diff options
Diffstat (limited to 'databases/keydb/files')
| -rw-r--r-- | databases/keydb/files/patch-CVE-2024-46981 | 10 | ||||
| -rw-r--r-- | databases/keydb/files/patch-CVE-2025-46817 | 86 | ||||
| -rw-r--r-- | databases/keydb/files/patch-CVE-2025-49844 | 23 |
3 files changed, 119 insertions, 0 deletions
diff --git a/databases/keydb/files/patch-CVE-2024-46981 b/databases/keydb/files/patch-CVE-2024-46981 new file mode 100644 index 000000000000..867706e13e1f --- /dev/null +++ b/databases/keydb/files/patch-CVE-2024-46981 @@ -0,0 +1,10 @@ +--- src/scripting.cpp.orig 2025-10-06 22:03:52 UTC ++++ src/scripting.cpp +@@ -1330,6 +1330,7 @@ void scriptingRelease(int async) { + else + dictRelease(g_pserver->lua_scripts); + g_pserver->lua_scripts_mem = 0; ++ lua_gc(g_pserver->lua, LUA_GCCOLLECT, 0); + lua_close(g_pserver->lua); + } + diff --git a/databases/keydb/files/patch-CVE-2025-46817 b/databases/keydb/files/patch-CVE-2025-46817 new file mode 100644 index 000000000000..56ae3ec6378b --- /dev/null +++ b/databases/keydb/files/patch-CVE-2025-46817 @@ -0,0 +1,86 @@ +diff --git a/deps/lua/src/lbaselib.c b/deps/lua/src/lbaselib.c +index 2ab550bd48d..26172d15b40 100644 +--- deps/lua/src/lbaselib.c ++++ deps/lua/src/lbaselib.c +@@ -340,13 +340,14 @@ static int luaB_assert (lua_State *L) { + + + static int luaB_unpack (lua_State *L) { +- int i, e, n; ++ int i, e; ++ unsigned int n; + luaL_checktype(L, 1, LUA_TTABLE); + i = luaL_optint(L, 2, 1); + e = luaL_opt(L, luaL_checkint, 3, luaL_getn(L, 1)); + if (i > e) return 0; /* empty range */ +- n = e - i + 1; /* number of elements */ +- if (n <= 0 || !lua_checkstack(L, n)) /* n <= 0 means arith. overflow */ ++ n = (unsigned int)e - (unsigned int)i; /* number of elements minus 1 */ ++ if (n >= INT_MAX || !lua_checkstack(L, ++n)) + return luaL_error(L, "too many results to unpack"); + lua_rawgeti(L, 1, i); /* push arg[i] (avoiding overflow problems) */ + while (i++ < e) /* push arg[i + 1...e] */ +diff --git a/deps/lua/src/ltable.c b/deps/lua/src/ltable.c +index f75fe19fe39..55575a8ace9 100644 +--- deps/lua/src/ltable.c ++++ deps/lua/src/ltable.c +@@ -434,8 +434,7 @@ static TValue *newkey (lua_State *L, Table *t, const TValue *key) { + ** search function for integers + */ + const TValue *luaH_getnum (Table *t, int key) { +- /* (1 <= key && key <= t->sizearray) */ +- if (cast(unsigned int, key-1) < cast(unsigned int, t->sizearray)) ++ if (1 <= key && key <= t->sizearray) + return &t->array[key-1]; + else { + lua_Number nk = cast_num(key); +diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl +index 333cc2692de..d45c63ceec3 100644 +--- tests/unit/scripting.tcl ++++ tests/unit/scripting.tcl +@@ -315,6 +315,45 @@ start_server {tags {"scripting"}} { + set e + } {*against a key*} + ++ test {EVAL - Test table unpack with invalid indexes} { ++ catch {run_script { return {unpack({1,2,3}, -2, 2147483647)} } 0} e ++ assert_match {*too many results to unpack*} $e ++ catch {run_script { return {unpack({1,2,3}, 0, 2147483647)} } 0} e ++ assert_match {*too many results to unpack*} $e ++ catch {run_script { return {unpack({1,2,3}, -2147483648, -2)} } 0} e ++ assert_match {*too many results to unpack*} $e ++ set res [run_script { return {unpack({1,2,3}, -1, -2)} } 0] ++ assert_match {} $res ++ set res [run_script { return {unpack({1,2,3}, 1, -1)} } 0] ++ assert_match {} $res ++ ++ # unpack with range -1 to 5, verify nil indexes ++ set res [run_script { ++ local function unpack_to_list(t, i, j) ++ local n, v = select('#', unpack(t, i, j)), {unpack(t, i, j)} ++ for i = 1, n do v[i] = v[i] or '_NIL_' end ++ v.n = n ++ return v ++ end ++ ++ return unpack_to_list({1,2,3}, -1, 5) ++ } 0] ++ assert_match {_NIL_ _NIL_ 1 2 3 _NIL_ _NIL_} $res ++ ++ # unpack with negative range, verify nil indexes ++ set res [run_script { ++ local function unpack_to_list(t, i, j) ++ local n, v = select('#', unpack(t, i, j)), {unpack(t, i, j)} ++ for i = 1, n do v[i] = v[i] or '_NIL_' end ++ v.n = n ++ return v ++ end ++ ++ return unpack_to_list({1,2,3}, -2147483648, -2147483646) ++ } 0] ++ assert_match {_NIL_ _NIL_ _NIL_} $res ++ } {} ++ + test {EVAL - JSON numeric decoding} { + # We must return the table as a string because otherwise + # Redis converts floats to ints and we get 0 and 1023 instead diff --git a/databases/keydb/files/patch-CVE-2025-49844 b/databases/keydb/files/patch-CVE-2025-49844 new file mode 100644 index 000000000000..d17aa3285453 --- /dev/null +++ b/databases/keydb/files/patch-CVE-2025-49844 @@ -0,0 +1,23 @@ +diff --git a/deps/lua/src/lparser.c b/deps/lua/src/lparser.c +index dda7488dcad..ee7d90c90d7 100644 +--- deps/lua/src/lparser.c ++++ deps/lua/src/lparser.c +@@ -384,13 +384,17 @@ Proto *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff, const char *name) { + struct LexState lexstate; + struct FuncState funcstate; + lexstate.buff = buff; +- luaX_setinput(L, &lexstate, z, luaS_new(L, name)); ++ TString *tname = luaS_new(L, name); ++ setsvalue2s(L, L->top, tname); ++ incr_top(L); ++ luaX_setinput(L, &lexstate, z, tname); + open_func(&lexstate, &funcstate); + funcstate.f->is_vararg = VARARG_ISVARARG; /* main func. is always vararg */ + luaX_next(&lexstate); /* read first token */ + chunk(&lexstate); + check(&lexstate, TK_EOS); + close_func(&lexstate); ++ --L->top; + lua_assert(funcstate.prev == NULL); + lua_assert(funcstate.f->nups == 0); + lua_assert(lexstate.fs == NULL); |