Wednesday, October 28, 2020

Re: [update] redis 6.0.9

On Tue, Oct 27 2020, Theo Buehler <tb@theobuehler.org> wrote:
> On Tue, Oct 27, 2020 at 07:18:30PM +0100, Jeremie Courreges-Anglas wrote:
>> On Tue, Oct 27 2020, Theo Buehler <tb@theobuehler.org> wrote:
>> > Raltively simple update to Redis 6.0.9.
>> >
>> > Upgrade urgency is MODERATE due to a local patch for zmalloc. Thanks to
>> > the upstream fix, we can now remove it. We need a new trivial time_t
>> > patch.
>>
>> [...]
>>
>> > Index: patches/patch-src_debug_c
>> > ===================================================================
>> > RCS file: patches/patch-src_debug_c
>> > diff -N patches/patch-src_debug_c
>> > --- /dev/null 1 Jan 1970 00:00:00 -0000
>> > +++ patches/patch-src_debug_c 27 Oct 2020 12:59:32 -0000
>> > @@ -0,0 +1,16 @@
>> > +$OpenBSD$
>> > +
>> > +time_t is long long on OpenBSD
>> > +
>> > +Index: src/debug.c
>> > +--- src/debug.c.orig
>> > ++++ src/debug.c
>> > +@@ -408,7 +408,7 @@ NULL
>> > + } else if (!strcasecmp(c->argv[1]->ptr,"segfault")) {
>> > + *((char*)-1) = 'x';
>> > + } else if (!strcasecmp(c->argv[1]->ptr,"panic")) {
>> > +- serverPanic("DEBUG PANIC called at Unix time %ld", time(NULL));
>> > ++ serverPanic("DEBUG PANIC called at Unix time %lld", time(NULL));
>>
>> The preferred approach would be
>>
>> ++ serverPanic("DEBUG PANIC called at Unix time %lld", (long long)time(NULL));
>>
>> which can usually be pushed upstream. redis seems to use "long long"
>> already so it shouldn't be a problem.
>
> Alright I'll add the cast before commit.
>
> There's another time_t patch in the port already. If you see a nicer
> variant for that (should we just use long long instead of time_t?), feel
> free to fix that.

The existing diff looks fine to me. IIUC it makes for proper logging of
this warning even on the first call of securityWarningCommand() on a 32
bits machine after y2038.

> $OpenBSD: patch-src_networking_c,v 1.4 2020/09/03 04:29:27 tb Exp $
>
> time_t is long long, so use llabs to avoid truncation
>
> Index: src/networking.c
> --- src/networking.c.orig
> +++ src/networking.c
> @@ -2651,7 +2651,7 @@ void securityWarningCommand(client *c) {
> static time_t logged_time;
> time_t now = time(NULL);
>
> - if (labs(now-logged_time) > 60) {
> + if (llabs(now-logged_time) > 60) {
> serverLog(LL_WARNING,"Possible SECURITY ATTACK detected. It looks like somebody is sending POST or Host: commands to Redis. This is likely due to an attacker attempting to use Cross Protocol Scripting to compromise your Redis instance. Connection aborted.");
> logged_time = now;
> }
>

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)