Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Chris Lamb <la...@debian.org>
* CVE-2025-21605: Limit output buffer for unauthenticated clients
(Closes: #1104010)
Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.
diffstat for redis-7.0.15 redis-7.0.15
changelog | 8
+
patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch | 60
++++++++++
patches/series | 1
3 files changed, 69 insertions(+)
diff -Nru redis-7.0.15/debian/changelog redis-7.0.15/debian/changelog
--- redis-7.0.15/debian/changelog 2025-01-19 12:41:08.000000000 +0200
+++ redis-7.0.15/debian/changelog 2025-05-09 19:15:20.000000000 +0300
@@ -1,3 +1,11 @@
+redis (5:7.0.15-1~deb12u4) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-21605: Limit output buffer for unauthenticated clients
+ (Closes: #1104010)
+
+ -- Adrian Bunk <b...@debian.org> Fri, 09 May 2025 19:15:20 +0300
+
redis (5:7.0.15-1~deb12u3) bookworm-security; urgency=medium
* Non-maintainer upload.
diff -Nru
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
---
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
1970-01-01 02:00:00.000000000 +0200
+++
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
2025-05-09 19:14:31.000000000 +0300
@@ -0,0 +1,60 @@
+From 81f549f61799175bca3b126f749a8891832dd187 Mon Sep 17 00:00:00 2001
+From: YaacovHazan <yaacov.ha...@redis.com>
+Date: Wed, 23 Apr 2025 08:09:40 +0000
+Subject: Limiting output buffer for unauthenticated client (CVE-2025-21605)
+
+For unauthenticated clients the output buffer is limited to prevent
+them from abusing it by not reading the replies
+---
+ src/networking.c | 5 +++++
+ tests/unit/auth.tcl | 18 ++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/src/networking.c b/src/networking.c
+index 90cc64d70..386773eee 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -3757,6 +3757,11 @@ int checkClientOutputBufferLimits(client *c) {
+ int soft = 0, hard = 0, class;
+ unsigned long used_mem = getClientOutputBufferMemoryUsage(c);
+
++ /* For unauthenticated clients the output buffer is limited to prevent
++ * them from abusing it by not reading the replies */
++ if (used_mem > 1024 && authRequired(c))
++ return 1;
++
+ class = getClientType(c);
+ /* For the purpose of output buffer limiting, masters are handled
+ * like normal clients. */
+diff --git a/tests/unit/auth.tcl b/tests/unit/auth.tcl
+index 26d125579..24b386228 100644
+--- a/tests/unit/auth.tcl
++++ b/tests/unit/auth.tcl
+@@ -45,6 +45,24 @@ start_server {tags {"auth external:skip"} overrides
{requirepass foobar}} {
+ assert_match {*unauthenticated bulk length*} $e
+ $rr close
+ }
++
++ test {For unauthenticated clients output buffer is limited} {
++ set rr [redis [srv "host"] [srv "port"] 1 $::tls]
++ $rr SET x 5
++ catch {[$rr read]} e
++ assert_match {*NOAUTH Authentication required*} $e
++
++ # Fill the output buffer in a loop without reading it and make
++ # sure the client disconnected.
++ # Considering the socket eat some of the replies, we are testing
++ # that such client can't consume more than few MB's.
++ catch {
++ for {set j 0} {$j < 1000000} {incr j} {
++ $rr SET x 5
++ }
++ } e
++ assert_match {I/O error reading reply} $e
++ }
+ }
+
+ start_server {tags {"auth_binary_password external:skip"}} {
+--
+2.30.2
+
diff -Nru redis-7.0.15/debian/patches/series redis-7.0.15/debian/patches/series
--- redis-7.0.15/debian/patches/series 2025-01-19 00:28:16.000000000 +0200
+++ redis-7.0.15/debian/patches/series 2025-05-09 19:15:07.000000000 +0300
@@ -6,3 +6,4 @@
0001-Apply-security-fixes-for-CVEs-1113.patch
0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch
0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch
+0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
