diff -Nru redis-3.0.6/debian/changelog redis-3.0.6/debian/changelog --- redis-3.0.6/debian/changelog 2015-12-19 11:27:43.000000000 +0000 +++ redis-3.0.6/debian/changelog 2018-12-07 17:12:18.000000000 +0000 @@ -1,3 +1,42 @@ +redis (2:3.0.6-1ubuntu0.3) xenial-security; urgency=medium + + * SECURITY UPDATE: Tighten Permissions + - Ensure /var/lib/redis and /var/log/redis are not world readable + - Set UMask=007 in redis-server.service, redis-sentinel.server + - Changes taken from Debian version 3:3.2.5-2 + - CVE-2016-2121 + + -- Mike Salvatore Fri, 07 Dec 2018 11:02:30 -0500 + +redis (2:3.0.6-1ubuntu0.2) xenial-security; urgency=medium + + * SECURITY UPDATE: Permissions issue + - debian/patches/CVE-2013-7458.patch: fix in + deps/linenoise/linenoise.c. + - CVE-2013-7458 + * SECURITY UPDATE: Cross protocol scripting + - debian/patches/CVE-2016-10517.patch: fix in + src/redis.c, src/redis.h. + - CVE-2016-10517 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2017-15047.patch: fix in + src/cluster.c. + - CVE-2017-15047 + * SECURITY UPDATE: Memory corruption + - debian/patches/CVE-2018-11218.patch: fix in + deps/lua/src/lua_cmsgpack.c. + - CVE-2018-11218 + * SECURITY UPDATE: Integer Overflow + - debian/patches/CVE-2018-11219-*.patch: fix in + deps/lua/src/lua_struct.c. + - CVE-2018-11219 + * SECURITY UPDATE: Buffer overflow in the redis-cli + - debian/patches/CVE-2018-12326.patch: fix in + redis-cli.c. + - CVE-2018-12326 + + -- Leonidas S. Barbosa Tue, 26 Jun 2018 17:12:39 -0300 + redis (2:3.0.6-1) unstable; urgency=medium * New upstream release. diff -Nru redis-3.0.6/debian/control redis-3.0.6/debian/control --- redis-3.0.6/debian/control 2015-12-19 11:27:43.000000000 +0000 +++ redis-3.0.6/debian/control 2018-06-26 20:15:29.000000000 +0000 @@ -1,7 +1,8 @@ Source: redis Section: database Priority: optional -Maintainer: Chris Lamb +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Chris Lamb Build-Depends: debhelper (>= 9), dh-systemd (>= 1.5), diff -Nru redis-3.0.6/debian/patches/CVE-2013-7458.patch redis-3.0.6/debian/patches/CVE-2013-7458.patch --- redis-3.0.6/debian/patches/CVE-2013-7458.patch 1970-01-01 00:00:00.000000000 +0000 +++ redis-3.0.6/debian/patches/CVE-2013-7458.patch 2018-06-26 20:11:45.000000000 +0000 @@ -0,0 +1,27 @@ +diff --git a/deps/linenoise/linenoise.c b/deps/linenoise/linenoise.c +index 36c0c5f..e3a8712 100644 +--- a/deps/linenoise/linenoise.c ++++ b/deps/linenoise/linenoise.c +@@ -112,6 +112,7 @@ + #include + #include + #include ++#include + #include + #include + #include "linenoise.h" +@@ -1071,10 +1072,14 @@ int linenoiseHistorySetMaxLen(int len) { + /* Save the history in the specified file. On success 0 is returned + * otherwise -1 is returned. */ + int linenoiseHistorySave(const char *filename) { ++ mode_t old_umask; ++ old_umask = umask(S_IXUSR|S_IRWXG|S_IRWXO); + FILE *fp = fopen(filename,"w"); ++ umask(old_umask); + int j; + + if (fp == NULL) return -1; ++ chmod(filename,S_IRUSR|S_IWUSR); + for (j = 0; j < history_len; j++) + fprintf(fp,"%s\n",history[j]); + fclose(fp); diff -Nru redis-3.0.6/debian/patches/CVE-2016-10517.patch redis-3.0.6/debian/patches/CVE-2016-10517.patch --- redis-3.0.6/debian/patches/CVE-2016-10517.patch 1970-01-01 00:00:00.000000000 +0000 +++ redis-3.0.6/debian/patches/CVE-2016-10517.patch 2018-06-26 20:12:06.000000000 +0000 @@ -0,0 +1,71 @@ +Backported of: + +From 874804da0c014a7d704b3d285aa500098a931f50 Mon Sep 17 00:00:00 2001 +From: antirez +Date: Wed, 3 Aug 2016 11:12:13 +0200 +Subject: [PATCH] Security: Cross Protocol Scripting protection. + +This is an attempt at mitigating problems due to cross protocol +scripting, an attack targeting services using line oriented protocols +like Redis that can accept HTTP requests as valid protocol, by +discarding the invalid parts and accepting the payloads sent, for +example, via a POST request. + +For this to be effective, when we detect POST and Host: and terminate +the connection asynchronously, the networking code was modified in order +to never process further input. It was later verified that in a +pipelined request containing a POST command, the successive commands are +not executed. +diff --git a/src/redis.c b/src/redis.c +index 8e792c1..083bd53 100644 +--- a/src/redis.c ++++ b/src/redis.c +@@ -271,6 +271,8 @@ struct redisCommand redisCommandTable[] = { + {"eval",evalCommand,-3,"s",0,evalGetKeys,0,0,0,0,0}, + {"evalsha",evalShaCommand,-3,"s",0,evalGetKeys,0,0,0,0,0}, + {"slowlog",slowlogCommand,-2,"r",0,NULL,0,0,0,0,0}, ++ {"post",securityWarningCommand,-1,"lt",0,NULL,0,0,0,0,0}, ++ {"host:",securityWarningCommand,-1,"lt",0,NULL,0,0,0,0,0}, + {"script",scriptCommand,-2,"rs",0,NULL,0,0,0,0,0}, + {"time",timeCommand,1,"rRF",0,NULL,0,0,0,0,0}, + {"bitop",bitopCommand,-4,"wm",0,NULL,2,-1,1,0,0}, +@@ -2482,6 +2484,27 @@ void echoCommand(redisClient *c) { + addReplyBulk(c,c->argv[1]); + } + ++/* This callback is bound to POST and "Host:" command names. Those are not ++ * really commands, but are used in security attacks in order to talk to ++ * Redis instances via HTTP, with a technique called "cross protocol scripting" ++ * which exploits the fact that services like Redis will discard invalid ++ * HTTP headers and will process what follows. ++ * ++ * As a protection against this attack, Redis will terminate the connection ++ * when a POST or "Host:" header is seen, and will log the event from ++ * time to time (to avoid creating a DOS as a result of too many logs). */ ++void securityWarningCommand(redisClient *c) { ++ static time_t logged_time; ++ time_t now = time(NULL); ++ ++ if (labs(now-logged_time) > 60) { ++ redisLog(REDIS_WARNING,"Possible SECURITY ATTACK detected. It looks like somebody is sending POST or Host: commands to Redis. This is likely due to an attacker attempting to use Cross Protocol Scripting to compromise your Redis instance. Connection aborted."); ++ logged_time = now; ++ } ++ c->flags |= REDIS_CLOSE_AFTER_REPLY; ++ addReply(c,createStringObject("",0)); ++} ++ + void timeCommand(redisClient *c) { + struct timeval tv; + +diff --git a/src/redis.h b/src/redis.h +index 6eb3ee8..d439e08 100644 +--- a/src/redis.h ++++ b/src/redis.h +@@ -1401,6 +1401,7 @@ void authCommand(redisClient *c); + void pingCommand(redisClient *c); + void echoCommand(redisClient *c); + void commandCommand(redisClient *c); ++void securityWarningCommand(redisClient *c); + void setCommand(redisClient *c); + void setnxCommand(redisClient *c); + void setexCommand(redisClient *c); diff -Nru redis-3.0.6/debian/patches/CVE-2017-15047.patch redis-3.0.6/debian/patches/CVE-2017-15047.patch --- redis-3.0.6/debian/patches/CVE-2017-15047.patch 1970-01-01 00:00:00.000000000 +0000 +++ redis-3.0.6/debian/patches/CVE-2017-15047.patch 2018-06-27 13:06:51.000000000 +0000 @@ -0,0 +1,42 @@ +From 3af3c7f3a55ddd98b07987d812898a84788409b4 Mon Sep 17 00:00:00 2001 +From: antirez +Date: Tue, 31 Oct 2017 09:41:22 +0100 +Subject: [PATCH] Fix buffer overflows occurring reading redis.conf. + +There was not enough sanity checking in the code loading the slots of +Redis Cluster from the nodes.conf file, this resulted into the +attacker's ability to write data at random addresses in the process +memory, by manipulating the index of the array. The bug seems +exploitable using the following techique: the config file may be altered so +that one of the nodes gets, as node ID (which is the first field inside the +structure) some data that is actually executable: then by writing this +address in selected places, this node ID part can be executed after a +jump. So it is mostly just a matter of effort in order to exploit the +bug. In practice however the issue is not very critical because the +bug requires an unprivileged user to be able to modify the Redis cluster +nodes configuration, and at the same time this should result in some +gain. However Redis normally is unprivileged as well. Yet much better to +have this fixed indeed. + +Fix #4278. +diff --git a/src/cluster.c b/src/cluster.c +index 8f07772..1b8bee7 100644 +--- a/src/cluster.c ++++ b/src/cluster.c +@@ -234,6 +234,7 @@ int clusterLoadConfig(char *filename) { + *p = '\0'; + direction = p[1]; /* Either '>' or '<' */ + slot = atoi(argv[j]+1); ++ if (slot < 0 || slot >= REDIS_CLUSTER_SLOTS) goto fmterr; + p += 3; + cn = clusterLookupNode(p); + if (!cn) { +@@ -253,6 +254,8 @@ int clusterLoadConfig(char *filename) { + } else { + start = stop = atoi(argv[j]); + } ++ if (start < 0 || start >= REDIS_CLUSTER_SLOTS) goto fmterr; ++ if (stop < 0 || stop >= REDIS_CLUSTER_SLOTS) goto fmterr; + while(start <= stop) clusterAddSlot(n, start++); + } + diff -Nru redis-3.0.6/debian/patches/CVE-2018-11218.patch redis-3.0.6/debian/patches/CVE-2018-11218.patch --- redis-3.0.6/debian/patches/CVE-2018-11218.patch 1970-01-01 00:00:00.000000000 +0000 +++ redis-3.0.6/debian/patches/CVE-2018-11218.patch 2018-06-26 20:12:25.000000000 +0000 @@ -0,0 +1,119 @@ +Backport of combined: + +From 5ccb6f7a791bf3490357b00a898885759d98bab0 Mon Sep 17 00:00:00 2001 +From: antirez +Date: Tue, 15 May 2018 12:29:56 +0200 +Subject: [PATCH] Security: more cmsgpack fixes by @soloestoy. + +@soloestoy sent me this additional fixes, after searching for similar +problems to the one reported in mp_pack(). I'm committing the changes +because it was not possible during to make a public PR to protect Redis +users and give Redis providers some time to patch their systems. + + +AND + +From 52a00201fca331217c3b4b8b634f6a0f57d6b7d3 Mon Sep 17 00:00:00 2001 +From: antirez +Date: Mon, 14 May 2018 17:45:40 +0200 +Subject: [PATCH] Security: fix Lua cmsgpack library stack overflow. + +During an auditing effort, the Apple Vulnerability Research team discovered +a critical Redis security issue affecting the Lua scripting part of Redis. + +-- Description of the problem + +Several years ago I merged a pull request including many small changes at +the Lua MsgPack library (that originally I authored myself). The Pull +Request entered Redis in commit 90b6337c1, in 2014. +Unfortunately one of the changes included a variadic Lua function that +lacked the check for the available Lua C stack. As a result, calling the +"pack" MsgPack library function with a large number of arguments, results +into pushing into the Lua C stack a number of new values proportional to +the number of arguments the function was called with. The pushed values, +moreover, are controlled by untrusted user input. + +This in turn causes stack smashing which we believe to be exploitable, +while not very deterministic, but it is likely that an exploit could be +created targeting specific versions of Redis executables. However at its +minimum the issue results in a DoS, crashing the Redis server. + +-- Versions affected + +Versions greater or equal to Redis 2.8.18 are affected. + +-- Reproducing + +Reproduce with this (based on the original reproduction script by +Apple security team): + +https://gist.github.com/antirez/82445fcbea6d9b19f97014cc6cc79f8a + +-- Verification of the fix + +The fix was tested in the following way: + +1) I checked that the problem is no longer observable running the trigger. +2) The Lua code was analyzed to understand the stack semantics, and that +actually enough stack is allocated in all the cases of mp_pack() calls. +3) The mp_pack() function was modified in order to show exactly what items +in the stack were being set, to make sure that there is no silent overflow +even after the fix. + +-- Credits + +Thank you to the Apple team and to the other persons that helped me +checking the patch and coordinating this communication. +diff --git a/deps/lua/src/lua_cmsgpack.c b/deps/lua/src/lua_cmsgpack.c +index 0b82d00..035e819 100644 +--- a/deps/lua/src/lua_cmsgpack.c ++++ b/deps/lua/src/lua_cmsgpack.c +@@ -387,6 +387,7 @@ void mp_encode_lua_table_as_array(lua_State *L, mp_buf *buf, int level) { + #endif + + mp_encode_array(buf,len); ++ luaL_checkstack(L, 1, "in function mp_encode_lua_table_as_array"); + for (j = 1; j <= len; j++) { + lua_pushnumber(L,j); + lua_gettable(L,-2); +@@ -402,6 +403,7 @@ void mp_encode_lua_table_as_map(lua_State *L, mp_buf *buf, int level) { + * Lua API, we need to iterate a first time. Note that an alternative + * would be to do a single run, and then hack the buffer to insert the + * map opcodes for message pack. Too hackish for this lib. */ ++ luaL_checkstack(L, 3, "in function mp_encode_lua_table_as_map"); + lua_pushnil(L); + while(lua_next(L,-2)) { + lua_pop(L,1); /* remove value, keep key for next iteration. */ +@@ -518,10 +520,14 @@ int mp_pack(lua_State *L) { + if (nargs == 0) + return luaL_argerror(L, 0, "MessagePack pack needs input."); + ++ if (!lua_checkstack(L, nargs)) ++ return luaL_argerror(L, 0, "Too many arguments for MessagePack pack."); ++ + buf = mp_buf_new(L); + for(i = 1; i <= nargs; i++) { + /* Copy argument i to top of stack for _encode processing; + * the encode function pops it from the stack when complete. */ ++ luaL_checkstack(L, 1, "in function mp_check"); + lua_pushvalue(L, i); + + mp_encode_lua_type(L,buf,0); +@@ -550,6 +556,7 @@ void mp_decode_to_lua_array(lua_State *L, mp_cur *c, size_t len) { + int index = 1; + + lua_newtable(L); ++ luaL_checkstack(L, 1, "in function mp_decode_to_lua_array"); + while(len--) { + lua_pushnumber(L,index++); + mp_decode_to_lua_type(L,c); +@@ -824,6 +831,9 @@ int mp_unpack_full(lua_State *L, int limit, int offset) { + * subtract the entire buffer size from the unprocessed size + * to get our next start offset */ + int offset = len - c.left; ++ ++ luaL_checkstack(L, 1, "in function mp_unpack_full"); ++ + /* Return offset -1 when we have have processed the entire buffer. */ + lua_pushinteger(L, c.left == 0 ? -1 : offset); + /* Results are returned with the arg elements still diff -Nru redis-3.0.6/debian/patches/CVE-2018-11219.patch redis-3.0.6/debian/patches/CVE-2018-11219.patch --- redis-3.0.6/debian/patches/CVE-2018-11219.patch 1970-01-01 00:00:00.000000000 +0000 +++ redis-3.0.6/debian/patches/CVE-2018-11219.patch 2018-06-26 20:12:30.000000000 +0000 @@ -0,0 +1,188 @@ +Bacported combined of: + + +From e89086e09a38cc6713bcd4b9c29abf92cf393936 Mon Sep 17 00:00:00 2001 +From: antirez +Date: Tue, 15 May 2018 13:13:49 +0200 +Subject: [PATCH] Security: fix Lua struct package offset handling. + +After the first fix to the struct package I found another similar +problem, which is fixed by this patch. It could be reproduced easily by +running the following script: + + return struct.unpack('f', "xxxxxxxxxxxxx",-3) + +The above will access bytes before the 'data' pointer. + +AND + + +From 1eb08bcd4634ae42ec45e8284923ac048beaa4c3 Mon Sep 17 00:00:00 2001 +From: antirez +Date: Mon, 14 May 2018 17:49:06 +0200 +Subject: [PATCH] Security: update Lua struct package for security. + +During an auditing Apple found that the "struct" Lua package +we ship with Redis (http://www.inf.puc-rio.br/~roberto/struct/) contains +a security problem. A bound-checking statement fails because of integer +overflow. The bug exists since we initially integrated this package with +Lua, when scripting was introduced, so every version of Redis with +EVAL/EVALSHA capabilities exposed is affected. + +Instead of just fixing the bug, the library was updated to the latest +version shipped by the author. +diff --git a/deps/lua/src/lua_struct.c b/deps/lua/src/lua_struct.c +index a602bb4..4d5f027 100644 +--- a/deps/lua/src/lua_struct.c ++++ b/deps/lua/src/lua_struct.c +@@ -1,7 +1,7 @@ + /* + ** {====================================================== + ** Library for packing/unpacking structures. +-** $Id: struct.c,v 1.4 2012/07/04 18:54:29 roberto Exp $ ++** $Id: struct.c,v 1.7 2018/05/11 22:04:31 roberto Exp $ + ** See Copyright Notice at the end of this file + ** ======================================================= + */ +@@ -15,8 +15,8 @@ + ** h/H - signed/unsigned short + ** l/L - signed/unsigned long + ** T - size_t +-** i/In - signed/unsigned integer with size `n' (default is size of int) +-** cn - sequence of `n' chars (from/to a string); when packing, n==0 means ++** i/In - signed/unsigned integer with size 'n' (default is size of int) ++** cn - sequence of 'n' chars (from/to a string); when packing, n==0 means + the whole string; when unpacking, n==0 means use the previous + read number as the string length + ** s - zero-terminated string +@@ -89,14 +89,12 @@ typedef struct Header { + } Header; + + +-static int getnum (lua_State *L, const char **fmt, int df) { ++static int getnum (const char **fmt, int df) { + if (!isdigit(**fmt)) /* no number? */ + return df; /* return default value */ + else { + int a = 0; + do { +- if (a > (INT_MAX / 10) || a * 10 > (INT_MAX - (**fmt - '0'))) +- luaL_error(L, "integral size overflow"); + a = a*10 + *((*fmt)++) - '0'; + } while (isdigit(**fmt)); + return a; +@@ -117,9 +115,9 @@ static size_t optsize (lua_State *L, char opt, const char **fmt) { + case 'f': return sizeof(float); + case 'd': return sizeof(double); + case 'x': return 1; +- case 'c': return getnum(L, fmt, 1); ++ case 'c': return getnum(fmt, 1); + case 'i': case 'I': { +- int sz = getnum(L, fmt, sizeof(int)); ++ int sz = getnum(fmt, sizeof(int)); + if (sz > MAXINTSIZE) + luaL_error(L, "integral size %d is larger than limit of %d", + sz, MAXINTSIZE); +@@ -152,7 +150,7 @@ static void controloptions (lua_State *L, int opt, const char **fmt, + case '>': h->endian = BIG; return; + case '<': h->endian = LITTLE; return; + case '!': { +- int a = getnum(L, fmt, MAXALIGN); ++ int a = getnum(fmt, MAXALIGN); + if (!isp2(a)) + luaL_error(L, "alignment %d is not a power of 2", a); + h->align = a; +@@ -295,21 +293,26 @@ static int b_unpack (lua_State *L) { + const char *fmt = luaL_checkstring(L, 1); + size_t ld; + const char *data = luaL_checklstring(L, 2, &ld); +- size_t pos = luaL_optinteger(L, 3, 1) - 1; ++ size_t pos = luaL_optinteger(L, 3, 1); ++ luaL_argcheck(L, pos > 0, 3, "offset must be 1 or greater"); ++ pos--; /* Lua indexes are 1-based, but here we want 0-based for C ++ * pointer math. */ ++ int n = 0; /* number of results */ + defaultoptions(&h); +- lua_settop(L, 2); + while (*fmt) { + int opt = *fmt++; + size_t size = optsize(L, opt, &fmt); + pos += gettoalign(pos, &h, opt, size); +- luaL_argcheck(L, pos+size <= ld, 2, "data string too short"); +- luaL_checkstack(L, 1, "too many results"); ++ luaL_argcheck(L, size <= ld && pos <= ld - size, ++ 2, "data string too short"); ++ /* stack space for item + next position */ ++ luaL_checkstack(L, 2, "too many results"); + switch (opt) { + case 'b': case 'B': case 'h': case 'H': + case 'l': case 'L': case 'T': case 'i': case 'I': { /* integer types */ + int issigned = islower(opt); + lua_Number res = getinteger(data+pos, h.endian, issigned, size); +- lua_pushnumber(L, res); ++ lua_pushnumber(L, res); n++; + break; + } + case 'x': { +@@ -319,25 +322,26 @@ static int b_unpack (lua_State *L) { + float f; + memcpy(&f, data+pos, size); + correctbytes((char *)&f, sizeof(f), h.endian); +- lua_pushnumber(L, f); ++ lua_pushnumber(L, f); n++; + break; + } + case 'd': { + double d; + memcpy(&d, data+pos, size); + correctbytes((char *)&d, sizeof(d), h.endian); +- lua_pushnumber(L, d); ++ lua_pushnumber(L, d); n++; + break; + } + case 'c': { + if (size == 0) { +- if (!lua_isnumber(L, -1)) +- luaL_error(L, "format `c0' needs a previous size"); ++ if (n == 0 || !lua_isnumber(L, -1)) ++ luaL_error(L, "format 'c0' needs a previous size"); + size = lua_tonumber(L, -1); +- lua_pop(L, 1); +- luaL_argcheck(L, pos+size <= ld, 2, "data string too short"); ++ lua_pop(L, 1); n--; ++ luaL_argcheck(L, size <= ld && pos <= ld - size, ++ 2, "data string too short"); + } +- lua_pushlstring(L, data+pos, size); ++ lua_pushlstring(L, data+pos, size); n++; + break; + } + case 's': { +@@ -345,15 +349,15 @@ static int b_unpack (lua_State *L) { + if (e == NULL) + luaL_error(L, "unfinished string in data"); + size = (e - (data+pos)) + 1; +- lua_pushlstring(L, data+pos, size - 1); ++ lua_pushlstring(L, data+pos, size - 1); n++; + break; + } + default: controloptions(L, opt, &fmt, &h); + } + pos += size; + } +- lua_pushinteger(L, pos + 1); +- return lua_gettop(L) - 2; ++ lua_pushinteger(L, pos + 1); /* next position */ ++ return n + 1; + } + + +@@ -399,7 +403,7 @@ LUALIB_API int luaopen_struct (lua_State *L) { + + + /****************************************************************************** +-* Copyright (C) 2010-2012 Lua.org, PUC-Rio. All rights reserved. ++* Copyright (C) 2010-2018 Lua.org, PUC-Rio. All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the diff -Nru redis-3.0.6/debian/patches/CVE-2018-12326.patch redis-3.0.6/debian/patches/CVE-2018-12326.patch --- redis-3.0.6/debian/patches/CVE-2018-12326.patch 1970-01-01 00:00:00.000000000 +0000 +++ redis-3.0.6/debian/patches/CVE-2018-12326.patch 2018-06-27 16:52:34.000000000 +0000 @@ -0,0 +1,50 @@ +From: antirez +Date: Mon, 11 Jun 2018 12:08:42 +0200 +Subject: Security: fix redis-cli buffer overflow. + +Thanks to Fakhri Zulkifli for reporting it. + +The fix switched to dynamic allocation, copying the final prompt in the +static buffer only at the end. + +Origin: upstream, https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50 +diff --git a/src/redis-cli.c b/src/redis-cli.c +index 93a0900..cd26463 100644 +--- a/src/redis-cli.c ++++ b/src/redis-cli.c +@@ -139,20 +139,23 @@ static long long mstime(void) { + } + + static void cliRefreshPrompt(void) { +- int len; +- +- if (config.hostsocket != NULL) +- len = snprintf(config.prompt,sizeof(config.prompt),"redis %s", +- config.hostsocket); +- else +- len = snprintf(config.prompt,sizeof(config.prompt), +- strchr(config.hostip,':') ? "[%s]:%d" : "%s:%d", +- config.hostip, config.hostport); ++ sds prompt = sdsempty(); ++ if (config.hostsocket != NULL) { ++ sdscatfmt(prompt,"redis %s",config.hostsocket); ++ } else { ++ char addr[256]; ++ snprintf(addr, sizeof(addr), strchr(config.hostip,':') ? ++ "[%s]:%d" : "%s:%d", config.hostip, config.hostport); ++ prompt = sdscatlen(prompt,addr,strlen(addr)); ++ } + /* Add [dbnum] if needed */ + if (config.dbnum != 0 && config.last_cmd_type != REDIS_REPLY_ERROR) +- len += snprintf(config.prompt+len,sizeof(config.prompt)-len,"[%d]", +- config.dbnum); +- snprintf(config.prompt+len,sizeof(config.prompt)-len,"> "); ++ prompt = sdscatfmt(prompt,"[%i]",config.dbnum); ++ ++ /* Copy the prompt in the static buffer. */ ++ prompt = sdscatlen(prompt,"> ",2); ++ snprintf(config.prompt,sizeof(config.prompt),"%s",prompt); ++ sdsfree(prompt); + } + + static sds getHistoryPath() { diff -Nru redis-3.0.6/debian/patches/series redis-3.0.6/debian/patches/series --- redis-3.0.6/debian/patches/series 2015-12-19 11:27:43.000000000 +0000 +++ redis-3.0.6/debian/patches/series 2018-06-27 16:52:34.000000000 +0000 @@ -3,3 +3,9 @@ 03-use-system-jemalloc.diff 04-dpkg-buildflags.diff 05-reproducible-build.diff +CVE-2013-7458.patch +CVE-2016-10517.patch +CVE-2017-15047.patch +CVE-2018-11218.patch +CVE-2018-11219.patch +CVE-2018-12326.patch diff -Nru redis-3.0.6/debian/redis-sentinel.service redis-3.0.6/debian/redis-sentinel.service --- redis-3.0.6/debian/redis-sentinel.service 2015-12-19 11:27:43.000000000 +0000 +++ redis-3.0.6/debian/redis-sentinel.service 2018-12-07 15:41:47.000000000 +0000 @@ -18,6 +18,7 @@ ExecStop=/bin/kill -s TERM $MAINPID ExecStopPost=-/bin/run-parts --verbose /etc/redis/redis-sentinel.post-down.d +UMask=007 PrivateTmp=yes PrivateDevices=yes ProtectHome=yes diff -Nru redis-3.0.6/debian/redis-server.postinst redis-3.0.6/debian/redis-server.postinst --- redis-3.0.6/debian/redis-server.postinst 2015-12-19 11:27:43.000000000 +0000 +++ redis-3.0.6/debian/redis-server.postinst 2018-12-07 15:43:04.000000000 +0000 @@ -18,7 +18,11 @@ for DIR in /var/lib/redis /var/log/redis do mkdir -p ${DIR} - chown -R ${USER}:${GROUP} ${DIR} + if ! dpkg-statoverride --list ${DIR} >/dev/null 2>&1 + then + chown -R ${USER}:${GROUP} ${DIR} + chmod 750 ${DIR} + fi done if ! dpkg-statoverride --list ${CONFFILE} >/dev/null 2>&1 diff -Nru redis-3.0.6/debian/redis-server.service redis-3.0.6/debian/redis-server.service --- redis-3.0.6/debian/redis-server.service 2015-12-19 11:27:43.000000000 +0000 +++ redis-3.0.6/debian/redis-server.service 2018-12-07 15:42:05.000000000 +0000 @@ -18,6 +18,7 @@ ExecStop=/bin/kill -s TERM $MAINPID ExecStopPost=-/bin/run-parts --verbose /etc/redis/redis-server.post-down.d +UMask=007 PrivateTmp=yes PrivateDevices=yes ProtectHome=yes