Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear stable release managers,

Please consider redis (5:5.0.3-4+deb10u3) for buster:

  redis (5:5.0.3-4+deb10u3) buster; urgency=medium
  .
    * CVE-2021-21309: Fix a series of integer overflow issues on 32-bit systems.
      (Closes: #983446)


The full diff is attached. I am submitting this as a potential s-p-u
due to a request from the Security Team:

  https://bugs.debian.org/983446#27


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
diff --git a/debian/changelog b/debian/changelog
index eae2bf71..c184fefb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+redis (5:5.0.3-4+deb10u3) buster; urgency=medium
+
+  * CVE-2021-21309: Fix a series of integer overflow issues on 32-bit systems.
+    (Closes: #983446)
+
+ -- Chris Lamb <la...@debian.org>  Thu, 25 Feb 2021 17:46:45 +0000
+
 redis (5:5.0.3-4+deb10u2) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff --git a/debian/patches/0015-CVE-2021-21309.patch 
b/debian/patches/0015-CVE-2021-21309.patch
new file mode 100644
index 00000000..14cb441c
--- /dev/null
+++ b/debian/patches/0015-CVE-2021-21309.patch
@@ -0,0 +1,139 @@
+From: Chris Lamb <la...@debian.org>
+Date: Thu, 25 Feb 2021 17:44:59 +0000
+Subject: CVE-2021-21309
+
+---
+ src/config.c  | 16 ++++++++--------
+ src/sds.c     |  3 +++
+ src/zmalloc.c | 10 ++++++++++
+ 3 files changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/src/config.c b/src/config.c
+index 9f51bba..cb13818 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -878,10 +878,10 @@ void loadServerConfig(char *filename, char *options) {
+         if (max != LLONG_MAX && ll > max) goto badfmt; \
+         _var = ll;
+ 
+-#define config_set_memory_field(_name,_var) \
++#define config_set_memory_field(_name,_var,min,max) \
+     } else if (!strcasecmp(c->argv[2]->ptr,_name)) { \
+         ll = memtoll(o->ptr,&err); \
+-        if (err || ll < 0) goto badfmt; \
++        if (err || ll < (long long) (min) || ll > (long long) (max)) goto 
badfmt; \
+         _var = ll;
+ 
+ #define config_set_enum_field(_name,_var,_enumvar) \
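Review bot: The new `min`/`max` test in `config_set_memory_field` covers only values that arrive through CONFIG SET; every changed line in src/config.c is this macro or one of its call sites, so the parser that reads the configuration file at startup is untouched by this patch. Whether that path already bounds `proto-max-bulk-len` and the other memory fields on 32-bit builds cannot be seen here and should be confirmed. The macro would also benefit from a comment such as `/* min and max are inclusive and compared as long long */`. The if/else chain the macro expands into lies outside the hunk.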
+@@ -1147,7 +1147,7 @@ void configSetCommand(client *c) {
+     } config_set_numerical_field(
+       
"active-defrag-threshold-upper",server.active_defrag_threshold_upper,0,1000) {
+     } config_set_memory_field(
+-      "active-defrag-ignore-bytes",server.active_defrag_ignore_bytes) {
++      
"active-defrag-ignore-bytes",server.active_defrag_ignore_bytes,0,LONG_MAX) {
+     } config_set_numerical_field(
+       "active-defrag-cycle-min",server.active_defrag_cycle_min,1,99) {
+     } config_set_numerical_field(
+@@ -1243,7 +1243,7 @@ void configSetCommand(client *c) {
+ 
+     /* Memory fields.
+      * config_set_memory_field(name,var) */
+-    } config_set_memory_field("maxmemory",server.maxmemory) {
++    } config_set_memory_field("maxmemory",server.maxmemory,0,LONG_MAX) {
+         if (server.maxmemory) {
+             if (server.maxmemory < zmalloc_used_memory()) {
+                 serverLog(LL_WARNING,"WARNING: the new maxmemory value set 
via CONFIG SET is smaller than the current memory usage. This will result in 
key eviction and/or the inability to accept new write commands depending on the 
maxmemory-policy.");
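Review bot: The comment above the `maxmemory` entry still reads `config_set_memory_field(name,var)` although the macro now takes four arguments. It should be updated to `config_set_memory_field(name,var,min,max)` so the documented form matches the call sites. configSetCommand starts and ends outside this hunk.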
+@@ -1251,12 +1251,12 @@ void configSetCommand(client *c) {
+             freeMemoryIfNeededAndSafe();
+         }
+     } config_set_memory_field(
+-      "proto-max-bulk-len",server.proto_max_bulk_len) {
++      "proto-max-bulk-len",server.proto_max_bulk_len,1024*1024,LONG_MAX/2) {
+     } config_set_memory_field(
+-      "client-query-buffer-limit",server.client_max_querybuf_len) {
+-    } config_set_memory_field("repl-backlog-size",ll) {
++      "client-query-buffer-limit",server.client_max_querybuf_len,0,LONG_MAX) {
++    } config_set_memory_field("repl-backlog-size",ll,0,LONG_MAX) {
+         resizeReplicationBacklog(ll);
+-    } config_set_memory_field("auto-aof-rewrite-min-size",ll) {
++    } config_set_memory_field("auto-aof-rewrite-min-size",ll,0,LONG_MAX) {
+         server.aof_rewrite_min_size = ll;
+ 
+     /* Enumeration fields.
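Review bot: The bounds for `proto-max-bulk-len` (`1024*1024` to `LONG_MAX/2`) differ from the `0` to `LONG_MAX` used for every other memory field, and nothing at the call site says why. A short comment would help, for example `/* cap at LONG_MAX/2 so later size arithmetic on the bulk length keeps headroom on 32-bit */`. That rationale is my reading of the changelog entry and should be confirmed before it is written down. configSetCommand starts and ends outside this hunk.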
+diff --git a/src/sds.c b/src/sds.c
+index 330c955..25da92f 100644
+--- a/src/sds.c
++++ b/src/sds.c
+@@ -96,6 +96,7 @@ sds sdsnewlen(const void *init, size_t initlen) {
+     int hdrlen = sdsHdrSize(type);
+     unsigned char *fp; /* flags pointer. */
+ 
++    assert(hdrlen+initlen+1 > initlen); /* Catch size_t overflow */
+     sh = s_malloc(hdrlen+initlen+1);
+     if (init==SDS_NOINIT)
+         init = NULL;
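Review bot: The overflow guard added before `s_malloc` in `sdsnewlen` is an `assert()`, so it disappears if this file is compiled with `NDEBUG`, and when it fires the whole server aborts rather than the single request failing. The same holds for the two asserts added to `sdsMakeRoomFor` and for `ASSERT_NO_SIZE_OVERFLOW` in src/zmalloc.c. Whether the package build can define `NDEBUG` is not visible here; if it can, an explicit `if (hdrlen+initlen+1 <= initlen)` that takes the project's own abort path keeps the check in release builds. At minimum the comment could say so: `/* Catch size_t overflow; must stay active in release builds */`. sdsnewlen continues outside the hunk.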
+@@ -214,6 +215,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
+     len = sdslen(s);
+     sh = (char*)s-sdsHdrSize(oldtype);
+     newlen = (len+addlen);
++    assert(newlen > len);   /* Catch size_t overflow */
+     if (newlen < SDS_MAX_PREALLOC)
+         newlen *= 2;
+     else
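Review bot: `assert(newlen > len)` in `sdsMakeRoomFor` uses a strict comparison, so it fires for `addlen == 0` as well as on wrap-around. That is correct only if the function has already returned for a zero `addlen`; the start of the function is outside the hunk, so this should be confirmed. Extending the comment to `/* Catch size_t overflow; relies on addlen > 0 at this point */` would make the dependency explicit.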
+@@ -227,6 +229,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
+     if (type == SDS_TYPE_5) type = SDS_TYPE_8;
+ 
+     hdrlen = sdsHdrSize(type);
++    assert(hdrlen+newlen+1 > len);  /* Catch size_t overflow */
+     if (oldtype==type) {
+         newsh = s_realloc(sh, hdrlen+newlen+1);
+         if (newsh == NULL) return NULL;
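Review bot: The assert before `s_realloc`, `assert(hdrlen+newlen+1 > len)`, compares the final allocation size with the old length `len`, whereas the buffer has to hold at least `len+addlen`. `newlen` is grown after the first check (the `else` branch between the two hunks is not shown), and if that growth wraps, the result can still exceed `len` while being smaller than the requested size. Keeping the pre-growth sum in a local, `size_t reqlen = len+addlen;`, and checking `assert(hdrlen+newlen+1 > reqlen);` closes that gap. sdsMakeRoomFor continues outside the hunk.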
+diff --git a/src/zmalloc.c b/src/zmalloc.c
+index 80e6571..426f79c 100644
+--- a/src/zmalloc.c
++++ b/src/zmalloc.c
+@@ -56,6 +56,12 @@ void zlibc_free(void *ptr) {
+ #endif
+ #endif
+ 
++#if PREFIX_SIZE > 0
++#define ASSERT_NO_SIZE_OVERFLOW(sz) assert((sz) + PREFIX_SIZE > (sz))
++#else
++#define ASSERT_NO_SIZE_OVERFLOW(sz)
++#endif
++
+ /* Explicitly override malloc/free etc when using tcmalloc. */
+ #if defined(USE_TCMALLOC)
+ #define malloc(size) tc_malloc(size)
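Review bot: `#if PREFIX_SIZE > 0` works only when `PREFIX_SIZE` expands to something the preprocessor can evaluate. Its definition is above the hunk (only the closing `#endif` lines are visible); if any branch defines it with `sizeof`, this line will not compile on that configuration. Defining `ASSERT_NO_SIZE_OVERFLOW` next to each `PREFIX_SIZE` definition, empty where the prefix is zero, avoids testing the value in `#if`. The macro also needs `<assert.h>`, and all ten lines this patch adds to src/zmalloc.c are the macro block and its four uses, so it is worth checking that the file already includes it.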
+@@ -106,6 +112,7 @@ static void zmalloc_default_oom(size_t size) {
+ static void (*zmalloc_oom_handler)(size_t) = zmalloc_default_oom;
+ 
+ void *zmalloc(size_t size) {
++    ASSERT_NO_SIZE_OVERFLOW(size);
+     void *ptr = malloc(size+PREFIX_SIZE);
+ 
+     if (!ptr) zmalloc_oom_handler(size);
+@@ -124,6 +131,7 @@ void *zmalloc(size_t size) {
+  * Currently implemented only for jemalloc. Used for online defragmentation. 
*/
+ #ifdef HAVE_DEFRAG
+ void *zmalloc_no_tcache(size_t size) {
++    ASSERT_NO_SIZE_OVERFLOW(size);
+     void *ptr = mallocx(size+PREFIX_SIZE, MALLOCX_TCACHE_NONE);
+     if (!ptr) zmalloc_oom_handler(size);
+     update_zmalloc_stat_alloc(zmalloc_size(ptr));
+@@ -138,6 +146,7 @@ void zfree_no_tcache(void *ptr) {
+ #endif
+ 
+ void *zcalloc(size_t size) {
++    ASSERT_NO_SIZE_OVERFLOW(size);
+     void *ptr = calloc(1, size+PREFIX_SIZE);
+ 
+     if (!ptr) zmalloc_oom_handler(size);
+@@ -152,6 +161,7 @@ void *zcalloc(size_t size) {
+ }
+ 
+ void *zrealloc(void *ptr, size_t size) {
++    ASSERT_NO_SIZE_OVERFLOW(size);
+ #ifndef HAVE_MALLOC_SIZE
+     void *realptr;
+ #endif
diff --git a/debian/patches/series b/debian/patches/series
index 5acd72d3..37c0e9b7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ 
debian-packaging/0008-Ensure-we-use-the-modules-for-third-party-libraries.patch
 0012-CVE-2019-10192.patch
 0013-CVE-2019-10193.patch
 0014-CVE-2020-14147.patch
+0015-CVE-2021-21309.patch
