Version in base suite: 7.0.15-1~deb12u3 Base version: redis_7.0.15-1~deb12u3 Target version: redis_7.0.15-1~deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/redis/redis_7.0.15-1~deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/redis/redis_7.0.15-1~deb12u4.dsc changelog | 8 + patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch | 60 ++++++++++ patches/series | 1 3 files changed, 69 insertions(+) diff -Nru redis-7.0.15/debian/changelog redis-7.0.15/debian/changelog --- redis-7.0.15/debian/changelog 2025-01-19 10:41:08.000000000 +0000 +++ redis-7.0.15/debian/changelog 2025-05-09 16:15:20.000000000 +0000 @@ -1,3 +1,11 @@ +redis (5:7.0.15-1~deb12u4) bookworm; urgency=medium + + * Non-maintainer upload. + * CVE-2025-21605: Limit output buffer for unauthenticated clients + (Closes: #1104010) + + -- Adrian Bunk Fri, 09 May 2025 19:15:20 +0300 + redis (5:7.0.15-1~deb12u3) bookworm-security; urgency=medium * Non-maintainer upload. diff -Nru redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch --- redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch 1970-01-01 00:00:00.000000000 +0000 +++ redis-7.0.15/debian/patches/0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch 2025-05-09 16:14:31.000000000 +0000 @@ -0,0 +1,60 @@ +From 81f549f61799175bca3b126f749a8891832dd187 Mon Sep 17 00:00:00 2001 +From: YaacovHazan +Date: Wed, 23 Apr 2025 08:09:40 +0000 +Subject: Limiting output buffer for unauthenticated client (CVE-2025-21605) + +For unauthenticated clients the output buffer is limited to prevent +them from abusing it by not reading the replies +--- + src/networking.c | 5 +++++ + tests/unit/auth.tcl | 18 ++++++++++++++++++ + 2 files changed, 23 insertions(+) + +diff --git a/src/networking.c b/src/networking.c +index 90cc64d70..386773eee 100644 +--- a/src/networking.c ++++ b/src/networking.c +@@ -3757,6 +3757,11 @@ int checkClientOutputBufferLimits(client *c) { + int soft = 0, hard = 0, class; + unsigned long used_mem = getClientOutputBufferMemoryUsage(c); + ++ /* For unauthenticated clients the output buffer is limited to prevent ++ * them from abusing it by not reading the replies */ ++ if (used_mem > 1024 && authRequired(c)) ++ return 1; ++ + class = getClientType(c); + /* For the purpose of output buffer limiting, masters are handled + * like normal clients. */ +diff --git a/tests/unit/auth.tcl b/tests/unit/auth.tcl +index 26d125579..24b386228 100644 +--- a/tests/unit/auth.tcl ++++ b/tests/unit/auth.tcl +@@ -45,6 +45,24 @@ start_server {tags {"auth external:skip"} overrides {requirepass foobar}} { + assert_match {*unauthenticated bulk length*} $e + $rr close + } ++ ++ test {For unauthenticated clients output buffer is limited} { ++ set rr [redis [srv "host"] [srv "port"] 1 $::tls] ++ $rr SET x 5 ++ catch {[$rr read]} e ++ assert_match {*NOAUTH Authentication required*} $e ++ ++ # Fill the output buffer in a loop without reading it and make ++ # sure the client disconnected. ++ # Considering the socket eat some of the replies, we are testing ++ # that such client can't consume more than few MB's. ++ catch { ++ for {set j 0} {$j < 1000000} {incr j} { ++ $rr SET x 5 ++ } ++ } e ++ assert_match {I/O error reading reply} $e ++ } + } + + start_server {tags {"auth_binary_password external:skip"}} { +-- +2.30.2 + diff -Nru redis-7.0.15/debian/patches/series redis-7.0.15/debian/patches/series --- redis-7.0.15/debian/patches/series 2025-01-18 22:28:16.000000000 +0000 +++ redis-7.0.15/debian/patches/series 2025-05-09 16:15:07.000000000 +0000 @@ -6,3 +6,4 @@ 0001-Apply-security-fixes-for-CVEs-1113.patch 0001-Fix-LUA-garbage-collector-CVE-2024-46981-1513.patch 0002-Fix-Read-Write-key-pattern-selector-CVE-2024-51741-1.patch +0001-Limiting-output-buffer-for-unauthenticated-client-CV.patch