package/hiredis: security bump to version 1.0.2

Fix CVE-2021-32765: Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow. https://github.com/redis/hiredis/blob/v1.0.2/CHANGELOG.md Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 9e092ba253) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-11-23 21:43:30 +08:00 · 2021-10-18 18:16:28 +02:00 · 2021-10-18 18:16:28 +02:00 · bff6880553
commit bff6880553
parent 68a2171ffc
2 changed files with 2 additions and 2 deletions
--- a/package/hiredis/hiredis.hash
+++ b/package/hiredis/hiredis.hash
@ -1,3 +1,3 @@
 # Locally computed:
-sha256  2a0b5fe5119ec973a0c1966bfc4bd7ed39dbce1cb6d749064af9121fe971936f  hiredis-1.0.0.tar.gz
+sha256  e0ab696e2f07deb4252dda45b703d09854e53b9703c7d52182ce5a22616c3819  hiredis-1.0.2.tar.gz
 sha256  dca05ce8fc87a8261783b4aed0deef8becc9350b6aa770bc714d0c1833b896eb  COPYING
--- a/package/hiredis/hiredis.mk
+++ b/package/hiredis/hiredis.mk
@ -5,7 +5,7 @@
 ################################################################################

 HIREDIS_VERSION_MAJOR = 1.0
-HIREDIS_VERSION = $(HIREDIS_VERSION_MAJOR).0
+HIREDIS_VERSION = $(HIREDIS_VERSION_MAJOR).2
 HIREDIS_SITE = $(call github,redis,hiredis,v$(HIREDIS_VERSION))
 HIREDIS_LICENSE = BSD-3-Clause
 HIREDIS_LICENSE_FILES = COPYING