Hello community, here is the log from the commit of package redis for openSUSE:Factory checked in at 2016-10-24 14:44:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/redis (Old) and /work/SRC/openSUSE:Factory/.redis.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "redis" Changes: -------- --- /work/SRC/openSUSE:Factory/redis/redis.changes 2016-08-09 22:15:02.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.redis.new/redis.changes 2016-10-24 14:44:56.000000000 +0200 @@ -1,0 +2,13 @@ +Mon Oct 24 08:39:02 UTC 2016 - astie...@suse.com + +- update to redis 3.2.4, including fixes for security issues: + * CVE-2016-8339: CONFIG SET client-output-buffer-limit Code + Execution Vulnerability [boo#1002351] +- bug fixes: + * TCP binding bug fixed when only certain addresses were available + for a given port + * improved crash report + * Fix for Redis Cluster redis-trib displaying of info after + creating a new cluster. + +------------------------------------------------------------------- Old: ---- redis-3.2.3.tar.gz New: ---- redis-3.2.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ redis.spec ++++++ --- /var/tmp/diff_new_pack.7bfKoy/_old 2016-10-24 14:44:58.000000000 +0200 +++ /var/tmp/diff_new_pack.7bfKoy/_new 2016-10-24 14:44:58.000000000 +0200 @@ -25,7 +25,7 @@ %bcond_with systemd %endif Name: redis -Version: 3.2.3 +Version: 3.2.4 Release: 0 Summary: Persistent key-value database License: BSD-3-Clause @@ -45,9 +45,9 @@ BuildRequires: pkgconfig BuildRequires: procps BuildRequires: tcl -Requires(pre): shadow Requires: logrotate Requires: sudo +Requires(pre): shadow BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %{with systemd} BuildRequires: pkgconfig(systemd) ++++++ redis-3.2.3.tar.gz -> redis-3.2.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/00-RELEASENOTES new/redis-3.2.4/00-RELEASENOTES --- old/redis-3.2.3/00-RELEASENOTES 2016-08-02 11:00:29.000000000 +0200 +++ new/redis-3.2.4/00-RELEASENOTES 2016-09-26 09:10:17.000000000 +0200 
@@ -11,6 +11,84 @@ -------------------------------------------------------------------------------- ================================================================================ +Redis 3.2.4 Released Mon Sep 26 08:58:21 CEST 2016 +================================================================================ + +Upgrade urgency CRITICAL: Redis 3.2 and unstable contained a security + vulnerability fixed by this release. + +Hello Redis Wizards of the Memory Stores Empire, + +this is a Redis critical release in order to fix a security issue +which is documented clearly here: + + https://github.com/antirez/redis/commit/6d9f8e2462fc2c426d48c941edeb78e5df7d2977 + +Thanks to Cory Duplantis of Cisco Talos for reporting the issue. + +The gist is that using CONFIG SET calls (or by manipulating redis.conf) +an attacker is able to compromise certain fields of the "server" global +structure, including the aof filename pointer, that could be made pointing +to something else. In turn the AOF name is used in different contexts such +as logging, rename(2) and open(2) syscalls, leading to potential problems. + +All Redis 3.2.x versions are affected. + +This release also includes other things: + +* TCP binding bug fixed when only certain addresses were available for +a given port. + +* A much better crash report that includes part of the Redis binary: +this will allow to fix bugs even when we just have a crash log and +no other help from the original poster oft the issue. + +* A fix for Redis Cluster redis-trib displaying of info after creating +a new cluster. + +Please check the following list of commits for credits about who did what. +Thanks to all the contributors and a special thank to Oran Agra for the +help in this release. + +List of commits: + +antirez in commit 0539634: + Security: CONFIG SET client-output-buffer-limit overflow fixed. + 1 file changed, 5 insertions(+), 3 deletions(-) + +antirez in commit c01abcd: + fix the fix for the TCP binding. 
+ 1 file changed, 15 insertions(+), 10 deletions(-) + +oranagra in commit a6d0698: + fix tcp binding when IPv6 is unsupported + 2 files changed, 14 insertions(+), 10 deletions(-) + +antirez in commit 22b6c28: + debug.c: no need to define _GNU_SOURCE, is defined in fmacros.h. + 1 file changed, 1 deletion(-) + +antirez in commit 9e9d398: + crash log - improve code dump with more info and called symbols. + 1 file changed, 59 insertions(+), 20 deletions(-) + +oranagra in commit 3745c5d: + crash log - add hex dump of function code + 1 file changed, 22 insertions(+) + +antirez in commit c1cc07b: + Sentinel example config: warn about protected mode. + 1 file changed, 16 insertions(+), 1 deletion(-) + +rojingeorge in commit 011dc9f: + Display the nodes summary once the cluster is established using redis-trib.rb + 1 file changed, 5 insertions(+) + +Guo Xiao in commit f4e3a94: + Use the standard predefined identifier __func__ (since C99) + 1 file changed, 1 insertion(+), 1 deletion(-) + +================================================================================ Redis 3.2.3 Released Tue Aug 02 10:55:24 CEST 2016 ================================================================================ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/sentinel.conf new/redis-3.2.4/sentinel.conf --- old/redis-3.2.3/sentinel.conf 2016-08-02 11:00:29.000000000 +0200 +++ new/redis-3.2.4/sentinel.conf 2016-09-26 09:10:17.000000000 +0200 
@@ -1,5 +1,21 @@ # Example sentinel.conf +# *** IMPORTANT *** +# +# By default Sentinel will not be reachable from interfaces different than +# localhost, either use the 'bind' directive to bind to a list of network +# interfaces, or disable protected mode with "protected-mode no" by +# adding it to this configuration file. +# +# Before doing that MAKE SURE the instance is protected from the outside +# world via firewalling or other means. +# +# For example you may use one of the following: +# +# bind 127.0.0.1 192.168.1.1 +# +# protected-mode no + # port <sentinel-port> # The port that this sentinel instance will run on port 26379 @@ -178,4 +194,3 @@ # # sentinel client-reconfig-script mymaster /var/redis/reconfig.sh - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/src/anet.c new/redis-3.2.4/src/anet.c --- old/redis-3.2.3/src/anet.c 2016-08-02 11:00:29.000000000 +0200 +++ new/redis-3.2.4/src/anet.c 2016-09-26 09:10:17.000000000 +0200 @@ -486,7 +486,7 @@ goto end; } if (p == NULL) { - anetSetError(err, "unable to bind socket"); + anetSetError(err, "unable to bind socket, errno: %d", errno); goto error; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/src/config.c new/redis-3.2.4/src/config.c --- old/redis-3.2.3/src/config.c 2016-08-02 11:00:29.000000000 +0200 +++ new/redis-3.2.4/src/config.c 2016-09-26 09:10:17.000000000 +0200 @@ -549,8 +549,9 @@ unsigned long long hard, soft; int soft_seconds; - if (class == -1) { - err = "Unrecognized client limit class"; + if (class == -1 || class == CLIENT_TYPE_MASTER) { + err = "Unrecognized client limit class: the user specified " + "an invalid one, or 'master' which has no buffer limits."; goto loaderr; } hard = memtoll(argv[2],NULL); 
@@ -834,7 +835,8 @@ long val; if ((j % 4) == 0) { - if (getClientTypeByName(v[j]) == -1) { + int class = getClientTypeByName(v[j]); + if (class == -1 || class == CLIENT_TYPE_MASTER) { sdsfreesplitres(v,vlen); goto badfmt; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/src/debug.c new/redis-3.2.4/src/debug.c --- old/redis-3.2.3/src/debug.c 2016-08-02 11:00:29.000000000 +0200 +++ new/redis-3.2.4/src/debug.c 2016-09-26 09:10:17.000000000 +0200 @@ -39,6 +39,8 @@ #include <ucontext.h> #include <fcntl.h> #include "bio.h" +#include <unistd.h> +#include <dlfcn.h> #endif /* HAVE_BACKTRACE */ #ifdef __CYGWIN__ @@ -671,6 +673,8 @@ return (void*) uc->uc_mcontext.gregs[16]; /* Linux 64 */ #elif defined(__ia64__) /* Linux IA64 */ return (void*) uc->uc_mcontext.sc_ip; + #elif defined(__arm__) /* Linux ARM */ + return (void*) uc->uc_mcontext.arm_pc; #endif #else return NULL; @@ -972,6 +976,32 @@ } #endif +/* Scans the (assumed) x86 code starting at addr, for a max of `len` + * bytes, searching for E8 (callq) opcodes, and dumping the symbols + * and the call offset if they appear to be valid. */ +void dumpX86Calls(void *addr, size_t len) { + size_t j; + unsigned char *p = addr; + Dl_info info; + /* Hash table to best-effort avoid printing the same symbol + * multiple times. */ + unsigned long ht[256] = {0}; + + if (len < 5) return; + for (j = 0; j < len-4; j++) { + if (p[j] != 0xE8) continue; /* Not an E8 CALL opcode. */ + unsigned long target = (unsigned long)addr+j+5; + target += *((int32_t*)(p+j+1)); + if (dladdr((void*)target, &info) != 0 && info.dli_sname != NULL) { + if (ht[target&0xff] != target) { + printf("Function at 0x%lx is %s\n",target,info.dli_sname); + ht[target&0xff] = target; + } + j += 4; /* Skip the 32 bit immediate. */ + } + } +} + void sigsegvHandler(int sig, siginfo_t *info, void *secret) { ucontext_t *uc = (ucontext_t*) secret; void *eip = getMcontextEip(uc); 
@@ -1022,19 +1052,49 @@ bioKillThreads(); if (memtest_test_linux_anonymous_maps()) { serverLogRaw(LL_WARNING|LL_RAW, - "!!! MEMORY ERROR DETECTED! Check your memory ASAP !!!"); + "!!! MEMORY ERROR DETECTED! Check your memory ASAP !!!\n"); } else { serverLogRaw(LL_WARNING|LL_RAW, - "Fast memory test PASSED, however your memory can still be broken. Please run a memory test for several hours if possible."); + "Fast memory test PASSED, however your memory can still be broken. Please run a memory test for several hours if possible.\n"); } #endif + if (eip != NULL) { + Dl_info info; + if (dladdr(eip, &info) != 0) { + serverLog(LL_WARNING|LL_RAW, + "\n------ DUMPING CODE AROUND EIP ------\n" + "Symbol: %s (base: %p)\n" + "Module: %s (base %p)\n" + "$ xxd -r -p /tmp/dump.hex /tmp/dump.bin\n" + "$ objdump --adjust-vma=%p -D -b binary -m i386:x86-64 /tmp/dump.bin\n" + "------\n", + info.dli_sname, info.dli_saddr, info.dli_fname, info.dli_fbase, + info.dli_saddr); + size_t len = (long)eip - (long)info.dli_saddr; + unsigned long sz = sysconf(_SC_PAGESIZE); + if (len < 1<<13) { /* we don't have functions over 8k (verified) */ + /* Find the address of the next page, which is our "safety" + * limit when dumping. Then try to dump just 128 bytes more + * than EIP if there is room, or stop sooner. */ + unsigned long next = ((unsigned long)eip + sz) & ~(sz-1); + unsigned long end = (unsigned long)eip + 128; + if (end > next) end = next; + len = end - (unsigned long)info.dli_saddr; + serverLogHexDump(LL_WARNING, "dump of function", + info.dli_saddr ,len); + dumpX86Calls(info.dli_saddr,len); + } + } + } + serverLogRaw(LL_WARNING|LL_RAW, "\n=== REDIS BUG REPORT END. Make sure to include from START to END. ===\n\n" " Please report the crash by opening an issue on github:\n\n" " http://github.com/antirez/redis/issues\n\n" " Suspect RAM error? Use redis-server --test-memory to verify it.\n\n" ); + /* free(messages); Don't call free() with possibly corrupted memory. 
*/ if (server.daemonize && server.supervised == 0) unlink(server.pidfile); @@ -1055,7 +1115,7 @@ unsigned char *v = value; char charset[] = "0123456789abcdef"; - serverLog(level,"%s (hexdump):", descr); + serverLog(level,"%s (hexdump of %zu bytes):", descr, len); b = buf; while(len) { b[0] = charset[(*v)>>4]; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/src/debugmacro.h new/redis-3.2.4/src/debugmacro.h --- old/redis-3.2.3/src/debugmacro.h 2016-08-02 11:00:29.000000000 +0200 +++ new/redis-3.2.4/src/debugmacro.h 2016-09-26 09:10:17.000000000 +0200 @@ -34,7 +34,7 @@ #define D(...) \ do { \ FILE *fp = fopen("/tmp/log.txt","a"); \ - fprintf(fp,"%s:%s:%d:\t", __FILE__, __FUNCTION__, __LINE__); \ + fprintf(fp,"%s:%s:%d:\t", __FILE__, __func__, __LINE__); \ fprintf(fp,__VA_ARGS__); \ fprintf(fp,"\n"); \ fclose(fp); \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/src/redis-trib.rb new/redis-3.2.4/src/redis-trib.rb --- old/redis-3.2.3/src/redis-trib.rb 2016-08-02 11:00:29.000000000 +0200 +++ new/redis-3.2.4/src/redis-trib.rb 2016-09-26 09:10:17.000000000 +0200 @@ -1305,6 +1305,11 @@ sleep 1 wait_cluster_join flush_nodes_config # Useful for the replicas + # Reset the node information, so that when the + # final summary is listed in check_cluster about the newly created cluster + # all the nodes would get properly listed as slaves or masters + reset_nodes + load_cluster_info_from_node(argv[0]) check_cluster end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/src/server.c new/redis-3.2.4/src/server.c --- old/redis-3.2.3/src/server.c 2016-08-02 11:00:29.000000000 +0200 +++ new/redis-3.2.4/src/server.c 2016-09-26 09:10:17.000000000 +0200 
@@ -1776,6 +1776,7 @@ if (server.bindaddr_count == 0) server.bindaddr[0] = NULL; for (j = 0; j < server.bindaddr_count || j == 0; j++) { if (server.bindaddr[j] == NULL) { + int unsupported = 0; /* Bind * for both IPv6 and IPv4, we enter here only if * server.bindaddr_count == 0. */ fds[*count] = anetTcp6Server(server.neterr,port,NULL, @@ -1783,19 +1784,27 @@ if (fds[*count] != ANET_ERR) { anetNonBlock(NULL,fds[*count]); (*count)++; + } else if (errno == EAFNOSUPPORT) { + unsupported++; + serverLog(LL_WARNING,"Not listening to IPv6: unsupproted"); + } + if (*count == 1 || unsupported) { /* Bind the IPv4 address as well. */ fds[*count] = anetTcpServer(server.neterr,port,NULL, server.tcp_backlog); if (fds[*count] != ANET_ERR) { anetNonBlock(NULL,fds[*count]); (*count)++; + } else if (errno == EAFNOSUPPORT) { + unsupported++; + serverLog(LL_WARNING,"Not listening to IPv4: unsupproted"); } } /* Exit the loop if we were able to bind * on IPv4 and IPv6, * otherwise fds[*count] will be ANET_ERR and we'll print an * error and return to the caller with an error. */ - if (*count == 2) break; + if (*count + unsupported == 2) break; } else if (strchr(server.bindaddr[j],':')) { /* Bind IPv6 address. */ fds[*count] = anetTcp6Server(server.neterr,port,server.bindaddr[j], diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-3.2.3/src/version.h new/redis-3.2.4/src/version.h --- old/redis-3.2.3/src/version.h 2016-08-02 11:00:29.000000000 +0200 +++ new/redis-3.2.4/src/version.h 2016-09-26 09:10:17.000000000 +0200 @@ -1 +1 @@ -#define REDIS_VERSION "3.2.3" +#define REDIS_VERSION "3.2.4"
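Review bot: in sentinel.conf (hunk @@ -1,5) the example block lists `protected-mode no` directly under "you may use one of the following", next to the bind line, so it reads as an equally good choice even though the paragraph before it says to firewall the instance first. Consider showing the bind example on its own and moving `protected-mode no` under the MAKE SURE warning, so that the safer option is the one people copy.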
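Review bot: in src/anet.c (hunk @@ -486) the new message prints errno as a bare number with `%d`, which the reader then has to look up for their platform. Adding strerror(errno) next to the number would make the bind failure readable directly from the log.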
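Review bot: in src/config.c the new test `class == -1 || class == CLIENT_TYPE_MASTER` is written out twice, once in the config-file path (hunk @@ -549) and once in the CONFIG SET path (hunk @@ -834), so the two copies can drift apart the next time a client type is added. Consider moving the test into one small helper that both call sites use. The CONFIG SET path also jumps to badfmt without the explanatory text the file-loading path now gets, so a user who passes 'master' there sees whatever badfmt reports rather than the new message.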
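Review bot: in dumpX86Calls (src/debug.c, hunk @@ -972) the call displacement is read with `*((int32_t*)(p+j+1))`, a cast from an unsigned char pointer at an arbitrary byte offset, which is an unaligned, type-punned load. Copying the four bytes into an int32_t with memcpy avoids that. The function also reports through printf while the rest of the crash report in this diff goes through serverLog and serverLogRaw, so these lines may not end up in the same place as the report the user is asked to paste.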
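Review bot: in sigsegvHandler (src/debug.c, hunk @@ -1022) info.dli_sname is passed to a %s conversion without a NULL check, although dumpX86Calls in the same diff tests `info.dli_sname != NULL` after dladdr() succeeds. The handler should substitute a placeholder string when no symbol name is available. The block is also x86-specific (it calls dumpX86Calls and logs an objdump command with `-m i386:x86-64`) but has no architecture guard, while this same diff adds an `__arm__` branch to getMcontextEip; wrapping the block in an x86 #if would keep it from printing misleading output on other targets.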
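Review bot: in src/server.c (hunk @@ -1783) the exit test `if (*count + unsupported == 2) break;` is also true when both anetTcp6Server and anetTcpServer fail with EAFNOSUPPORT, which leaves *count at 0, yet the comment just above it still describes the break as the case where both binds succeeded. Please either require *count > 0 before breaking or update the comment to say how the caller handles zero listeners. Both new log strings spell the word as "unsupproted"; it should read "unsupported".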