subject: Fix unsigned difference expression compared to zero (#2101)
+
+https://github.com/valkey-io/valkey/blob/daea05b1e26db29bfd1c033e27f9d519a2f8ccbb/src/networking.c#L886-L886
+
+Fix the issue need to ensure that the subtraction `prev->size -
+prev->used` does not underflow. This can be achieved by explicitly
+checking that `prev->used` is less than `prev->size` before performing
+the subtraction. This approach avoids relying on unsigned arithmetic and
+ensures the logic is clear and robust.
+
+The specific changes are:
+1. Replace the condition `prev->size - prev->used > 0` with `prev->used
+< prev->size`.
+2. This change ensures that the logic checks whether there is remaining
+space in the buffer without risking underflow.
+
+**References**
+[INT02-C. Understand integer conversion
+rules](https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules)
+[CWE-191](https://cwe.mitre.org/data/definitions/191.html)
+
+---
+
+Signed-off-by: Zeroday BYTE <github@zerodaysec.org>
+
+Reviewed-By: Trupti <trupti@linux.ibm.com>,
+             Lucas Kanashiro <kanashiro@debian.org>
+Origin: upstream, https://github.com/valkey-io/valkey/commit/374718b2a365ca
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107210
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-49112
+---
+ src/networking.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/networking.c b/src/networking.c
+index 8d0af29..0b54308 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -859,7 +859,7 @@ void setDeferredReply(client *c, void *node, const char *s, size_t length) {
+      * - It has enough room already allocated
+      * - And not too large (avoid large memmove)
+      * - And the client is not in a pending I/O state */
+-    if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) && prev->size - prev->used > 0 &&
++    if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) && prev->used < prev->size &&
+         c->io_write_state != CLIENT_PENDING_IO) {
+         size_t len_to_copy = prev->size - prev->used;
+         if (len_to_copy > length) len_to_copy = length;
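Review bot: In the changed condition in setDeferredReply, `prev->used < prev->size` now silently skips the merge when `prev->used` exceeds `prev->size`, and nothing records that this state should never occur. Under the old test `prev->size - prev->used > 0`, which the patch description treats as unsigned arithmetic, that state would pass the check and `size_t len_to_copy = prev->size - prev->used;` would wrap to a very large value, capped only by `length`. I would add a short comment next to the new check stating the `used <= size` invariant, plus a regression test, since the diffstat shows only src/networking.c changing. Separately, the comment above the condition lists "not too large (avoid large memmove)", which the condition as shown does not test.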
diff -Nru valkey-8.1.1+dfsg1/debian/patches/series valkey-8.1.1+dfsg1/debian/patches/series
--- valkey-8.1.1+dfsg1/debian/patches/series	2025-06-09 05:47:39.000000000 -0300
+++ valkey-8.1.1+dfsg1/debian/patches/series	2025-06-12 14:40:26.000000000 -0300
@@ -4,3 +4,4 @@
 0003-Use-get_current_dir_name-over-PATHMAX.patch
 0004-Add-support-for-USE_SYSTEM_JEMALLOC-flag.patch
 0005-Incorporate-Redis-CVE-for-CVE-2025-27151-2146.patch
+CVE-2025-49112.patch
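Review bot: The added series entry `CVE-2025-49112.patch` does not follow the numbered naming of the entries above it (`0003-`, `0004-`, `0005-` prefixes). Consider giving it the next number in sequence so the file names keep reflecting the order in which the patches are applied.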



--- End Message ---
--- Begin Message ---
Unblocked valkey.

--- End Message ---
