diff --git a/databases/redis/Makefile b/databases/redis/Makefile index 669caab2d43..79be9cc04bc 100644 --- a/databases/redis/Makefile +++ b/databases/redis/Makefile @@ -1,7 +1,8 @@ -# $OpenBSD: Makefile,v 1.42 2012/11/23 08:29:42 dcoppa Exp $ +# $OpenBSD: Makefile,v 1.43 2012/11/26 15:24:13 dcoppa Exp $ COMMENT = persistent key-value database DISTNAME = redis-2.6.5 +REVISION = 0 CATEGORIES = databases HOMEPAGE = http://redis.io/ diff --git a/databases/redis/patches/patch-redis_conf b/databases/redis/patches/patch-redis_conf index c6d3b48a81a..c03be9b5f2e 100644 --- a/databases/redis/patches/patch-redis_conf +++ b/databases/redis/patches/patch-redis_conf @@ -1,4 +1,4 @@ -$OpenBSD: patch-redis_conf,v 1.5 2012/10/23 10:41:23 dcoppa Exp $ +$OpenBSD: patch-redis_conf,v 1.6 2012/11/26 15:24:13 dcoppa Exp $ --- redis.conf.orig Mon Oct 22 23:27:18 2012 +++ redis.conf Tue Oct 23 10:44:49 2012 @@ -13,12 +13,13 @@ @@ -39,7 +39,7 @@ $OpenBSD: patch-redis_conf,v 1.5 2012/10/23 10:41:23 dcoppa Exp $ # To enable logging to the system logger, just set 'syslog-enabled' to yes, # and optionally update the other syslog parameters to suit your needs. -# syslog-enabled no -+syslog-enabled no ++syslog-enabled yes # Specify the syslog identity. -# syslog-ident redis diff --git a/databases/redis/patches/patch-src_scripting_c b/databases/redis/patches/patch-src_scripting_c new file mode 100644 index 00000000000..0d5283be152 --- /dev/null +++ b/databases/redis/patches/patch-src_scripting_c 
@@ -0,0 +1,17 @@
+$OpenBSD: patch-src_scripting_c,v 1.1 2012/11/26 15:24:13 dcoppa Exp $
+
+Remove dofile() from Redis Lua scripting, because it allows an
+attacker to enumerate filesystem contents. See:
+http://blog.liftsecurity.io/post/35714931664/filesystem-enumeration-using-redis-and-lua
+
+--- src/scripting.c.orig Mon Nov 26 16:45:10 2012
++++ src/scripting.c Mon Nov 26 16:46:01 2012
+@@ -480,6 +480,8 @@ void luaLoadLibraries(lua_State *lua) {
+ void luaRemoveUnsupportedFunctions(lua_State *lua) {
+ lua_pushnil(lua);
+ lua_setglobal(lua,"loadfile");
++ lua_pushnil(lua);
++ lua_setglobal(lua,"dofile");
+ }
+
+ /* This function installs metamethods in the global table _G that prevent
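Review bot: The two lines added to luaRemoveUnsupportedFunctions() extend a denylist, so the sandbox holds only if `loadfile` and `dofile` are the only file-touching globals that luaLoadLibraries() exposes. That function's body is outside this hunk, so the set of loaded libraries should be checked against the list of removed names before relying on the fix. The reason for the removal lives only in the ports patch header and would be lost if the change is carried upstream, so I would add a comment above the new lines, for example `/* dofile() lets a script enumerate filesystem contents; remove it like loadfile */`. An allowlist of permitted globals would be a sturdier long-term shape than nil-ing names one by one, but that is a larger change than this patch intends.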