Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package valkey for openSUSE:Factory checked in at 2026-05-07 15:43:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/valkey (Old) and /work/SRC/openSUSE:Factory/.valkey.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "valkey" Thu May 7 15:43:16 2026 rev:20 rq:1351188 version:9.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/valkey/valkey.changes 2026-02-26 18:51:46.181318899 +0100 +++ /work/SRC/openSUSE:Factory/.valkey.new.1966/valkey.changes 2026-05-07 15:43:31.635581496 +0200 @@ -1,0 +2,13 @@ +Wed May 6 10:19:33 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 9.0.4: (boo#1264164 boo#1264166 boo#1264165) + Upgrade urgency SECURITY: This release includes security fixes we + recommend you apply as soon as possible. + + - Security fixes + - (CVE-2026-23479) Use-After-Free in unblock client flow + - (CVE-2026-25243) Invalid Memory Access in RESTORE command + - (CVE-2026-23631) Use-after-free when full sync occurs during + a yielding Lua/function execution + +------------------------------------------------------------------- Old: ---- valkey-9.0.3.tar.gz New: ---- valkey-9.0.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ valkey.spec ++++++ --- /var/tmp/diff_new_pack.XSqQqV/_old 2026-05-07 15:43:32.323609339 +0200 +++ /var/tmp/diff_new_pack.XSqQqV/_new 2026-05-07 15:43:32.327609501 +0200 @@ -26,7 +26,7 @@ %global make_flags CFLAGS="%{build_cflags}" DEBUG="" V="echo" PREFIX=%{buildroot}%{_prefix} USE_SYSTEMD=yes BUILD_TLS=yes BUILD_RDMA=yes Name: valkey -Version: 9.0.3 +Version: 9.0.4 Release: 0 Summary: Persistent key-value database License: BSD-3-Clause ++++++ valkey-9.0.3.tar.gz -> valkey-9.0.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/00-RELEASENOTES new/valkey-9.0.4/00-RELEASENOTES --- old/valkey-9.0.3/00-RELEASENOTES 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/00-RELEASENOTES 2026-05-06 05:56:46.000000000 +0200 @@ -11,6 +11,18 @@ | CRITICAL | There is a critical bug affecting MOST USERS. Upgrade ASAP. | | SECURITY | There are security fixes in the release. | +Valkey 9.0.4 - May 5, 2026 +-------------------------- + +Upgrade urgency SECURITY: This release includes security fixes we recommend you +apply as soon as possible. + +### Security fixes + +* (CVE-2026-23479) Use-After-Free in unblock client flow +* (CVE-2026-25243) Invalid Memory Access in RESTORE command +* (CVE-2026-23631) Use-after-free when full sync occurs during a yielding Lua/function execution + Valkey 9.0.3 - February 23, 2026 ------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/src/blocked.c new/valkey-9.0.4/src/blocked.c --- old/valkey-9.0.3/src/blocked.c 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/src/blocked.c 2026-05-06 05:56:46.000000000 +0200 @@ -724,7 +724,13 @@ client *old_client = server.current_client; server.current_client = c; enterExecutionUnit(1, 0); - processCommandAndResetClient(c); + if (processCommandAndResetClient(c) == C_ERR) { + /* Client was freed during command processing, exit immediately */ + exitExecutionUnit(); + server.current_client = old_client; + return; + } + if (!c->flag.blocked) { if (c->flag.module) { moduleCallCommandUnblockedHandler(c); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/src/rdb.c new/valkey-9.0.4/src/rdb.c --- old/valkey-9.0.3/src/rdb.c 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/src/rdb.c 2026-05-06 05:56:46.000000000 +0200 @@ -2359,11 +2359,12 @@ /* search for duplicate records */ sds field = sdstrynewlen(fstr, flen); - if (!field || !hashtableAdd(dupSearchHashtable, field) || - !lpSafeToAdd(lp, (size_t)flen + vlen)) { + if (!field || !lpSafeToAdd(lp, (size_t)flen + vlen) || + !hashtableAdd(dupSearchHashtable, field)) { rdbReportCorruptRDB("Hash zipmap with dup elements, or big length (%u)", flen); hashtableRelease(dupSearchHashtable); sdsfree(field); + lpFree(lp); zfree(encoded); o->ptr = NULL; decrRefCount(o); @@ -2811,7 +2812,6 @@ " loading a stream consumer " "group"); decrRefCount(o); - streamFreeNACK(nack); return NULL; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/src/replication.c new/valkey-9.0.4/src/replication.c --- old/valkey-9.0.3/src/replication.c 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/src/replication.c 2026-05-06 05:56:46.000000000 +0200 @@ -2540,6 +2540,11 @@ /* Asynchronously read the SYNC payload we receive from a primary, parse it, * and load it directly to memory without going through the disk */ void replicaReceiveRDBFromPrimaryToMemory(connection *conn) { + /* During full sync, the functions engine is freed right before loading + * the RDB. To avoid this happening while a function is still running, + * delay full sync processing until it finishes. */ + if (isInsideYieldingLongCommand()) return; + char buf[PROTO_IOBUF_LEN]; int ret; rdbSaveInfo rsi = RDB_SAVE_INFO_INIT; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/src/version.h new/valkey-9.0.4/src/version.h --- old/valkey-9.0.3/src/version.h 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/src/version.h 2026-05-06 05:56:46.000000000 +0200 @@ -4,8 +4,8 @@ * similar. */ #define SERVER_NAME "valkey" #define SERVER_TITLE "Valkey" -#define VALKEY_VERSION "9.0.3" -#define VALKEY_VERSION_NUM 0x00090003 +#define VALKEY_VERSION "9.0.4" +#define VALKEY_VERSION_NUM 0x00090004 /* The release stage is used in order to provide release status information. * In unstable branch the status is always "dev". * During release process the status will be set to rc1,rc2...rcN. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/src/zipmap.c new/valkey-9.0.4/src/zipmap.c --- old/valkey-9.0.3/src/zipmap.c 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/src/zipmap.c 2026-05-06 05:56:46.000000000 +0200 @@ -196,6 +196,10 @@ /* read the field name length */ l = zipmapDecodeLength(p); + /* Sanity check: length < 254 must be encoded in 1 byte, not 5 bytes */ + if (l < ZIPMAP_BIGLEN && s != 1) + return 0; + p += s; /* skip the encoded field size */ p += l; /* skip the field */ @@ -209,6 +213,9 @@ /* read the value length */ l = zipmapDecodeLength(p); + /* Sanity check: length < 254 must be encoded in 1 byte, not 5 bytes */ + if (l < ZIPMAP_BIGLEN && s != 1) + return 0; p += s; /* skip the encoded value size*/ e = *p++; /* skip the encoded free space (always encoded in one byte) */ p += l + e; /* skip the value and free space */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/tests/unit/cluster/failover2.tcl new/valkey-9.0.4/tests/unit/cluster/failover2.tcl --- old/valkey-9.0.3/tests/unit/cluster/failover2.tcl 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/tests/unit/cluster/failover2.tcl 2026-05-06 05:56:46.000000000 +0200 @@ -181,17 +181,17 @@ # Make sure both the automatic and the manual failover will fail in the first time. if {$type == "automatic"} { - wait_for_log_messages -3 {"*Failover attempt expired*"} 0 1000 10 + wait_for_log_messages -3 {"*Failover attempt expired*"} 0 1200 50 } elseif {$type == "manual"} { R 3 cluster failover force - wait_for_log_messages -3 {"*Manual failover timed out*"} 0 1000 10 + wait_for_log_messages -3 {"*Manual failover timed out*"} 0 1200 50 } # Make sure the primaries prints the relevant logs. - wait_for_log_messages -1 {"*Failover auth denied to* epoch * > reqConfigEpoch*"} 0 1000 10 - wait_for_log_messages -1 {"*has old slots configuration, sending an UPDATE message about*"} 0 1000 10 - wait_for_log_messages -2 {"*Failover auth denied to* epoch * > reqConfigEpoch*"} 0 1000 10 - wait_for_log_messages -2 {"*has old slots configuration, sending an UPDATE message about*"} 0 1000 10 + wait_for_log_messages -1 {"*Failover auth denied to* epoch * > reqConfigEpoch*"} 0 1200 50 + wait_for_log_messages -1 {"*has old slots configuration, sending an UPDATE message about*"} 0 1200 50 + wait_for_log_messages -2 {"*Failover auth denied to* epoch * > reqConfigEpoch*"} 0 1200 50 + wait_for_log_messages -2 {"*has old slots configuration, sending an UPDATE message about*"} 0 1200 50 # Make sure the replica has updated the config epoch. wait_for_condition 1000 10 { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/tests/unit/cluster/replica-migration.tcl new/valkey-9.0.4/tests/unit/cluster/replica-migration.tcl --- old/valkey-9.0.3/tests/unit/cluster/replica-migration.tcl 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/tests/unit/cluster/replica-migration.tcl 2026-05-06 05:56:46.000000000 +0200 @@ -106,13 +106,15 @@ R 3 readonly R 7 readonly wait_for_condition 1000 50 { - [R 3 get key_991803] == 1024 && [R 3 get key_977613] == 10240 && - [R 4 get key_991803] == 1024 && [R 4 get key_977613] == 10240 && - [R 7 get key_991803] == 1024 && [R 7 get key_977613] == 10240 - } else { - puts "R 3: [R 3 keys *]" - puts "R 4: [R 4 keys *]" - puts "R 7: [R 7 keys *]" + [catch {expr { + [R 3 get key_991803] == 1024 && [R 3 get key_977613] == 10240 && + [R 4 get key_991803] == 1024 && [R 4 get key_977613] == 10240 && + [R 7 get key_991803] == 1024 && [R 7 get key_977613] == 10240 + }} result] == 0 && $result + } else { + catch {puts "R 3: [R 3 keys *]"} + catch {puts "R 4: [R 4 keys *]"} + catch {puts "R 7: [R 7 keys *]"} fail "Key not consistent" } @@ -201,11 +203,13 @@ # Make sure the key exists and is consistent. R 7 readonly wait_for_condition 1000 50 { - [R 4 get key_991803] == 1024 && - [R 7 get key_991803] == 1024 + [catch {expr { + [R 4 get key_991803] == 1024 && + [R 7 get key_991803] == 1024 + }} result] == 0 && $result } else { - puts "R 4: [R 4 get key_991803]" - puts "R 7: [R 7 get key_991803]" + catch {puts "R 4: [R 4 get key_991803]"} + catch {puts "R 7: [R 7 get key_991803]"} fail "Key not consistent" } @@ -325,13 +329,15 @@ R 3 readonly R 7 readonly wait_for_condition 1000 50 { - [R 3 get key_991803] == 1024 && [R 3 get key_977613] == 10240 && - [R 4 get key_991803] == 1024 && [R 4 get key_977613] == 10240 && - [R 7 get key_991803] == 1024 && [R 7 get key_977613] == 10240 - } else { - puts "R 3: [R 3 keys *]" - puts "R 4: [R 4 keys *]" - puts "R 7: [R 7 keys *]" + [catch {expr { + [R 3 get key_991803] == 1024 && [R 3 get key_977613] == 10240 && + [R 4 get key_991803] == 1024 && [R 4 get key_977613] == 10240 && + [R 7 get key_991803] == 1024 && [R 7 get key_977613] == 10240 + }} result] == 0 && $result + } else { + catch {puts "R 3: [R 3 keys *]"} + catch {puts "R 4: [R 4 keys *]"} + catch {puts "R 7: [R 7 keys *]"} fail "Key not consistent" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/tests/unit/dump.tcl new/valkey-9.0.4/tests/unit/dump.tcl --- old/valkey-9.0.3/tests/unit/dump.tcl 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/tests/unit/dump.tcl 2026-05-06 05:56:46.000000000 +0200 @@ -426,4 +426,41 @@ assert_match {*WRONGPASS*} $err } } {} {external:skip} + + test {RESTORE rejects zipmap with overlong field length encoding (CVE-2026-25243)} { + # Craft a RESTORE payload containing a hash-zipmap (RDB type 9) where + # the field-name length is encoded using the 5-byte format (0xfe prefix) + # even though the actual length (3) fits in a single byte. + # + # The bug: zipmapValidateIntegrity() walks the zipmap using the actual + # encoded size (5 bytes for 0xfe prefix), but zipmapNext() recalculates + # the encoding size via zipmapEncodeLength(NULL, len) which returns 1 + # for lengths < 254. This 4-byte mismatch causes zipmapNext() to read + # at wrong offsets during the hash conversion loop after validation, + # leading to invalid memory access (heap buffer over-read). + # + # Zipmap layout (2 entries, 24 bytes): + # 02 - zmlen (2 entries) + # fe 03000000 - field length = 3, overlong 5-byte encoding + # 616263 - "abc" + # 03 - value length = 3 + # 00 - free = 0 + # 646566 - "def" + # 03 - field length = 3 (normal, padding entry) + # 676869 - "ghi" + # 03 - value length = 3 + # 00 - free = 0 + # 6a6b6c - "jkl" + # ff - ZIPMAP_END + # + # Post-patch: zipmapValidateIntegrity() rejects (l < 254 && s != 1). + # + # RESTORE payload: <type=09><rdb-string-len=18><zipmap><rdb-ver=5000><crc=0> + + r debug set-skip-checksum-validation 1 + set payload "\x09\x18\x02\xfe\x03\x00\x00\x00\x61\x62\x63\x03\x00\x64\x65\x66\x03\x67\x68\x69\x03\x00\x6a\x6b\x6c\xff\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00" + catch {r restore zipmap_test 0 $payload} err + r debug set-skip-checksum-validation 0 + assert_match {*Bad data format*} $err + } {} {needs:debug} } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/tests/unit/maxmemory.tcl new/valkey-9.0.4/tests/unit/maxmemory.tcl --- old/valkey-9.0.3/tests/unit/maxmemory.tcl 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/tests/unit/maxmemory.tcl 2026-05-06 05:56:46.000000000 +0200 @@ -336,12 +336,15 @@ # send some 10mb worth of commands that don't increase the memory usage if {$pipeline == 1} { set rd_master [valkey_deferring_client -1] + $rd_master client reply off + $rd_master flush for {set k 0} {$k < $cmd_count} {incr k} { $rd_master setrange key:0 0 [string repeat A $payload_len] + if {$k % 10000 == 0} {$rd_master flush} } - for {set k 0} {$k < $cmd_count} {incr k} { - $rd_master read - } + $rd_master client reply on + $rd_master flush + $rd_master read ;# read the +OK from CLIENT REPLY ON } else { for {set k 0} {$k < $cmd_count} {incr k} { $master setrange key:0 0 [string repeat A $payload_len] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/valkey-9.0.3/tests/unit/memefficiency.tcl new/valkey-9.0.4/tests/unit/memefficiency.tcl --- old/valkey-9.0.3/tests/unit/memefficiency.tcl 2026-02-24 05:04:11.000000000 +0100 +++ new/valkey-9.0.4/tests/unit/memefficiency.tcl 2026-05-06 05:56:46.000000000 +0200 @@ -1,6 +1,8 @@ proc test_memory_efficiency {range} { r flushall set rd [valkey_deferring_client] + $rd client reply off + $rd flush set base_mem [s used_memory] set written 0 for {set j 0} {$j < 10000} {incr j} { @@ -11,9 +13,9 @@ incr written [string length $val] incr written 2 ;# A separator is the minimum to store key-value data. } - for {set j 0} {$j < 10000} {incr j} { - $rd read ; # Discard replies - } + $rd client reply on + $rd flush + $rd read ;# read the +OK from CLIENT REPLY ON set current_mem [s used_memory] set used [expr {$current_mem-$base_mem}]
