commit: 355ad01f1b82d113b950ea3e483a7c2bc54bed6d Author: Petr Vaněk <arkamar <AT> atlas <DOT> cz> AuthorDate: Sat Oct 22 09:43:38 2022 +0000 Commit: Joonas Niilola <juippis <AT> gentoo <DOT> org> CommitDate: Fri Nov 11 15:10:06 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=355ad01f
dev-db/redis: apply recommended patch for CVE-2022-3647 to 7.0.5 The patch is taken from upstream as is. Upstream-commit: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3 Bug: https://bugs.gentoo.org/877863 Signed-off-by: Petr Vaněk <arkamar <AT> atlas.cz> Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org> dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch | 173 +++++++++++++++++++ dev-db/redis/redis-7.0.5-r1.ebuild | 191 +++++++++++++++++++++ 2 files changed, 364 insertions(+) diff --git a/dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch b/dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch new file mode 100644 index 000000000000..8f5eaff13fed --- /dev/null +++ b/dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch @@ -0,0 +1,173 @@ +This is the patch recommended to apply in order to fix CVE-2022-3647. + +Upstream-commit: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3 +Bug: https://bugs.gentoo.org/877863 + +diff --git a/src/debug.c b/src/debug.c +index 8cc811be4..b15ac8780 100644 +--- a/src/debug.c ++++ b/src/debug.c +@@ -1123,73 +1123,88 @@ void bugReportStart(void) { + } + + #ifdef HAVE_BACKTRACE +-static void *getMcontextEip(ucontext_t *uc) { ++ ++/* Returns the current eip and set it to the given new value (if its not NULL) */ ++static void* getAndSetMcontextEip(ucontext_t *uc, void *eip) { + #define NOT_SUPPORTED() do {\ + UNUSED(uc);\ ++ UNUSED(eip);\ + return NULL;\ + } while(0) ++#define GET_SET_RETURN(target_var, new_val) do {\ ++ void *old_val = (void*)target_var; \ ++ if (new_val) { \ ++ void **temp = (void**)&target_var; \ ++ *temp = new_val; \ ++ } \ ++ return old_val; \ ++} while(0) + #if defined(__APPLE__) && !defined(MAC_OS_X_VERSION_10_6) + /* OSX < 10.6 */ + #if defined(__x86_64__) +- return (void*) uc->uc_mcontext->__ss.__rip; ++ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip); + #elif defined(__i386__) +- return (void*) uc->uc_mcontext->__ss.__eip; ++ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip); + #else +- return (void*) uc->uc_mcontext->__ss.__srr0; ++ GET_SET_RETURN(uc->uc_mcontext->__ss.__srr0, eip); + #endif + #elif defined(__APPLE__) && defined(MAC_OS_X_VERSION_10_6) + /* OSX >= 10.6 */ + #if defined(_STRUCT_X86_THREAD_STATE64) && !defined(__i386__) +- return (void*) uc->uc_mcontext->__ss.__rip; ++ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip); + #elif defined(__i386__) +- return (void*) uc->uc_mcontext->__ss.__eip; ++ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip); + #else + /* OSX ARM64 */ +- return (void*) arm_thread_state64_get_pc(uc->uc_mcontext->__ss); ++ void *old_val = (void*)arm_thread_state64_get_pc(uc->uc_mcontext->__ss); ++ if (eip) { ++ arm_thread_state64_set_pc_fptr(uc->uc_mcontext->__ss, eip); ++ } ++ return old_val; + #endif + #elif defined(__linux__) + /* Linux */ + #if defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) +- return (void*) uc->uc_mcontext.gregs[14]; /* Linux 32 */ ++ GET_SET_RETURN(uc->uc_mcontext.gregs[14], eip); + #elif defined(__X86_64__) || defined(__x86_64__) +- return (void*) uc->uc_mcontext.gregs[16]; /* Linux 64 */ ++ GET_SET_RETURN(uc->uc_mcontext.gregs[16], eip); + #elif defined(__ia64__) /* Linux IA64 */ +- return (void*) uc->uc_mcontext.sc_ip; ++ GET_SET_RETURN(uc->uc_mcontext.sc_ip, eip); + #elif defined(__arm__) /* Linux ARM */ +- return (void*) uc->uc_mcontext.arm_pc; ++ GET_SET_RETURN(uc->uc_mcontext.arm_pc, eip); + #elif defined(__aarch64__) /* Linux AArch64 */ +- return (void*) uc->uc_mcontext.pc; ++ GET_SET_RETURN(uc->uc_mcontext.pc, eip); + #else + NOT_SUPPORTED(); + #endif + #elif defined(__FreeBSD__) + /* FreeBSD */ + #if defined(__i386__) +- return (void*) uc->uc_mcontext.mc_eip; ++ GET_SET_RETURN(uc->uc_mcontext.mc_eip, eip); + #elif defined(__x86_64__) +- return (void*) uc->uc_mcontext.mc_rip; ++ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip); + #else + NOT_SUPPORTED(); + #endif + #elif defined(__OpenBSD__) + /* OpenBSD */ + #if defined(__i386__) +- return (void*) uc->sc_eip; ++ GET_SET_RETURN(uc->sc_eip, eip); + #elif defined(__x86_64__) +- return (void*) uc->sc_rip; ++ GET_SET_RETURN(uc->sc_rip, eip); + #else + NOT_SUPPORTED(); + #endif + #elif defined(__NetBSD__) + #if defined(__i386__) +- return (void*) uc->uc_mcontext.__gregs[_REG_EIP]; ++ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_EIP], eip); + #elif defined(__x86_64__) +- return (void*) uc->uc_mcontext.__gregs[_REG_RIP]; ++ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_RIP], eip); + #else + NOT_SUPPORTED(); + #endif + #elif defined(__DragonFly__) +- return (void*) uc->uc_mcontext.mc_rip; ++ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip); + #else + NOT_SUPPORTED(); + #endif +@@ -1951,6 +1966,10 @@ void dumpCodeAroundEIP(void *eip) { + } + } + ++void invalidFunctionWasCalled() {} ++ ++typedef void (*invalidFunctionWasCalledType)(); ++ + void sigsegvHandler(int sig, siginfo_t *info, void *secret) { + UNUSED(secret); + UNUSED(info); +@@ -1968,13 +1987,30 @@ void sigsegvHandler(int sig, siginfo_t *info, void *secret) { + + #ifdef HAVE_BACKTRACE + ucontext_t *uc = (ucontext_t*) secret; +- void *eip = getMcontextEip(uc); ++ void *eip = getAndSetMcontextEip(uc, NULL); + if (eip != NULL) { + serverLog(LL_WARNING, + "Crashed running the instruction at: %p", eip); + } + +- logStackTrace(getMcontextEip(uc), 1); ++ if (eip == info->si_addr) { ++ /* When eip matches the bad address, it's an indication that we crashed when calling a non-mapped ++ * function pointer. In that case the call to backtrace will crash trying to access that address and we ++ * won't get a crash report logged. Set it to a valid point to avoid that crash. */ ++ ++ /* This trick allow to avoid compiler warning */ ++ void *ptr; ++ invalidFunctionWasCalledType *ptr_ptr = (invalidFunctionWasCalledType*)&ptr; ++ *ptr_ptr = invalidFunctionWasCalled; ++ getAndSetMcontextEip(uc, ptr); ++ } ++ ++ logStackTrace(eip, 1); ++ ++ if (eip == info->si_addr) { ++ /* Restore old eip */ ++ getAndSetMcontextEip(uc, eip); ++ } + + logRegisters(uc); + #endif +@@ -2079,7 +2115,7 @@ void watchdogSignalHandler(int sig, siginfo_t *info, void *secret) { + + serverLogFromHandler(LL_WARNING,"\n--- WATCHDOG TIMER EXPIRED ---"); + #ifdef HAVE_BACKTRACE +- logStackTrace(getMcontextEip(uc), 1); ++ logStackTrace(getAndSetMcontextEip(uc, NULL), 1); + #else + serverLogFromHandler(LL_WARNING,"Sorry: no support for backtrace()."); + #endif +-- +2.37.4 + diff --git a/dev-db/redis/redis-7.0.5-r1.ebuild b/dev-db/redis/redis-7.0.5-r1.ebuild new file mode 100644 index 000000000000..83d9c9646600 --- /dev/null +++ b/dev-db/redis/redis-7.0.5-r1.ebuild @@ -0,0 +1,191 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# N.B.: It is no clue in porting to Lua eclasses, as upstream have deviated +# too far from vanilla Lua, adding their own APIs like lua_enablereadonlytable + +inherit autotools edo flag-o-matic multiprocessing systemd tmpfiles toolchain-funcs + +DESCRIPTION="A persistent caching system, key-value, and data structures database" +HOMEPAGE="https://redis.io"; +SRC_URI="https://download.redis.io/releases/${P}.tar.gz"; + +LICENSE="BSD" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x86-solaris" +IUSE="+jemalloc selinux ssl systemd tcmalloc test" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + jemalloc? ( >=dev-libs/jemalloc-5.1:= ) + ssl? ( dev-libs/openssl:0= ) + systemd? ( sys-apps/systemd:= ) + tcmalloc? ( dev-util/google-perftools ) +" + +RDEPEND=" + ${COMMON_DEPEND} + acct-group/redis + acct-user/redis + selinux? ( sec-policy/selinux-redis ) +" + +BDEPEND=" + ${COMMON_DEPEND} + virtual/pkgconfig +" + +# Tcl is only needed in the CHOST test env +DEPEND=" + ${COMMON_DEPEND} + test? ( + dev-lang/tcl:0= + ssl? ( dev-tcltk/tls ) + )" + +REQUIRED_USE="?? ( jemalloc tcmalloc )" + +PATCHES=( + "${FILESDIR}"/${PN}-6.2.1-config.patch + "${FILESDIR}"/${PN}-5.0-shared.patch + "${FILESDIR}"/${PN}-6.2.3-ppc-atomic.patch + "${FILESDIR}"/${PN}-sentinel-5.0-config.patch + "${FILESDIR}"/${PN}-7.0.4-no-which.patch + "${FILESDIR}"/${PN}-7.0.4-replica-tests-fix.patch + + # see bug 877863 + "${FILESDIR}/${PN}-7.0.5-cve-2022-3647.patch" +) + +src_prepare() { + default + + # Append cflag for lua_cjson + # https://github.com/antirez/redis/commit/4fdcd213#diff-3ba529ae517f6b57803af0502f52a40bL61 + append-cflags "-DENABLE_CJSON_GLOBAL" + + # now we will rewrite present Makefiles + local makefiles="" MKF + for MKF in $(find -name 'Makefile' | cut -b 3-); do + mv "${MKF}" "${MKF}.in" + sed -i -e 's:$(CC):@CC@:g' \ + -e 's:$(CFLAGS):@AM_CFLAGS@:g' \ + -e 's: $(DEBUG)::g' \ + -e 's:$(OBJARCH)::g' \ + -e 's:ARCH:TARCH:g' \ + -e '/^CCOPT=/s:$: $(LDFLAGS):g' \ + "${MKF}.in" \ + || die "Sed failed for ${MKF}" + makefiles+=" ${MKF}" + done + # autodetection of compiler and settings; generates the modified Makefiles + cp "${FILESDIR}"/configure.ac-7.0 configure.ac || die + + sed -i \ + -e "/^AC_INIT/s|, __PV__, |, $PV, |" \ + -e "s:AC_CONFIG_FILES(\[Makefile\]):AC_CONFIG_FILES([${makefiles}]):g" \ + configure.ac || die "Sed failed for configure.ac" + eautoreconf +} + +src_configure() { + econf + + # Linenoise can't be built with -std=c99, see https://bugs.gentoo.org/451164 + # also, don't define ANSI/c99 for lua twice + sed -i -e "s:-std=c99::g" deps/linenoise/Makefile deps/Makefile || die +} + +src_compile() { + local myconf="" + + if use jemalloc; then + myconf+="MALLOC=jemalloc" + elif use tcmalloc; then + myconf+="MALLOC=tcmalloc" + else + myconf+="MALLOC=libc" + fi + + if use ssl; then + myconf+=" BUILD_TLS=yes" + fi + + export USE_SYSTEMD=$(usex systemd) + + tc-export AR CC RANLIB + emake V=1 ${myconf} AR="${AR}" CC="${CC}" RANLIB="${RANLIB}" +} + +src_test() { + local runtestargs=( + --clients "$(makeopts_jobs)" # see bug #649868 + + --skiptest "Active defrag eval scripts" # see bug #851654 + ) + + if has usersandbox ${FEATURES} || ! has userpriv ${FEATURES}; then + ewarn "oom-score-adj related tests will be skipped." \ + "They are known to fail with FEATURES usersandbox or -userpriv. See bug #756382." + + runtestargs+=( + # unit/oom-score-adj was introduced in version 6.2.0 + --skipunit unit/oom-score-adj # see bug #756382 + + # Following test was added in version 7.0.0 to unit/introspection. + # It also tries to adjust OOM score. + --skiptest "CONFIG SET rollback on apply error" + ) + fi + + if use ssl; then + edo ./utils/gen-test-certs.sh + runtestargs+=( --tls ) + fi + + edo ./runtest "${runtestargs[@]}" +} + +src_install() { + insinto /etc/redis + doins redis.conf sentinel.conf + use prefix || fowners -R redis:redis /etc/redis /etc/redis/{redis,sentinel}.conf + fperms 0750 /etc/redis + fperms 0644 /etc/redis/{redis,sentinel}.conf + + newconfd "${FILESDIR}/redis.confd-r2" redis + newinitd "${FILESDIR}/redis.initd-6" redis + + systemd_newunit "${FILESDIR}/redis.service-4" redis.service + newtmpfiles "${FILESDIR}/redis.tmpfiles-2" redis.conf + + newconfd "${FILESDIR}/redis-sentinel.confd-r1" redis-sentinel + newinitd "${FILESDIR}/redis-sentinel.initd-r1" redis-sentinel + + insinto /etc/logrotate.d/ + newins "${FILESDIR}/${PN}.logrotate" ${PN} + + dodoc 00-RELEASENOTES BUGS CONTRIBUTING.md MANIFESTO README.md + + dobin src/redis-cli + dosbin src/redis-benchmark src/redis-server src/redis-check-aof src/redis-check-rdb + fperms 0750 /usr/sbin/redis-benchmark + dosym redis-server /usr/sbin/redis-sentinel + + if use prefix; then + diropts -m0750 + else + diropts -m0750 -o redis -g redis + fi + keepdir /var/{log,lib}/redis +} + +pkg_postinst() { + tmpfiles_process redis.conf + + ewarn "The default redis configuration file location changed to:" + ewarn " /etc/redis/{redis,sentinel}.conf" + ewarn "Please apply your changes to the new configuration files." +}
