Script 'mail_helper' called by obssrc Hello community,
here is the log from the commit of package redis for openSUSE:Factory checked in at 2022-07-31 23:00:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/redis (Old) and /work/SRC/openSUSE:Factory/.redis.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "redis"
Sun Jul 31 23:00:33 2022 rev:81 rq:990008 version:7.0.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/redis/redis.changes 2022-07-13 13:44:50.925985887 +0200
+++ /work/SRC/openSUSE:Factory/.redis.new.1533/redis.changes 2022-07-31 23:00:45.687659926 +0200
@@ -1,0 +2,8 @@
+Mon Jul 18 14:36:34 UTC 2022 - Michael Str��der michael@stroeder.com
+
+- Security update to version 7.0.4
+ (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream
+ key in a specific state may result with heap overflow, and potentially
+ remote code execution. The problem affects Redis versions 7.0.0 or newer.
+
+-------------------------------------------------------------------
Old: ---- redis-7.0.3.tar.gz
New: ---- redis-7.0.4.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ redis.spec ++++++
--- /var/tmp/diff_new_pack.mHAvCF/_old 2022-07-31 23:00:46.243661542 +0200
+++ /var/tmp/diff_new_pack.mHAvCF/_new 2022-07-31 23:00:46.247661553 +0200
@@ -20,7 +20,7 @@
 %define _log_dir %{_localstatedir}/log/%{name}
 %define _conf_dir %{_sysconfdir}/%{name}
 Name: redis
-Version: 7.0.3
+Version: 7.0.4
 Release: 0
 Summary: Persistent key-value database
 License: BSD-3-Clause
++++++ redis-7.0.3.tar.gz -> redis-7.0.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-7.0.3/00-RELEASENOTES new/redis-7.0.4/00-RELEASENOTES
--- old/redis-7.0.3/00-RELEASENOTES 2022-07-11 16:44:20.000000000 +0200
+++ new/redis-7.0.4/00-RELEASENOTES 2022-07-18 15:04:07.000000000 +0200
@@ -13,6 +13,17 @@
================================================================================
+Redis 7.0.4 Released Monday Jul 18 12:00:00 IST 2022
+================================================================================
+
+Upgrade urgency: SECURITY, contains fixes to security issues.
+
+Security Fixes:
+* (CVE-2022-31144) A specially crafted XAUTOCLAIM command on a stream
+ key in a specific state may result with heap overflow, and potentially
+ remote code execution. The problem affects Redis versions 7.0.0 or newer.
+
+================================================================================
 Redis 7.0.3 Released Monday Jul 11 12:00:00 IST 2022
 ================================================================================
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-7.0.3/src/script_lua.c new/redis-7.0.4/src/script_lua.c
--- old/redis-7.0.3/src/script_lua.c 2022-07-11 16:44:20.000000000 +0200
+++ new/redis-7.0.4/src/script_lua.c 2022-07-18 15:04:07.000000000 +0200
@@ -334,7 +334,7 @@
 /* push a field indicate to ignore updating the stats on this error
 * because it was already updated when executing the command. */
 lua_pushstring(lua,"ignore_error_stats_update");
- lua_pushboolean(lua, true);
+ lua_pushboolean(lua, 1);
 lua_settable(lua,-3);
 }
@@ -891,7 +891,7 @@
 /* push a field indicate to ignore updating the stats on this error
 * because it was already updated when executing the command. */
 lua_pushstring(lua,"ignore_error_stats_update");
- lua_pushboolean(lua, true);
+ lua_pushboolean(lua, 1);
 lua_settable(lua,-3);
 goto cleanup;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-7.0.3/src/t_stream.c new/redis-7.0.4/src/t_stream.c
--- old/redis-7.0.3/src/t_stream.c 2022-07-11 16:44:20.000000000 +0200
+++ new/redis-7.0.4/src/t_stream.c 2022-07-18 15:04:07.000000000 +0200
@@ -3421,6 +3421,7 @@
 /* Remember the ID for later */
 deleted_ids[deleted_id_num++] = id;
 raxSeek(&ri,">=",ri.key,ri.key_len);
+ count--; /* Count is a limit of the command response size. */
 continue;
 }
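Review bot: The comment on the added `count--;` in the t_stream.c hunk describes it only as a response-size limit, while two lines above it the code stores into `deleted_ids[deleted_id_num++]`. If `deleted_ids` is sized from `count` (its allocation is outside this hunk, so this is inferred from the heap-overflow wording of CVE-2022-31144), the decrement is also what keeps that index inside the buffer. I would say so in the comment, e.g. `count--; /* Deleted entries count toward COUNT; this also keeps deleted_id_num within deleted_ids. */`, so the memory-safety role survives a later refactor. An assertion on `deleted_id_num` against the allocated length before the store would make a regression fail loudly instead of corrupting the heap. The enclosing loop and function start and end outside the hunk.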
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-7.0.3/src/version.h new/redis-7.0.4/src/version.h
--- old/redis-7.0.3/src/version.h 2022-07-11 16:44:20.000000000 +0200
+++ new/redis-7.0.4/src/version.h 2022-07-18 15:04:07.000000000 +0200
@@ -1,2 +1,2 @@
-#define REDIS_VERSION "7.0.3"
-#define REDIS_VERSION_NUM 0x00070003
+#define REDIS_VERSION "7.0.4"
+#define REDIS_VERSION_NUM 0x00070004
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redis-7.0.3/tests/unit/type/stream-cgroups.tcl new/redis-7.0.4/tests/unit/type/stream-cgroups.tcl
--- old/redis-7.0.3/tests/unit/type/stream-cgroups.tcl 2022-07-11 16:44:20.000000000 +0200
+++ new/redis-7.0.4/tests/unit/type/stream-cgroups.tcl 2022-07-18 15:04:07.000000000 +0200
@@ -584,9 +584,9 @@
 # from the PEL of consumer 1, this should return nil
 r XDEL mystream $id2
- # id1 and id3 are self-claimed here but not id2 ('count' was set to 2)
+ # id1 and id3 are self-claimed here but not id2 ('count' was set to 3)
 # we make sure id2 is indeed skipped (the cursor points to id4)
- set reply [r XAUTOCLAIM mystream mygroup consumer2 10 - COUNT 2]
+ set reply [r XAUTOCLAIM mystream mygroup consumer2 10 - COUNT 3]
assert_equal [llength $reply] 3
 assert_equal [lindex $reply 0] $id4
@@ -595,6 +595,8 @@
 assert_equal [llength [lindex $reply 1 0 1]] 2
 assert_equal [lindex $reply 1 0 1] {a 1}
 assert_equal [lindex $reply 1 1 1] {c 3}
+ assert_equal [llength [lindex $reply 2]] 1
+ assert_equal [llength [lindex $reply 2 0]] 1
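Review bot: The updated comment in the `@@ -584,9 +584,9 @@` hunk still reads as if COUNT alone explains why id2 is not claimed, and it does not say why the value had to move from 2 to 3. Judging by the t_stream.c change in the same commit, a deleted pending entry now consumes one unit of COUNT, so the comment could state that: `# id1 and id3 are self-claimed here; id2 was deleted, is reported only as deleted, and still counts toward COUNT (hence 3)`. The enclosing test body starts and ends outside the hunk.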
# Delete item 3 from the stream. Now consumer 1 has PEL that is empty.
 # Try to use consumer 2 to claim the deleted item 3 from the PEL
@@ -701,6 +703,21 @@
 assert_equal [r XPENDING x grp - + 10 Alice] {}
 }
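Review bot: The two assertions added in the `@@ -595,6 +595,8 @@` hunk check only the length of the deleted-IDs element of the reply, so a reply holding one wrong ID would still pass. Since `$id2` is in scope (it is used by the `r XDEL mystream $id2` call earlier in the same test), pinning the value is a one-line addition: `assert_equal [lindex $reply 2 0] $id2`. The test body continues outside the hunk.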
+ test {XAUTOCLAIM with XDEL and count} {
+ r DEL x
+ r XADD x 1-0 f v
+ r XADD x 2-0 f v
+ r XADD x 3-0 f v
+ r XGROUP CREATE x grp 0
+ assert_equal [r XREADGROUP GROUP grp Alice STREAMS x >] {{x {{1-0 {f v}} {2-0 {f v}} {3-0 {f v}}}}}
+ r XDEL x 1-0
+ r XDEL x 2-0
+ assert_equal [r XAUTOCLAIM x grp Bob 0 0-0 COUNT 1] {2-0 {} 1-0}
+ assert_equal [r XAUTOCLAIM x grp Bob 0 2-0 COUNT 1] {3-0 {} 2-0}
+ assert_equal [r XAUTOCLAIM x grp Bob 0 3-0 COUNT 1] {0-0 {{3-0 {f v}}} {}}
+ assert_equal [r XPENDING x grp - + 10 Alice] {}
+ }
+
 test {XCLAIM with trimming} {
 r DEL x
 r config set stream-node-max-entries 2
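Review bot: The new `XAUTOCLAIM with XDEL and count` test has no comment saying what it guards. It looks like the regression test for CVE-2022-31144, and a header line such as `# Regression: entries deleted from the stream still count toward COUNT (CVE-2022-31144)` would keep it from being pruned as redundant later. Every call in it uses `COUNT 1`, so the case where a single call with a larger COUNT consumes several deleted entries is not exercised here. Because the original fault was an out-of-bounds write, comparing replies is most reliable as a guard when the suite also runs under a memory checker.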
++++++ redis.hashes ++++++
--- /var/tmp/diff_new_pack.mHAvCF/_old 2022-07-31 23:00:46.719662924 +0200
+++ /var/tmp/diff_new_pack.mHAvCF/_new 2022-07-31 23:00:46.723662937 +0200
@@ -141,4 +141,5 @@
 hash redis-7.0.1.tar.gz sha256 ca1820d527e4759884620be2917079e61e996fa81da5fbe5c07c4a7b507264dc http://download.redis.io/releases/redis-7.0.1.tar.gz
 hash redis-7.0.2.tar.gz sha256 5e57eafe7d4ac5ecb6a7d64d6b61db775616dbf903293b3fcc660716dbda5eeb http://download.redis.io/releases/redis-7.0.2.tar.gz
 hash redis-7.0.3.tar.gz sha256 2cde7d17214ffe305953da9fff12333e8a72caa57fd4923e4872f6362a208e73 http://download.redis.io/releases/redis-7.0.3.tar.gz
+hash redis-7.0.4.tar.gz sha256 f0e65fda74c44a3dd4fa9d512d4d4d833dd0939c934e946a5c622a630d057f2f http://download.redis.io/releases/redis-7.0.4.tar.gz