Version in base suite: 7.0.15-1~deb12u2 Base version: redis_7.0.15-1~deb12u2 Target version: redis_7.0.15-1~deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/redis/redis_7.0.15-1~deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/redis/redis_7.0.15-1~deb12u3.dsc changelog | 9 + patches/0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch | 31 +++ patches/0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch | 90 ++++++++++ patches/series | 2 4 files changed, 132 insertions(+)
diff -Nru redis-7.0.15/debian/changelog redis-7.0.15/debian/changelog
--- redis-7.0.15/debian/changelog 2024-11-28 21:28:52.000000000 +0000
+++ redis-7.0.15/debian/changelog 2025-01-19 10:41:08.000000000 +0000
@@ -1,3 +1,12 @@
+redis (5:7.0.15-1~deb12u3) bookworm-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-46981: LUA garbage collector code execution
+ * CVE-2024-51741: DoS due to malformed ACL selectors
+ * Closes: #1092370
+
+ -- Adrian Bunk Sun, 19 Jan 2025 12:41:08 +0200
+
 redis (5:7.0.15-1~deb12u2) bookworm; urgency=medium
 
 * Non-maintainer upload.
diff -Nru redis-7.0.15/debian/patches/0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch redis-7.0.15/debian/patches/0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch
--- redis-7.0.15/debian/patches/0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch 1970-01-01 00:00:00.000000000 +0000
+++ redis-7.0.15/debian/patches/0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch 2025-01-18 22:28:16.000000000 +0000
@@ -0,0 +1,31 @@
+From 8d98d2decd9c6098d7015e14ce49628413118974 Mon Sep 17 00:00:00 2001
+From: Madelyn Olson
+Date: Mon, 6 Jan 2025 14:02:22 -0800
+Subject: Fix LUA garbage collector (CVE-2024-46981) (#1513)
+
+Reset GC state before closing the lua VM to prevent user data to be
+wrongly freed while still might be used on destructor callbacks.
+
+Created and publish by Redis in their OSS branch.
+
+Signed-off-by: Madelyn Olson
+Co-authored-by: YaacovHazan
+---
+ src/eval.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/eval.c b/src/eval.c
+index 81908567d..a56233524 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -273,6 +273,7 @@ void scriptingRelease(int async) {
+ else
+ dictRelease(lctx.lua_scripts);
+ lctx.lua_scripts_mem = 0;
++ lua_gc(lctx.lua, LUA_GCCOLLECT, 0);
+ lua_close(lctx.lua);
+ }
+
+--
+2.30.2
+
diff -Nru redis-7.0.15/debian/patches/0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch redis-7.0.15/debian/patches/0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch
--- redis-7.0.15/debian/patches/0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ redis-7.0.15/debian/patches/0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch 2025-01-18 22:28:16.000000000 +0000
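Review bot: The added `lua_gc(lctx.lua, LUA_GCCOLLECT, 0);` in scriptingRelease() (src/eval.c, inside patch 0001) carries no comment, and a full collection immediately before `lua_close()` looks redundant on its face, so a later cleanup could remove the CVE-2024-46981 fix without noticing. A comment above the call would record the reason given in the patch description, for example `/* Run a full GC cycle before lua_close() so userdata is not freed while destructor callbacks may still use it (CVE-2024-46981). */`. The patch touches only src/eval.c and adds no regression test, so that comment and the changelog entry are the only things tying the line to the fix. scriptingRelease() starts outside the hunk.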
@@ -0,0 +1,90 @@
+From 4bb7ae751d8a0b2b277b395a3b9b004197d0cb69 Mon Sep 17 00:00:00 2001
+From: Madelyn Olson
+Date: Mon, 6 Jan 2025 14:02:16 -0800
+Subject: Fix Read/Write key pattern selector (CVE-2024-51741) (#1514)
+
+The explanation on the original commit was wrong. Key based access must
+have a `~` in order to correctly configure whey key prefixes to apply
+the selector to. If this is missing, a server assert will be triggered
+later.
+
+Signed-off-by: Madelyn Olson
+Co-authored-by: YaacovHazan
+---
+ src/acl.c | 11 ++++++++---
+ tests/unit/acl-v2.tcl | 23 ++++++++++++++++++++++-
+ 2 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/src/acl.c b/src/acl.c
+index 6b53d901c..ed6dc97e4 100644
+--- a/src/acl.c
++++ b/src/acl.c
+@@ -1031,19 +1031,24 @@ int ACLSetSelector(aclSelector *selector, const char* op, size_t oplen) {
+ int flags = 0;
+ size_t offset = 1;
+ if (op[0] == '%') {
++ int perm_ok = 1;
+ for (; offset < oplen; offset++) {
+ if (toupper(op[offset]) == 'R' && !(flags & ACL_READ_PERMISSION)) {
+ flags |= ACL_READ_PERMISSION;
+ } else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) {
+ flags |= ACL_WRITE_PERMISSION;
+- } else if (op[offset] == '~' && flags) {
++ } else if (op[offset] == '~') {
+ offset++;
+ break;
+ } else {
+- errno = EINVAL;
+- return C_ERR;
++ perm_ok = 0;
++ break;
+ }
+ }
++ if (!flags || !perm_ok) {
++ errno = EINVAL;
++ return C_ERR;
++ }
+ } else {
+ flags = ACL_ALL_PERMISSION;
+ }
+diff --git a/tests/unit/acl-v2.tcl b/tests/unit/acl-v2.tcl
+index 114fadec3..847980c8a 100644
+--- a/tests/unit/acl-v2.tcl
++++ b/tests/unit/acl-v2.tcl
+@@ -107,11 +107,32 @@ start_server {tags {"acl external:skip"}} {
+ assert_match "*NOPERM*keys*" $err
+ }
+
+- test {Validate read and write permissions format} {
++ test {Validate read and write permissions format - empty permission} {
+ catch {r ACL SETUSER key-permission-RW %~} err
+ set err
+ } {ERR Error in ACL SETUSER modifier '%~': Syntax error}
+
++ test
{Validate read and write permissions format - empty selector} {
++ catch {r ACL SETUSER key-permission-RW %} err
++ set err
++ } {ERR Error in ACL SETUSER modifier '%': Syntax error}
++
++ test {Validate read and write permissions format - empty pattern} {
++ # Empty pattern results with R/W access to no key
++ r ACL SETUSER key-permission-RW on nopass %RW~ +@all
++ $r2 auth key-permission-RW password
++ catch {$r2 SET x 5} err
++ set err
++ } {NOPERM this user has no permissions to access one of the keys used as arguments}
++
++ test {Validate read and write permissions format - no pattern} {
++ # No pattern results with R/W access to no key (currently we accept this syntax error)
++ r ACL SETUSER key-permission-RW on nopass %RW +@all
++ $r2 auth key-permission-RW password
++ catch {$r2 SET x 5} err
++ set err
++ } {NOPERM this user has no permissions to access one of the keys used as arguments}
++
+ test {Test separate read and write permissions on different selectors are not additive} {
+ r ACL SETUSER key-permission-RW-selector on nopass "(%R~read* +@all)" "(%W~write* +@all)"
+ $r2 auth key-permission-RW-selector password
+--
+2.30.2
+
diff -Nru redis-7.0.15/debian/patches/series redis-7.0.15/debian/patches/series
--- redis-7.0.15/debian/patches/series 2024-11-28 21:28:52.000000000 +0000
+++ redis-7.0.15/debian/patches/series 2025-01-18 22:28:16.000000000 +0000
@@ -4,3 +4,5 @@
 0003-Use-get_current_dir_name-over-PATHMAX.patch
 0004-Add-support-for-USE_SYSTEM_JEMALLOC-flag.patch
 0001-Apply-security-fixes-for-CVEs-1113.patch
+0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch
+0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch
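Review bot: In ACLSetSelector() (src/acl.c, patch 0002) a `%RW` selector with no `~` still passes the new `if (!flags || !perm_ok)` check, because the loop simply runs out of input with flags set; the added "no pattern" test confirms it is accepted and grants access to no key. That outcome fails closed, but it does not match the patch description, which says `~` is required, and nothing in acl.c records it, so I would add above the check `/* "%RW" without '~' is accepted and grants access to no key; only an empty permission set or an unexpected character is rejected here. */`. Separately, the two `toupper(op[offset])` calls on the context lines pass a plain `char` taken from the ACL string; `toupper((unsigned char)op[offset])` avoids undefined behaviour for bytes above 0x7f where `char` is signed. The function body continues outside the hunk.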