summaryrefslogtreecommitdiff
path: root/dev-db
diff options
context:
space:
mode:
authorPetr Vaněk <arkamar@atlas.cz>2022-10-22 11:43:38 +0200
committerJoonas Niilola <juippis@gentoo.org>2022-11-11 17:10:06 +0200
commit355ad01f1b82d113b950ea3e483a7c2bc54bed6d (patch)
treee1833d8b5d0923f4508f99433f13aba35eedfdc6 /dev-db
parentnet-misc/nextcloud-client: add 3.6.2 (diff)
downloadgentoo-355ad01f1b82d113b950ea3e483a7c2bc54bed6d.tar.gz
gentoo-355ad01f1b82d113b950ea3e483a7c2bc54bed6d.tar.bz2
gentoo-355ad01f1b82d113b950ea3e483a7c2bc54bed6d.zip
dev-db/redis: apply recommended patch for CVE-2022-3647 to 7.0.5
The patch is taken from upstream as is. Upstream-commit: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3 Bug: https://bugs.gentoo.org/877863 Signed-off-by: Petr Vaněk <arkamar@atlas.cz> Signed-off-by: Joonas Niilola <juippis@gentoo.org>
Diffstat (limited to 'dev-db')
-rw-r--r--dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch173
-rw-r--r--dev-db/redis/redis-7.0.5-r1.ebuild191
2 files changed, 364 insertions, 0 deletions
diff --git a/dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch b/dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch
new file mode 100644
index 000000000000..8f5eaff13fed
--- /dev/null
+++ b/dev-db/redis/files/redis-7.0.5-cve-2022-3647.patch
@@ -0,0 +1,173 @@
+This is the patch recommended to apply in order to fix CVE-2022-3647.
+
+Upstream-commit: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3
+Bug: https://bugs.gentoo.org/877863
+
+diff --git a/src/debug.c b/src/debug.c
+index 8cc811be4..b15ac8780 100644
+--- a/src/debug.c
++++ b/src/debug.c
+@@ -1123,73 +1123,88 @@ void bugReportStart(void) {
+ }
+
+ #ifdef HAVE_BACKTRACE
+-static void *getMcontextEip(ucontext_t *uc) {
++
++/* Returns the current eip and set it to the given new value (if its not NULL) */
++static void* getAndSetMcontextEip(ucontext_t *uc, void *eip) {
+ #define NOT_SUPPORTED() do {\
+ UNUSED(uc);\
++ UNUSED(eip);\
+ return NULL;\
+ } while(0)
++#define GET_SET_RETURN(target_var, new_val) do {\
++ void *old_val = (void*)target_var; \
++ if (new_val) { \
++ void **temp = (void**)&target_var; \
++ *temp = new_val; \
++ } \
++ return old_val; \
++} while(0)
+ #if defined(__APPLE__) && !defined(MAC_OS_X_VERSION_10_6)
+ /* OSX < 10.6 */
+ #if defined(__x86_64__)
+- return (void*) uc->uc_mcontext->__ss.__rip;
++ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip);
+ #elif defined(__i386__)
+- return (void*) uc->uc_mcontext->__ss.__eip;
++ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip);
+ #else
+- return (void*) uc->uc_mcontext->__ss.__srr0;
++ GET_SET_RETURN(uc->uc_mcontext->__ss.__srr0, eip);
+ #endif
+ #elif defined(__APPLE__) && defined(MAC_OS_X_VERSION_10_6)
+ /* OSX >= 10.6 */
+ #if defined(_STRUCT_X86_THREAD_STATE64) && !defined(__i386__)
+- return (void*) uc->uc_mcontext->__ss.__rip;
++ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip);
+ #elif defined(__i386__)
+- return (void*) uc->uc_mcontext->__ss.__eip;
++ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip);
+ #else
+ /* OSX ARM64 */
+- return (void*) arm_thread_state64_get_pc(uc->uc_mcontext->__ss);
++ void *old_val = (void*)arm_thread_state64_get_pc(uc->uc_mcontext->__ss);
++ if (eip) {
++ arm_thread_state64_set_pc_fptr(uc->uc_mcontext->__ss, eip);
++ }
++ return old_val;
+ #endif
+ #elif defined(__linux__)
+ /* Linux */
+ #if defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__))
+- return (void*) uc->uc_mcontext.gregs[14]; /* Linux 32 */
++ GET_SET_RETURN(uc->uc_mcontext.gregs[14], eip);
+ #elif defined(__X86_64__) || defined(__x86_64__)
+- return (void*) uc->uc_mcontext.gregs[16]; /* Linux 64 */
++ GET_SET_RETURN(uc->uc_mcontext.gregs[16], eip);
+ #elif defined(__ia64__) /* Linux IA64 */
+- return (void*) uc->uc_mcontext.sc_ip;
++ GET_SET_RETURN(uc->uc_mcontext.sc_ip, eip);
+ #elif defined(__arm__) /* Linux ARM */
+- return (void*) uc->uc_mcontext.arm_pc;
++ GET_SET_RETURN(uc->uc_mcontext.arm_pc, eip);
+ #elif defined(__aarch64__) /* Linux AArch64 */
+- return (void*) uc->uc_mcontext.pc;
++ GET_SET_RETURN(uc->uc_mcontext.pc, eip);
+ #else
+ NOT_SUPPORTED();
+ #endif
+ #elif defined(__FreeBSD__)
+ /* FreeBSD */
+ #if defined(__i386__)
+- return (void*) uc->uc_mcontext.mc_eip;
++ GET_SET_RETURN(uc->uc_mcontext.mc_eip, eip);
+ #elif defined(__x86_64__)
+- return (void*) uc->uc_mcontext.mc_rip;
++ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip);
+ #else
+ NOT_SUPPORTED();
+ #endif
+ #elif defined(__OpenBSD__)
+ /* OpenBSD */
+ #if defined(__i386__)
+- return (void*) uc->sc_eip;
++ GET_SET_RETURN(uc->sc_eip, eip);
+ #elif defined(__x86_64__)
+- return (void*) uc->sc_rip;
++ GET_SET_RETURN(uc->sc_rip, eip);
+ #else
+ NOT_SUPPORTED();
+ #endif
+ #elif defined(__NetBSD__)
+ #if defined(__i386__)
+- return (void*) uc->uc_mcontext.__gregs[_REG_EIP];
++ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_EIP], eip);
+ #elif defined(__x86_64__)
+- return (void*) uc->uc_mcontext.__gregs[_REG_RIP];
++ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_RIP], eip);
+ #else
+ NOT_SUPPORTED();
+ #endif
+ #elif defined(__DragonFly__)
+- return (void*) uc->uc_mcontext.mc_rip;
++ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip);
+ #else
+ NOT_SUPPORTED();
+ #endif
+@@ -1951,6 +1966,10 @@ void dumpCodeAroundEIP(void *eip) {
+ }
+ }
+
++void invalidFunctionWasCalled() {}
++
++typedef void (*invalidFunctionWasCalledType)();
++
+ void sigsegvHandler(int sig, siginfo_t *info, void *secret) {
+ UNUSED(secret);
+ UNUSED(info);
+@@ -1968,13 +1987,30 @@ void sigsegvHandler(int sig, siginfo_t *info, void *secret) {
+
+ #ifdef HAVE_BACKTRACE
+ ucontext_t *uc = (ucontext_t*) secret;
+- void *eip = getMcontextEip(uc);
++ void *eip = getAndSetMcontextEip(uc, NULL);
+ if (eip != NULL) {
+ serverLog(LL_WARNING,
+ "Crashed running the instruction at: %p", eip);
+ }
+
+- logStackTrace(getMcontextEip(uc), 1);
++ if (eip == info->si_addr) {
++ /* When eip matches the bad address, it's an indication that we crashed when calling a non-mapped
++ * function pointer. In that case the call to backtrace will crash trying to access that address and we
++ * won't get a crash report logged. Set it to a valid point to avoid that crash. */
++
++ /* This trick allow to avoid compiler warning */
++ void *ptr;
++ invalidFunctionWasCalledType *ptr_ptr = (invalidFunctionWasCalledType*)&ptr;
++ *ptr_ptr = invalidFunctionWasCalled;
++ getAndSetMcontextEip(uc, ptr);
++ }
++
++ logStackTrace(eip, 1);
++
++ if (eip == info->si_addr) {
++ /* Restore old eip */
++ getAndSetMcontextEip(uc, eip);
++ }
+
+ logRegisters(uc);
+ #endif
+@@ -2079,7 +2115,7 @@ void watchdogSignalHandler(int sig, siginfo_t *info, void *secret) {
+
+ serverLogFromHandler(LL_WARNING,"\n--- WATCHDOG TIMER EXPIRED ---");
+ #ifdef HAVE_BACKTRACE
+- logStackTrace(getMcontextEip(uc), 1);
++ logStackTrace(getAndSetMcontextEip(uc, NULL), 1);
+ #else
+ serverLogFromHandler(LL_WARNING,"Sorry: no support for backtrace().");
+ #endif
+--
+2.37.4
+
diff --git a/dev-db/redis/redis-7.0.5-r1.ebuild b/dev-db/redis/redis-7.0.5-r1.ebuild
new file mode 100644
index 000000000000..83d9c9646600
--- /dev/null
+++ b/dev-db/redis/redis-7.0.5-r1.ebuild
@@ -0,0 +1,191 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# N.B.: It is no clue in porting to Lua eclasses, as upstream have deviated
+# too far from vanilla Lua, adding their own APIs like lua_enablereadonlytable
+
+inherit autotools edo flag-o-matic multiprocessing systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="A persistent caching system, key-value, and data structures database"
+HOMEPAGE="https://redis.io"
+SRC_URI="https://download.redis.io/releases/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x86-solaris"
+IUSE="+jemalloc selinux ssl systemd tcmalloc test"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ jemalloc? ( >=dev-libs/jemalloc-5.1:= )
+ ssl? ( dev-libs/openssl:0= )
+ systemd? ( sys-apps/systemd:= )
+ tcmalloc? ( dev-util/google-perftools )
+"
+
+RDEPEND="
+ ${COMMON_DEPEND}
+ acct-group/redis
+ acct-user/redis
+ selinux? ( sec-policy/selinux-redis )
+"
+
+BDEPEND="
+ ${COMMON_DEPEND}
+ virtual/pkgconfig
+"
+
+# Tcl is only needed in the CHOST test env
+DEPEND="
+ ${COMMON_DEPEND}
+ test? (
+ dev-lang/tcl:0=
+ ssl? ( dev-tcltk/tls )
+ )"
+
+REQUIRED_USE="?? ( jemalloc tcmalloc )"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-6.2.1-config.patch
+ "${FILESDIR}"/${PN}-5.0-shared.patch
+ "${FILESDIR}"/${PN}-6.2.3-ppc-atomic.patch
+ "${FILESDIR}"/${PN}-sentinel-5.0-config.patch
+ "${FILESDIR}"/${PN}-7.0.4-no-which.patch
+ "${FILESDIR}"/${PN}-7.0.4-replica-tests-fix.patch
+
+ # see bug 877863
+ "${FILESDIR}/${PN}-7.0.5-cve-2022-3647.patch"
+)
+
+src_prepare() {
+ default
+
+ # Append cflag for lua_cjson
+ # https://github.com/antirez/redis/commit/4fdcd213#diff-3ba529ae517f6b57803af0502f52a40bL61
+ append-cflags "-DENABLE_CJSON_GLOBAL"
+
+ # now we will rewrite present Makefiles
+ local makefiles="" MKF
+ for MKF in $(find -name 'Makefile' | cut -b 3-); do
+ mv "${MKF}" "${MKF}.in"
+ sed -i -e 's:$(CC):@CC@:g' \
+ -e 's:$(CFLAGS):@AM_CFLAGS@:g' \
+ -e 's: $(DEBUG)::g' \
+ -e 's:$(OBJARCH)::g' \
+ -e 's:ARCH:TARCH:g' \
+ -e '/^CCOPT=/s:$: $(LDFLAGS):g' \
+ "${MKF}.in" \
+ || die "Sed failed for ${MKF}"
+ makefiles+=" ${MKF}"
+ done
+ # autodetection of compiler and settings; generates the modified Makefiles
+ cp "${FILESDIR}"/configure.ac-7.0 configure.ac || die
+
+ sed -i \
+ -e "/^AC_INIT/s|, __PV__, |, $PV, |" \
+ -e "s:AC_CONFIG_FILES(\[Makefile\]):AC_CONFIG_FILES([${makefiles}]):g" \
+ configure.ac || die "Sed failed for configure.ac"
+ eautoreconf
+}
+
+src_configure() {
+ econf
+
+ # Linenoise can't be built with -std=c99, see https://bugs.gentoo.org/451164
+ # also, don't define ANSI/c99 for lua twice
+ sed -i -e "s:-std=c99::g" deps/linenoise/Makefile deps/Makefile || die
+}
+
+src_compile() {
+ local myconf=""
+
+ if use jemalloc; then
+ myconf+="MALLOC=jemalloc"
+ elif use tcmalloc; then
+ myconf+="MALLOC=tcmalloc"
+ else
+ myconf+="MALLOC=libc"
+ fi
+
+ if use ssl; then
+ myconf+=" BUILD_TLS=yes"
+ fi
+
+ export USE_SYSTEMD=$(usex systemd)
+
+ tc-export AR CC RANLIB
+ emake V=1 ${myconf} AR="${AR}" CC="${CC}" RANLIB="${RANLIB}"
+}
+
+src_test() {
+ local runtestargs=(
+ --clients "$(makeopts_jobs)" # see bug #649868
+
+ --skiptest "Active defrag eval scripts" # see bug #851654
+ )
+
+ if has usersandbox ${FEATURES} || ! has userpriv ${FEATURES}; then
+ ewarn "oom-score-adj related tests will be skipped." \
+ "They are known to fail with FEATURES usersandbox or -userpriv. See bug #756382."
+
+ runtestargs+=(
+ # unit/oom-score-adj was introduced in version 6.2.0
+ --skipunit unit/oom-score-adj # see bug #756382
+
+ # Following test was added in version 7.0.0 to unit/introspection.
+ # It also tries to adjust OOM score.
+ --skiptest "CONFIG SET rollback on apply error"
+ )
+ fi
+
+ if use ssl; then
+ edo ./utils/gen-test-certs.sh
+ runtestargs+=( --tls )
+ fi
+
+ edo ./runtest "${runtestargs[@]}"
+}
+
+src_install() {
+ insinto /etc/redis
+ doins redis.conf sentinel.conf
+ use prefix || fowners -R redis:redis /etc/redis /etc/redis/{redis,sentinel}.conf
+ fperms 0750 /etc/redis
+ fperms 0644 /etc/redis/{redis,sentinel}.conf
+
+ newconfd "${FILESDIR}/redis.confd-r2" redis
+ newinitd "${FILESDIR}/redis.initd-6" redis
+
+ systemd_newunit "${FILESDIR}/redis.service-4" redis.service
+ newtmpfiles "${FILESDIR}/redis.tmpfiles-2" redis.conf
+
+ newconfd "${FILESDIR}/redis-sentinel.confd-r1" redis-sentinel
+ newinitd "${FILESDIR}/redis-sentinel.initd-r1" redis-sentinel
+
+ insinto /etc/logrotate.d/
+ newins "${FILESDIR}/${PN}.logrotate" ${PN}
+
+ dodoc 00-RELEASENOTES BUGS CONTRIBUTING.md MANIFESTO README.md
+
+ dobin src/redis-cli
+ dosbin src/redis-benchmark src/redis-server src/redis-check-aof src/redis-check-rdb
+ fperms 0750 /usr/sbin/redis-benchmark
+ dosym redis-server /usr/sbin/redis-sentinel
+
+ if use prefix; then
+ diropts -m0750
+ else
+ diropts -m0750 -o redis -g redis
+ fi
+ keepdir /var/{log,lib}/redis
+}
+
+pkg_postinst() {
+ tmpfiles_process redis.conf
+
+ ewarn "The default redis configuration file location changed to:"
+ ewarn " /etc/redis/{redis,sentinel}.conf"
+ ewarn "Please apply your changes to the new configuration files."
+}