diff --git a/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch new file mode 100644 index 0000000000..159f8341b2 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch @@ -0,0 +1,34 @@ +From 1b71849d83940971b95b7c576cdfbc9ff60d48b2 Mon Sep 17 00:00:00 2001 +From: YaacovHazan +Date: Tue, 27 May 2025 10:23:27 +0300 +Subject: [PATCH] Check length of AOF file name in redis-check-aof + (CVE-2025-27151) + +Ensure that the length of the input file name does not exceed PATH_MAX + +CVE: CVE-2025-27151 + +Upstream-Status: Backport [https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9] + +Signed-off-by: Gyorgy Sarvari +--- + src/redis-check-aof.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/redis-check-aof.c b/src/redis-check-aof.c +index e28126d..5b3ee2a 100644 +--- a/src/redis-check-aof.c ++++ b/src/redis-check-aof.c +@@ -547,6 +547,12 @@ int redis_check_aof_main(int argc, char **argv) { + goto invalid_args; + } + ++ /* Check if filepath is longer than PATH_MAX */ ++ if (strlen(filepath) > PATH_MAX) { ++ printf("Error: filepath is too long (exceeds PATH_MAX)\n"); ++ goto invalid_args; ++ } ++ + /* In the glibc implementation dirname may modify their argument. */ + memcpy(temp_filepath, filepath, strlen(filepath) + 1); + dirpath = dirname(temp_filepath); diff --git a/meta-oe/recipes-extended/redis/redis/0001-CVE-2025-27151.patch b/meta-oe/recipes-extended/redis/redis/0001-CVE-2025-27151.patch new file mode 100644 index 0000000000..dd2ce977a7 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/0001-CVE-2025-27151.patch @@ -0,0 +1,31 @@ +From 96f00cb60cb6e73c66375264227872053385bea2 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Tue, 7 Oct 2025 21:26:55 +0200 +Subject: [PATCH] CVE-2025-27151 + +Ensure that the length of the input file name does not exceed PATH_MAX + +CVE: CVE-2025-27151 +Upstream-Status: Backport [https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9] + +Signed-off-by: Gyorgy Sarvari +--- + src/redis-check-aof.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/redis-check-aof.c b/src/redis-check-aof.c +index 1507e0a..f7dd5cb 100644 +--- a/src/redis-check-aof.c ++++ b/src/redis-check-aof.c +@@ -164,6 +164,11 @@ int redis_check_aof_main(int argc, char **argv) { + exit(1); + } + ++ if (strlen(filename) > PATH_MAX) { ++ printf("Error: filename is too long (exceeds PATH_MAX)\n"); ++ exit(1); ++ } ++ + FILE *fp = fopen(filename,"r+"); + if (fp == NULL) { + printf("Cannot open file: %s\n", filename); diff --git a/meta-oe/recipes-extended/redis/redis_6.2.18.bb b/meta-oe/recipes-extended/redis/redis_6.2.18.bb index 13344beae4..179701bbf8 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.18.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.18.bb @@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0004-src-Do-not-reset-FINAL_LIBS.patch \ file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ + file://0001-CVE-2025-27151.patch \ " SRC_URI[sha256sum] = "470c75bac73d7390be4dd66479c6f29e86371c5d380ce0c7efb4ba2bbda3612d" diff --git a/meta-oe/recipes-extended/redis/redis_7.2.8.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb index 38d8e5ffe9..fe811dcc7e 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.8.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb @@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0004-src-Do-not-reset-FINAL_LIBS.patch \ file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ + file://0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch \ " SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"