From patchwork Mon Mar 1 14:37:00 2021
X-Patchwork-Submitter: Titouan Christophe
X-Patchwork-Id: 1445627
From: Titouan Christophe
To: buildroot@buildroot.org
Cc: Titouan Christophe , Daniel Price
Date: Mon, 1 Mar 2021 15:37:00 +0100
Message-Id: <20210301143700.253226-1-titouanchristophe@gmail.com>
X-Mailer: git-send-email 2.25.3
Subject: [Buildroot] [PATCH 1/1] package/redis: security bump to v6.2.0

This version also needs a patch from upstream to compile on musl systems.

From the release notes:

================================================================================
Redis 6.2.0 GA    Released Tue Feb 22 14:00:00 IST 2021
================================================================================

Upgrade urgency: SECURITY if you use 32bit build of redis (see below),
MODERATE if you used earlier versions of Redis 6.2, LOW otherwise.

Integer overflow on 32-bit systems (CVE-2021-21309):
Redis 4.0 or newer uses a configurable limit for the maximum supported bulk
input size. By default, it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a large request from a
client may trigger several integer overflow scenarios, which would result in
buffer overflow and heap corruption.
Signed-off-by: Titouan Christophe --- ...pile-errors-with-no-HAVE_MALLOC_SIZE.patch | 45 +++++++++++++++++++ package/redis/redis.hash | 2 +- package/redis/redis.mk | 2 +- 3 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 package/redis/0004-fix-compile-errors-with-no-HAVE_MALLOC_SIZE.patch diff --git a/package/redis/0004-fix-compile-errors-with-no-HAVE_MALLOC_SIZE.patch b/package/redis/0004-fix-compile-errors-with-no-HAVE_MALLOC_SIZE.patch new file mode 100644 index 0000000000..c6b2fc96f6 --- /dev/null +++ b/package/redis/0004-fix-compile-errors-with-no-HAVE_MALLOC_SIZE.patch @@ -0,0 +1,45 @@ +From cdfa9601d7b374b3ef6859a4c093046ad331f903 Mon Sep 17 00:00:00 2001 +From: Yossi Gottlieb +Date: Tue, 23 Feb 2021 13:26:24 +0200 +Subject: [PATCH] Fix compile errors with no HAVE_MALLOC_SIZE. + +Fixes #8531 + +[Backported from https://github.com/redis/redis/pull/8533/commits/cdfa9601d7b374b3ef6859a4c093046ad331f903] +Signed-off-by: Titouan Christophe +--- + src/zmalloc.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/src/zmalloc.c b/src/zmalloc.c +index c8d6c825f83..fbac0961623 100644 +--- a/src/zmalloc.c ++++ b/src/zmalloc.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + /* This function provide us access to the original libc free(). This is useful + * for instance to free results obtained by backtrace_symbols(). We need +@@ -49,18 +50,14 @@ void zlibc_free(void *ptr) { + + #ifdef HAVE_MALLOC_SIZE + #define PREFIX_SIZE (0) ++#define ASSERT_NO_SIZE_OVERFLOW(sz) + #else + #if defined(__sun) || defined(__sparc) || defined(__sparc__) + #define PREFIX_SIZE (sizeof(long long)) + #else + #define PREFIX_SIZE (sizeof(size_t)) + #endif +-#endif +- +-#if PREFIX_SIZE > 0 + #define ASSERT_NO_SIZE_OVERFLOW(sz) assert((sz) + PREFIX_SIZE > (sz)) +-#else +-#define ASSERT_NO_SIZE_OVERFLOW(sz) + #endif + + /* Explicitly override malloc/free etc when using tcmalloc. */ 
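Review bot: the `+#include` line added near the top of src/zmalloc.c arrives here with no header name (the three surrounding `#include` lines are rendered the same way, so the archive has most likely stripped the angle-bracketed names); before applying, confirm that package/redis/0004-fix-compile-errors-with-no-HAVE_MALLOC_SIZE.patch as committed names the header the new assert() relies on, and that it applies cleanly to the redis-6.2.0 tarball. On the logic itself, moving ASSERT_NO_SIZE_OVERFLOW under the HAVE_MALLOC_SIZE conditional is the right fix: the removed `#if PREFIX_SIZE > 0` fed a sizeof() expression to the preprocessor, which cannot evaluate it, and with HAVE_MALLOC_SIZE defined the macro correctly becomes a no-op because PREFIX_SIZE is 0 on that path, while every other path keeps the `assert((sz) + PREFIX_SIZE > (sz))` wrap check. It would also help if the Buildroot commit message said why musl builds end up without HAVE_MALLOC_SIZE, so a future maintainer knows the patch can be dropped once a Redis release containing upstream commit cdfa9601d7b374b3ef6859a4c093046ad331f903 is packaged.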
diff --git a/package/redis/redis.hash b/package/redis/redis.hash index b72605013e..8bce9a17fd 100644 --- a/package/redis/redis.hash +++ b/package/redis/redis.hash @@ -1,5 +1,5 @@ # From https://github.com/redis/redis-hashes/blob/master/README -sha256 79bbb894f9dceb33ca699ee3ca4a4e1228be7fb5547aeb2f99d921e86c1285bd redis-6.0.10.tar.gz +sha256 67d624c25d962bd68aff8812a135df85bad07556b8825f3bcd5b522a9932dbca redis-6.2.0.tar.gz # Locally calculated sha256 97f0a15b7bbae580d2609dad2e11f1956ae167be296ab60f4691ab9c30ee9828 COPYING diff --git a/package/redis/redis.mk b/package/redis/redis.mk index 96132ae962..dace3eff55 100644 --- a/package/redis/redis.mk +++ b/package/redis/redis.mk @@ -4,7 +4,7 @@ # ################################################################################ -REDIS_VERSION = 6.0.10 +REDIS_VERSION = 6.2.0 REDIS_SITE = http://download.redis.io/releases REDIS_LICENSE = BSD-3-Clause (core); MIT and BSD family licenses (Bundled components) REDIS_LICENSE_FILES = COPYING
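Review bot: the new sha256 for redis-6.2.0.tar.gz is, per the comment kept in redis.hash, taken from the upstream redis-hashes README; please state in the commit message that it was checked against that README and against the fetched tarball, since this hash is the only integrity check on an archive served from the plain-http REDIS_SITE shown in the redis.mk context. Because 6.0.10 to 6.2.0 is a minor-version jump rather than a point release, the commit message should also say whether the package's existing patches (the new file is numbered 0004) still apply unchanged or were rebased, and, while the package is being touched for a security bump, switching REDIS_SITE to https would be a cheap hardening of the download path.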
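The release-notes paragraph quoted in the commit message describes the bug class behind CVE-2021-21309: once the configured bulk limit is raised far enough, a declared length near the top of the allocator's size type plus the allocator's own prefix wraps around, so the block handed back is much smaller than the data that will be written into it. The C program below is an added illustration, not code from Redis or from this patch. It uses a 32-bit size type and an assumed PREFIX_SIZE of 4 so the wrap is observable on any host, models the configured limit (the Redis option is proto-max-bulk-len; that name comes from general knowledge, the page only calls it a configurable limit), and places the unchecked sum next to the same test that upstream's ASSERT_NO_SIZE_OVERFLOW macro performs, returned as a rejection rather than an abort.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Width of the allocator's size type. A 32-bit type reproduces on a
 * 64-bit host exactly what size_t does on a 32-bit Redis build. */
typedef uint32_t alloc_size_t;

/* Bytes the allocator stores in front of each block when it cannot ask
 * libc for a block's usable size (upstream: PREFIX_SIZE = sizeof(size_t)
 * on the no-HAVE_MALLOC_SIZE path). The value 4 is an assumption for the
 * 32-bit case. */
#define PREFIX_SIZE ((alloc_size_t)4)

/* The unchecked arithmetic: unsigned addition silently wraps to a small
 * value when sz lies within PREFIX_SIZE of the type's maximum. */
alloc_size_t unchecked_total(alloc_size_t sz) {
    return (alloc_size_t)(sz + PREFIX_SIZE);
}

/* The same condition upstream's ASSERT_NO_SIZE_OVERFLOW(sz) asserts:
 * a correct sum is strictly larger than sz, so "not larger" means wrap. */
bool size_overflows(alloc_size_t sz) {
    alloc_size_t total = (alloc_size_t)(sz + PREFIX_SIZE);
    return total <= sz;
}

/* Bulk-input planning modelled on the behaviour the release notes describe:
 * the configured limit is applied first, then the allocation size is
 * overflow-checked. Returns the bytes to allocate, or 0 when the request
 * must be rejected (a real server would answer with a protocol error). */
alloc_size_t plan_bulk_alloc(alloc_size_t declared_len, alloc_size_t max_bulk_len) {
    if (declared_len > max_bulk_len)
        return 0;                 /* over the configured limit */
    if (size_overflows(declared_len))
        return 0;                 /* would wrap: refuse instead of corrupting the heap */
    return unchecked_total(declared_len);
}

int main(void) {
    /* Constructed sample requests: declared length and configured limit. */
    const alloc_size_t default_limit = 512u * 1024u * 1024u;   /* 512MB default */
    const alloc_size_t raised_limit  = UINT32_MAX;            /* limit raised far too high */
    const alloc_size_t lens[] = { 1000u, 629145600u, 0xFFFFFFFBu, 0xFFFFFFFEu };
    const alloc_size_t limits[] = { default_limit, default_limit, raised_limit, raised_limit };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%" PRIu32 " limit=%" PRIu32 " unchecked=%" PRIu32
               " wraps=%s -> alloc=%" PRIu32 "\n",
               lens[i], limits[i], unchecked_total(lens[i]),
               size_overflows(lens[i]) ? "yes" : "no",
               plan_bulk_alloc(lens[i], limits[i]));
    }
    return 0;
}
```

With the default 512MB limit the overflow check never fires, which is why the release notes rate the default as safe; the last sample shows that raising the limit alone is what exposes the wrap, and that the check turns it into a rejection.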