Bug#1105008: bookworm-pu: package redis/5:7.0.15-1~deb12u4

2025-05-10 Thread Salvatore Bonaccorso
Control: tags -1 - moreinfo

Hi Adrian,

On Fri, May 09, 2025 at 11:57:29PM +0300, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm moreinfo
> User: [email protected]
> Usertags: pu
> X-Debbugs-Cc: [email protected], Chris Lamb 
> 
>   * CVE-2025-21605: Limit output buffer for unauthenticated clients
> (Closes: #1104010)
> 
> Tagged moreinfo, as question to the security team whether they want
> this in pu or as DSA.

I would argue that *could* warrant a DSA, but with the following
argument that the point release is just right around the corner: if
you manage to upload this this weekend in time for the point release
then let's do a point release update. While it might warrant a DSA
redis server installations are ideally with restricted access by
additional boundaries.

If we get to miss the window, then please come back to us and we can
pick it up via DSA.

The former has the advantage that we can batch the update together
with other things pending in point release.

Regards,
Salvatore



Bug#1105008: bookworm-pu: package redis/5:7.0.15-1~deb12u4

2025-05-09 Thread Adrian Bunk
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], Chris Lamb 

  * CVE-2025-21605: Limit output buffer for unauthenticated clients
(Closes: #1104010)

Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.
diffstat for redis-7.0.15 redis-7.0.15

 changelog                                                               |    8 +
 patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch |   60 ++
 patches/series                                                          |    1 +
 3 files changed, 69 insertions(+)

diff -Nru redis-7.0.15/debian/changelog redis-7.0.15/debian/changelog
--- redis-7.0.15/debian/changelog   2025-01-19 12:41:08.0 +0200
+++ redis-7.0.15/debian/changelog   2025-05-09 19:15:20.0 +0300
@@ -1,3 +1,11 @@
+redis (5:7.0.15-1~deb12u4) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-21605: Limit output buffer for unauthenticated clients
+(Closes: #1104010)
+
+ -- Adrian Bunk   Fri, 09 May 2025 19:15:20 +0300
+
 redis (5:7.0.15-1~deb12u3) bookworm-security; urgency=medium
 
   * Non-maintainer upload.
diff -Nru 
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
 
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
--- 
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
 1970-01-01 02:00:00.0 +0200
+++ 
redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
 2025-05-09 19:14:31.0 +0300
@@ -0,0 +1,60 @@
+From 81f549f61799175bca3b126f749a8891832dd187 Mon Sep 17 00:00:00 2001
+From: YaacovHazan 
+Date: Wed, 23 Apr 2025 08:09:40 +
+Subject: Limiting output buffer for unauthenticated client (CVE-2025-21605)
+
+For unauthenticated clients the output buffer is limited to prevent
+them from abusing it by not reading the replies
+---
+ src/networking.c|  5 +
+ tests/unit/auth.tcl | 18 ++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/src/networking.c b/src/networking.c
+index 90cc64d70..386773eee 100644
+--- a/src/networking.c
 b/src/networking.c
+@@ -3757,6 +3757,11 @@ int checkClientOutputBufferLimits(client *c) {
+ int soft = 0, hard = 0, class;
+ unsigned long used_mem = getClientOutputBufferMemoryUsage(c);
+ 
++/* For unauthenticated clients the output buffer is limited to prevent
++ * them from abusing it by not reading the replies */
++if (used_mem > 1024 && authRequired(c))
++return 1;
++
+ class = getClientType(c);
+ /* For the purpose of output buffer limiting, masters are handled
+  * like normal clients. */
+diff --git a/tests/unit/auth.tcl b/tests/unit/auth.tcl
+index 26d125579..24b386228 100644
+--- a/tests/unit/auth.tcl
 b/tests/unit/auth.tcl
+@@ -45,6 +45,24 @@ start_server {tags {"auth external:skip"} overrides 
{requirepass foobar}} {
+ assert_match {*unauthenticated bulk length*} $e
+ $rr close
+ }
++
++test {For unauthenticated clients output buffer is limited} {
++set rr [redis [srv "host"] [srv "port"] 1 $::tls]
++$rr SET x 5
++catch {[$rr read]} e
++assert_match {*NOAUTH Authentication required*} $e
++
++# Fill the output buffer in a loop without reading it and make
++# sure the client disconnected.
++# Considering the socket eat some of the replies, we are testing
++# that such client can't consume more than few MB's.
++catch {
++for {set j 0} {$j < 100} {incr j} {
++$rr SET x 5
++}
++} e
++assert_match {I/O error reading reply} $e
++}
+ }
+ 
+ start_server {tags {"auth_binary_password external:skip"}} {
+-- 
+2.30.2
+
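Review bot: in the networking.c hunk the guard `if (used_mem > 1024 && authRequired(c)) return 1;` sits before `class = getClientType(c);`, so an unauthenticated client with more than 1 KiB of unread replies is reported as over the hard limit regardless of its client class and of any configured client-output-buffer-limit values; the 1024 threshold is a bare literal with no named constant or comment justifying the size, and a one-line note in the patch header (or a named constant) would save the next reader from guessing why that number was chosen. Separately, the patch header carries the upstream commit id 81f549f61799175bca3b126f749a8891832dd187 but no Bug-Debian: field, while #1104010 appears only in debian/changelog; adding `Bug-Debian: https://bugs.debian.org/1104010` to the header would keep the DEP-3 metadata complete.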
diff -Nru redis-7.0.15/debian/patches/series redis-7.0.15/debian/patches/series
--- redis-7.0.15/debian/patches/series  2025-01-19 00:28:16.0 +0200
+++ redis-7.0.15/debian/patches/series  2025-05-09 19:15:07.0 +0300
@@ -6,3 +6,4 @@
 0001-Apply-security-fixes-for-CVEs-1113.patch
 0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch
 0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch
+0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch
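Review bot: the new series entry reuses the 0001- prefix that two earlier patches in this file (0001-Apply-security-fixes-for-CVEs-1113.patch and 0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch) already carry; application order is governed by series, so this is only a style point, but a distinct prefix would keep the directory listing in the same order as the series file.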