[Low] Patch valkey for CVE-2025-49112 (#13996)

SumitJenaHCL · web-flow · commit 56d3aa8bfa9d · 2025-06-13T15:29:03.000+05:30
diff --git a/SPECS/valkey/CVE-2025-49112.patch b/SPECS/valkey/CVE-2025-49112.patch
@@ -0,0 +1,26 @@
+From db21a4e55a3afe71923141bcbecbbc74920d5259 Mon Sep 17 00:00:00 2001
+From: SumitJenaHCL <v-sumitjena@microsoft.com>
+Date: Wed, 11 Jun 2025 11:29:35 +0530
+Subject: [PATCH] Patch CVE-2025-49112
+
+Upstream Patch Reference: https://github.com/valkey-io/valkey/commit/374718b2a365ca69f715d542709b7d71540b1387
+---
+ src/networking.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/networking.c b/src/networking.c
+index ab2df89..abb0126 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -842,7 +842,7 @@ void setDeferredReply(client *c, void *node, const char *s, size_t length) {
+      * - It has enough room already allocated
+      * - And not too large (avoid large memmove)
+      * - And the client is not in a pending I/O state */
+-    if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) && prev->size - prev->used > 0 &&
++    if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) && prev->used < prev->size &&
+         c->io_write_state != CLIENT_PENDING_IO) {
+         size_t len_to_copy = prev->size - prev->used;
+         if (len_to_copy > length) len_to_copy = length;
+-- 
+2.48.1
+
diff --git a/SPECS/valkey/valkey.spec b/SPECS/valkey/valkey.spec
@@ -1,7 +1,7 @@
 Summary:        advanced key-value store
 Name:           valkey
 Version:        8.0.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -10,6 +10,7 @@ URL:            https://valkey.io/
 Source0:        https://github.com/valkey-io/valkey/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         valkey-conf.patch
 Patch1:         disable-mem-defrag-tests.patch
+Patch2:         CVE-2025-49112.patch
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  openssl-devel
@@ -84,6 +85,9 @@ exit 0
 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/valkey.conf
 
 %changelog
+* Thu Jun 12 2025 Sumit Jena <v-sumitjena@microsoft.com> - 8.0.3-2
+- Fix CVE-2025-49112
+
 * Mon Apr 28 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 8.0.3-1
 - Auto-upgrade to 8.0.3 - for CVE-2025-21605
 
