[Buildroot] [PATCH 1/1] package/hiredis: security bump to version 1.0.2

Thomas Petazzoni thomas.petazzoni at bootlin.com
Mon Oct 18 19:18:53 UTC 2021


On Mon, 18 Oct 2021 18:16:28 +0200
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:

> Fix CVE-2021-32765: Hiredis is a minimalistic C client library for the
> Redis database. In affected versions Hiredis is vulnerable to integer
> overflow if provided maliciously crafted or corrupted `RESP` `multi-bulk`
> protocol data. When parsing `multi-bulk` (array-like) replies, hiredis
> fails to check if `count * sizeof(redisReply*)` can be represented in
> `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make
> this check, it would result in a short allocation and subsequent buffer
> overflow.
> 
> https://github.com/redis/hiredis/blob/v1.0.2/CHANGELOG.md
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
>  package/hiredis/hiredis.hash | 2 +-
>  package/hiredis/hiredis.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
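The arithmetic failure described in the quoted commit message, as an added C example that is not hiredis's own code: `demoReply`, `parse_multibulk_count`, `unchecked_element_bytes` and `alloc_elements_checked` are constructed stand-ins, showing the element-count product wrapping beside the bound check a parser needs before calling `calloc()`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for redisReply; only sizeof(demoReply *) matters. */
typedef struct demoReply { int type; } demoReply;

/* Parse a RESP multi-bulk header such as "*3\r\n" into an element count.
 * Returns 0 on success, -1 on malformed input. Constructed helper; it is
 * not the hiredis reader. */
int parse_multibulk_count(const char *line, long long *count)
{
    char *end;
    if (line[0] != '*') return -1;
    errno = 0;
    long long v = strtoll(line + 1, &end, 10);
    if (errno != 0 || end == line + 1 || strcmp(end, "\r\n") != 0) return -1;
    *count = v;
    return 0;
}

/* The unchecked product: count * sizeof(demoReply *) wraps silently once
 * count exceeds SIZE_MAX / sizeof(demoReply *). Passing this value on to
 * an allocator yields a short buffer, which is the root cause in the
 * commit message. */
size_t unchecked_element_bytes(size_t count)
{
    return count * sizeof(demoReply *);
}

/* Hardened version: reject any count whose element array cannot be sized
 * in size_t before allocating anything. Returns NULL for a negative (nil)
 * count, for an unrepresentable size, or when calloc() fails, so the
 * caller never receives a buffer smaller than count elements. */
demoReply **alloc_elements_checked(long long count)
{
    if (count < 0) return NULL;
    size_t n = (size_t)count;
    if (n > SIZE_MAX / sizeof(demoReply *)) return NULL; /* would wrap */
    return calloc(n, sizeof(demoReply *));
}
```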
