From 4d2e143b15fdc8f316a1eef5a8b1053981f6d256 Mon Sep 17 00:00:00 2001 From: CoprDistGit Date: Fri, 9 Jun 2023 08:41:05 +0000 Subject: automatic import of redis --- CVE-2021-29478.patch | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 CVE-2021-29478.patch (limited to 'CVE-2021-29478.patch') diff --git a/CVE-2021-29478.patch b/CVE-2021-29478.patch new file mode 100644 index 0000000..c7002c2 --- /dev/null +++ b/CVE-2021-29478.patch @@ -0,0 +1,35 @@ +From ef78ba0a7793a0b6be026ec77ef3c7e919efa08a Mon Sep 17 00:00:00 2001 +From: Oran Agra +Date: Mon, 3 May 2021 08:27:22 +0300 +Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478) + +An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and +potentially result with remote code execution. + +The vulnerability involves changing the default set-max-intset-entries +configuration value, creating a large set key that consists of integer values +and using the COPY command to duplicate it. + +The integer overflow bug exists in all versions of Redis starting with 2.6, +where it could result with a corrupted RDB or DUMP payload, but not exploited +through COPY (which did not exist before 6.2). +--- + src/intset.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/intset.c b/src/intset.c +index 198c90a..8d35536 100644 +--- a/src/intset.c ++++ b/src/intset.c +@@ -278,7 +278,7 @@ uint32_t intsetLen(const intset *is) { + + /* Return intset blob size in bytes. */ + size_t intsetBlobLen(intset *is) { +- return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding); ++ return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding); + } + + #ifdef REDIS_TEST +-- +2.23.0 + -- cgit v1.2.3