Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to patch Redis 4 for CVE-2021-32626? #9650

Closed
markuszoeller opened this issue Oct 19, 2021 · 1 comment
Closed

How to patch Redis 4 for CVE-2021-32626? #9650

markuszoeller opened this issue Oct 19, 2021 · 1 comment

Comments

@markuszoeller
Copy link

CVE-2021-32626 is patched for Redis 5 and 6 and in unstable:

$ git log --all --oneline --grep="CVE-2021-32626" | cat
0f8b634cd Fix invalid memory write on lua stack overflow (CVE-2021-32626) (#9591)
8f241ab3b Fix invalid memory write on lua stack overflow {CVE-2021-32626}
666ed7fac Fix invalid memory write on lua stack overflow {CVE-2021-32626}
a4b813d8b Fix invalid memory write on lua stack overflow {CVE-2021-32626}

If I want to patch Redis 4 for myself, what do I need to take care of? I see that lua_checkstack is used, but I can't determine what value should be used for the second argument and how the body of the conditional should look like. Do you have any guidance on how to fix the CVE in Redis 4?
@oranagra
Copy link
Member

just cherry pick the commit (a4b813d) from the 4.0 branch, i've just tested and it works nicely (clean cherry pick with no conflicts).
unlike redis 6.0 (due to RESP3), not much changed in that area between redis 5.0 and 4.0.

@itamarhaber itamarhaber mentioned this issue Oct 22, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@oranagra @markuszoeller