git: 558426ed19f6 - main - databases/keydb: Merge CVE patches from redis upstream
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 06 Oct 2025 22:33:51 UTC
The branch main has been updated by zi:
URL: https://cgit.FreeBSD.org/ports/commit/?id=558426ed19f687036d313fe5f5f75f7292f1a58e
commit 558426ed19f687036d313fe5f5f75f7292f1a58e
Author: Ryan Steinmetz <zi@FreeBSD.org>
AuthorDate: 2025-10-06 22:33:14 +0000
Commit: Ryan Steinmetz <zi@FreeBSD.org>
CommitDate: 2025-10-06 22:33:14 +0000
databases/keydb: Merge CVE patches from redis upstream
Bump PORTREVISION
---
databases/keydb/Makefile | 2 +-
databases/keydb/files/patch-CVE-2024-46981 | 10 ++++
databases/keydb/files/patch-CVE-2025-46817 | 86 ++++++++++++++++++++++++++++++
databases/keydb/files/patch-CVE-2025-49844 | 23 ++++++++
4 files changed, 120 insertions(+), 1 deletion(-)
diff --git a/databases/keydb/Makefile b/databases/keydb/Makefile
index dc6d600eef55..849a80598480 100644
--- a/databases/keydb/Makefile
+++ b/databases/keydb/Makefile
@@ -1,7 +1,7 @@
PORTNAME= keydb
DISTVERSIONPREFIX= v
DISTVERSION= 6.3.4
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= databases
MAINTAINER= zi@FreeBSD.org
diff --git a/databases/keydb/files/patch-CVE-2024-46981 b/databases/keydb/files/patch-CVE-2024-46981
new file mode 100644
index 000000000000..867706e13e1f
--- /dev/null
+++ b/databases/keydb/files/patch-CVE-2024-46981
@@ -0,0 +1,10 @@
+--- src/scripting.cpp.orig 2025-10-06 22:03:52 UTC
++++ src/scripting.cpp
+@@ -1330,6 +1330,7 @@ void scriptingRelease(int async) {
+ else
+ dictRelease(g_pserver->lua_scripts);
+ g_pserver->lua_scripts_mem = 0;
++ lua_gc(g_pserver->lua, LUA_GCCOLLECT, 0);
+ lua_close(g_pserver->lua);
+ }
+
diff --git a/databases/keydb/files/patch-CVE-2025-46817 b/databases/keydb/files/patch-CVE-2025-46817
new file mode 100644
index 000000000000..56ae3ec6378b
--- /dev/null
+++ b/databases/keydb/files/patch-CVE-2025-46817
@@ -0,0 +1,86 @@
+diff --git a/deps/lua/src/lbaselib.c b/deps/lua/src/lbaselib.c
+index 2ab550bd48d..26172d15b40 100644
+--- deps/lua/src/lbaselib.c
++++ deps/lua/src/lbaselib.c
+@@ -340,13 +340,14 @@ static int luaB_assert (lua_State *L) {
+
+
+ static int luaB_unpack (lua_State *L) {
+- int i, e, n;
++ int i, e;
++ unsigned int n;
+ luaL_checktype(L, 1, LUA_TTABLE);
+ i = luaL_optint(L, 2, 1);
+ e = luaL_opt(L, luaL_checkint, 3, luaL_getn(L, 1));
+ if (i > e) return 0; /* empty range */
+- n = e - i + 1; /* number of elements */
+- if (n <= 0 || !lua_checkstack(L, n)) /* n <= 0 means arith. overflow */
++ n = (unsigned int)e - (unsigned int)i; /* number of elements minus 1 */
++ if (n >= INT_MAX || !lua_checkstack(L, ++n))
+ return luaL_error(L, "too many results to unpack");
+ lua_rawgeti(L, 1, i); /* push arg[i] (avoiding overflow problems) */
+ while (i++ < e) /* push arg[i + 1...e] */
+diff --git a/deps/lua/src/ltable.c b/deps/lua/src/ltable.c
+index f75fe19fe39..55575a8ace9 100644
+--- deps/lua/src/ltable.c
++++ deps/lua/src/ltable.c
+@@ -434,8 +434,7 @@ static TValue *newkey (lua_State *L, Table *t, const TValue *key) {
+ ** search function for integers
+ */
+ const TValue *luaH_getnum (Table *t, int key) {
+- /* (1 <= key && key <= t->sizearray) */
+- if (cast(unsigned int, key-1) < cast(unsigned int, t->sizearray))
++ if (1 <= key && key <= t->sizearray)
+ return &t->array[key-1];
+ else {
+ lua_Number nk = cast_num(key);
+diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
+index 333cc2692de..d45c63ceec3 100644
+--- tests/unit/scripting.tcl
++++ tests/unit/scripting.tcl
+@@ -315,6 +315,45 @@ start_server {tags {"scripting"}} {
+ set e
+ } {*against a key*}
+
++ test {EVAL - Test table unpack with invalid indexes} {
++ catch {run_script { return {unpack({1,2,3}, -2, 2147483647)} } 0} e
++ assert_match {*too many results to unpack*} $e
++ catch {run_script { return {unpack({1,2,3}, 0, 2147483647)} } 0} e
++ assert_match {*too many results to unpack*} $e
++ catch {run_script { return {unpack({1,2,3}, -2147483648, -2)} } 0} e
++ assert_match {*too many results to unpack*} $e
++ set res [run_script { return {unpack({1,2,3}, -1, -2)} } 0]
++ assert_match {} $res
++ set res [run_script { return {unpack({1,2,3}, 1, -1)} } 0]
++ assert_match {} $res
++
++ # unpack with range -1 to 5, verify nil indexes
++ set res [run_script {
++ local function unpack_to_list(t, i, j)
++ local n, v = select('#', unpack(t, i, j)), {unpack(t, i, j)}
++ for i = 1, n do v[i] = v[i] or '_NIL_' end
++ v.n = n
++ return v
++ end
++
++ return unpack_to_list({1,2,3}, -1, 5)
++ } 0]
++ assert_match {_NIL_ _NIL_ 1 2 3 _NIL_ _NIL_} $res
++
++ # unpack with negative range, verify nil indexes
++ set res [run_script {
++ local function unpack_to_list(t, i, j)
++ local n, v = select('#', unpack(t, i, j)), {unpack(t, i, j)}
++ for i = 1, n do v[i] = v[i] or '_NIL_' end
++ v.n = n
++ return v
++ end
++
++ return unpack_to_list({1,2,3}, -2147483648, -2147483646)
++ } 0]
++ assert_match {_NIL_ _NIL_ _NIL_} $res
++ } {}
++
+ test {EVAL - JSON numeric decoding} {
+ # We must return the table as a string because otherwise
+ # Redis converts floats to ints and we get 0 and 1023 instead
diff --git a/databases/keydb/files/patch-CVE-2025-49844 b/databases/keydb/files/patch-CVE-2025-49844
new file mode 100644
index 000000000000..d17aa3285453
--- /dev/null
+++ b/databases/keydb/files/patch-CVE-2025-49844
@@ -0,0 +1,23 @@
+diff --git a/deps/lua/src/lparser.c b/deps/lua/src/lparser.c
+index dda7488dcad..ee7d90c90d7 100644
+--- deps/lua/src/lparser.c
++++ deps/lua/src/lparser.c
+@@ -384,13 +384,17 @@ Proto *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff, const char *name) {
+ struct LexState lexstate;
+ struct FuncState funcstate;
+ lexstate.buff = buff;
+- luaX_setinput(L, &lexstate, z, luaS_new(L, name));
++ TString *tname = luaS_new(L, name);
++ setsvalue2s(L, L->top, tname);
++ incr_top(L);
++ luaX_setinput(L, &lexstate, z, tname);
+ open_func(&lexstate, &funcstate);
+ funcstate.f->is_vararg = VARARG_ISVARARG; /* main func. is always vararg */
+ luaX_next(&lexstate); /* read first token */
+ chunk(&lexstate);
+ check(&lexstate, TK_EOS);
+ close_func(&lexstate);
++ --L->top;
+ lua_assert(funcstate.prev == NULL);
+ lua_assert(funcstate.f->nups == 0);
+ lua_assert(lexstate.fs == NULL);