[Buildroot] [PATCH 1/1] package/hiredis: security bump to version 1.0.2

Fabrice Fontaine fontaine.fabrice at gmail.com
Mon Oct 18 16:16:28 UTC 2021


Fix CVE-2021-32765: Hiredis is a minimalistic C client library for the
Redis database. In affected versions Hiredis is vulnurable to integer
overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk`
protocol data. When parsing `multi-bulk` (array-like) replies, hiredis
fails to check if `count * sizeof(redisReply*)` can be represented in
`SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make
this check, it would result in a short allocation and subsequent buffer
overflow.

https://github.com/redis/hiredis/blob/v1.0.2/CHANGELOG.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
---
 package/hiredis/hiredis.hash | 2 +-
 package/hiredis/hiredis.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/hiredis/hiredis.hash b/package/hiredis/hiredis.hash
index fc01d1f60d..a45cf68f99 100644
--- a/package/hiredis/hiredis.hash
+++ b/package/hiredis/hiredis.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  2a0b5fe5119ec973a0c1966bfc4bd7ed39dbce1cb6d749064af9121fe971936f  hiredis-1.0.0.tar.gz
+sha256  e0ab696e2f07deb4252dda45b703d09854e53b9703c7d52182ce5a22616c3819  hiredis-1.0.2.tar.gz
 sha256  dca05ce8fc87a8261783b4aed0deef8becc9350b6aa770bc714d0c1833b896eb  COPYING
diff --git a/package/hiredis/hiredis.mk b/package/hiredis/hiredis.mk
index a166bcc23d..83f0268c2b 100644
--- a/package/hiredis/hiredis.mk
+++ b/package/hiredis/hiredis.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 HIREDIS_VERSION_MAJOR = 1.0
-HIREDIS_VERSION = $(HIREDIS_VERSION_MAJOR).0
+HIREDIS_VERSION = $(HIREDIS_VERSION_MAJOR).2
 HIREDIS_SITE = $(call github,redis,hiredis,v$(HIREDIS_VERSION))
 HIREDIS_LICENSE = BSD-3-Clause
 HIREDIS_LICENSE_FILES = COPYING
-- 
2.33.0



More information about the buildroot mailing list