#1012658 redis: cjson not usable in current sid release

#1012658#5
Date:
2022-06-11 11:33:47 UTC
From:
To:
Dear Maintainer,

I am currently using redis with rspamd, which uses Lua scripts in redis that rely on cjson.
For some reason cjson isn't available when using redis on my machine.

E.g. running

  EVAL 'cjson.decode("{}")' 0

in my redis-cli results in

  (error) ERR Error running script (call to f_358b937508335722d5ffc098351582c0fe28e64e): @enable_strict_lua:15: user_script:1: Script attempted to access nonexistent global variable 'cjson'

Dependencies lua-bitop and lua-cjson are installed in versions 1.0.2-5 and 2.1.0+dfsg-2.1 respectively.
Also, liblua5.4-0 is installed in version 5.4.4-2.

Please advise if I could provide any additional information to help resolve this issue.

#1012658#12
Date:
2022-06-13 17:27:44 UTC
From:
To:
notfound 1012658 6.2.5-3
found 1012658 5:7.0.0-1
thanks

Hi Fabian,

Interestingly, I couldn't reproduce this with 6.2.5-3 so I thought I'd
be a little stuck, but I can reproduce this with 7.0.0-1 which is now
in experimental.

(This is the version I plan to upload to unstable soon).


Regards,

#1012658#17
Date:
2022-06-13 19:12:29 UTC
From:
To:
Hi Chris,

thanks for your support.

Just to let you know: I just compiled 6.2.6-1 from source and currently it works for me too.

Regards,

Fabian

#1012658#22
Date:
2022-06-13 20:17:46 UTC
From:
To:
Hi Fabian,

I'm almost certain that this is related to the fix for #1005787 which
is not present in that "old" version. I'm CCing in Reginaldo Silva
(the original discoverer of that issue), and hope he can provide some
easy insight here.

Reginaldo, feel free to see the entire bug history at:

https://bugs.debian.org/1012658


Regards,

#1012658#27
Date:
2022-06-14 08:26:26 UTC
From:
To:
Chris Lamb wrote:
> using the bundled version of Lua over the Debian-provided one. (This
> is needed due to it having additional security features needed to
> address CVE-2022-24735 and CVE-2022-24736.)

This means it is not finding the Debian version of
liblua5.1-cjson.so.0 or liblua5.1-bitop.so.0 under /lib. It works with
the Lua modules that we don't try and use the Debian version of, for
example:

  $ redis-cli EVAL "cmsgpack.pack({})" 0
  (nil)

I suspect there is some kind of require/import path that needs to be
adjusted for the bundled Lua (which is preconfigured to point under
/lib for Debian's shipped Lua). Or, we might have to revert entirely to
using the bundled cjson and bitop modules. :(


Regards,

#1012658#32
Date:
2022-06-14 11:51:42 UTC
From:
To:
Hi Chris,

I just compiled 6.0.16-4 from the current sid release, while reverting
https://salsa.debian.org/lamby/pkg-redis/-/commit/601dc9780d03d6cdbc8a834745259e84e1ce79f3

This resolves the problem, so your theory definitely seems right.

Kind regards,
Fabian

#1012658#37
Date:
2022-06-14 15:09:07 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 14 Jun 2022 15:41:53 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.1-2
Distribution: experimental
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1011187 1012658
Changes:
 redis (5:7.0.1-2) experimental; urgency=medium
 .
   * Drop support (in patches, etc.) for using the systemwide hiredis and Lua,
     reverting to using the built-in cjson (etc.). (Closes: #1012658)
   * Add an internal timeout for the cluster tests to prevent FTBFS.
     (Closes: #1011187)
   * Drop a duplicate comment in debian/rules.
Checksums-Sha1:
 ee2957bb690a79e450977235b819c9731330d602 2266 redis_7.0.1-2.dsc
 c98c9047296d32adb097592cba2813b2e3d3beaf 27004 redis_7.0.1-2.debian.tar.xz
 e07adf4b6025add9fd0963ac4d1a28c209aba6dd 7391 redis_7.0.1-2_amd64.buildinfo
Checksums-Sha256:
 b6845e0e4e7003100afb24552bb8534dc59aa493df0c08d3f23aa7c19155dff4 2266 redis_7.0.1-2.dsc
 f8f72b6faa66476fa237998b537222121ef45e3baa0c8c67e2c4c80ecfaa6fcd 27004 redis_7.0.1-2.debian.tar.xz
 15df11ea4fccd30d3095fe9faf5513b201c1e0df0a72c57d707b828b00061f59 7391 redis_7.0.1-2_amd64.buildinfo
Files:
 94572d0ba307c8571ade5a468f89dbeb 2266 database optional redis_7.0.1-2.dsc
 e8622fda1fc6c0951e27abd1ebbc5666 27004 database optional redis_7.0.1-2.debian.tar.xz
 25d94da29fe4354456c7ce63f56b7314 7391 database optional redis_7.0.1-2_amd64.buildinfo

#1012658#42
Date:
2022-06-15 06:50:35 UTC
From:
To:
No problem. Can you try 7.0.1-2 in experimental? :)  I'm planning on
putting this version in Debian sid/unstable soon anyway.


Regards,

#1012658#47
Date:
2022-06-15 07:54:54 UTC
From:
To:
Hi,

7.0.1-2 unfortunately doesn't work at all for me.
--- redis-server.log
355396:M 15 Jun 2022 09:43:50.504 # Server initialized
=== REDIS BUG REPORT START: Cut & paste starting from here ===
355396:M 15 Jun 2022 09:43:50.504 # Redis 7.0.1 crashed by signal: 11, si_code: 1
355396:M 15 Jun 2022 09:43:50.504 # Accessing address: 0x56c44
355396:M 15 Jun 2022 09:43:50.504 # Crashed running the instruction at: 0x7f62a92c0da6

------ STACK TRACE ------
EIP:
/lib/x86_64-linux-gnu/libc.so.6(+0x99da6)[0x7f62a92c0da6]

Backtrace:
/lib/x86_64-linux-gnu/libpthread.so.0(+0x12200)[0x7f62a9ee8200]
/lib/x86_64-linux-gnu/libc.so.6(+0x99da6)[0x7f62a92c0da6]
/lib/x86_64-linux-gnu/libc.so.6(+0x68618)[0x7f62a928f618]
/lib/x86_64-linux-gnu/libc.so.6(+0x79176)[0x7f62a92a0176]
/usr/bin/redis-server 127.0.0.1:6379(_serverLog+0xd1)[0x55c8ec3162c1]
/usr/bin/redis-server 127.0.0.1:6379(linuxMemoryWarnings+0xff)[0x55c8ec320e7f]
/usr/bin/redis-server 127.0.0.1:6379(main+0x275)[0x55c8ec30d1d5]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xcd)[0x7f62a924a7fd]
/usr/bin/redis-server 127.0.0.1:6379(_start+0x2a)[0x55c8ec30d82a]

Kind regards,
Fabian

#1012658#52
Date:
2022-06-16 14:00:44 UTC
From:
To:
Hey Fabian,

Ah, this is actually due to the new hardening features. I've fixed this here:

https://salsa.debian.org/lamby/pkg-redis/commit/80470e3dc0ae56db9c9512c38a1757844443bcfc

... and have uploaded 5:7.0.1-3 to Debian experimental. Can you
test it?


Regards,

#1012658#57
Date:
2022-06-17 09:36:33 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 17 Jun 2022 10:09:07 +0100
Source: redis
Built-For-Profiles: nocheck
Architecture: source
Version: 5:7.0.1-4
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 977852 981000 982122 983446 988045 989351 1005787 1011187 1012658
Changes:
 redis (5:7.0.1-4) unstable; urgency=medium
 .
   * Upload 7.x branch to unstable.
   * Update gbp.conf.
 .
 redis (5:7.0.1-3) experimental; urgency=medium
 .
   * Fix crash when systemd's ProcSubset=pid. /proc/sys/vm/overcommit_memory was
     inaccessible and a log warning message was incorrectly constructed.
   * Add missing CPPFLAGS when building hdr_histogram.
   * Update Lintian overrides:
     - Ignore maintainer-manual-page warnings.
     - Ignore very-long-line-length-in-source-file warnings.
   * Update my entry in debian/copyright.
   * Update and renumber patches.
 .
 redis (5:7.0.1-2) experimental; urgency=medium
 .
   * Drop support (in patches, etc.) for using the systemwide hiredis and Lua,
     reverting to using the built-in cjson (etc.). (Closes: #1012658)
   * Add an internal timeout for the cluster tests to prevent FTBFS.
     (Closes: #1011187)
   * Drop a duplicate comment in debian/rules.
 .
 redis (5:7.0.1-1) experimental; urgency=medium
 .
   * New upstream release.
   * Refresh patches.
 .
 redis (5:7.0.0-1) experimental; urgency=medium
 .
   * New upstream release.
     - Disable, hopefully temporarily, the use of the systemwide Lua due to
       Redis' fork gaining security/hardening features (eg.
       lua_enablereadonlytable).
     - Refresh patches.
 .
 redis (5:7.0~rc3-1) experimental; urgency=medium
 .
   * New upstream release.
     - Refresh patches.
 .
 redis (5:7.0~rc2-2) experimental; urgency=high
 .
   * CVE-2022-0543: Prevent a Debian-specific Lua sandbox escape vulnerability.
 .
     This vulnerability existed because the Lua library in Debian is provided as
     a dynamic library. A "package" variable was automatically populated that
     in turn permitted access to arbitrary Lua functionality. As this extended
     to, for example, the "execute" function from the "os" module, an attacker
     with the ability to execute arbitrary Lua code could potentially execute
     arbitrary shell commands.
 .
     Thanks to Reginaldo Silva <https://www.ubercomp.com> for discovering and
     reporting this issue. (Closes: #1005787)
 .
 redis (5:7.0~rc2-1) experimental; urgency=medium
 .
   * New upstream RC release.
     - Refresh patches.
 .
 redis (5:7.0~rc1-1) experimental; urgency=medium
 .
   * New upstream 7.x release candidate.
   * Refresh patches.
   * Set some DEP-3 forwarded headers.
 .
 redis (5:6.2.6-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2021-32762: Integer to heap buffer overflow issue in redis-cli and
       redis-sentinel parsing large multi-bulk replies on some older and less
       common platforms.
 .
     - CVE-2021-32687: Integer to heap buffer overflow with intsets, when
       set-max-intset-entries is manually configured to a non-default, very
       large value.
 .
     - CVE-2021-32675: Denial Of Service when processing RESP request payloads
       with a large number of elements on many connections.
 .
     - CVE-2021-32672: Random heap reading issue with Lua Debugger.
 .
     - CVE-2021-32628: Integer to heap buffer overflow handling ziplist-encoded
       data types, when configuring a large, non-default value for
       hash-max-ziplist-entries, hash-max-ziplist-value,
       zset-max-ziplist-entries or zset-max-ziplist-value.
 .
     - CVE-2021-32627: Integer to heap buffer overflow issue with streams, when
       configuring a non-default, large value for proto-max-bulk-len and
       client-query-buffer-limit.
 .
     - CVE-2021-32626: Specially crafted Lua scripts may result with Heap
       buffer overflow.
 .
     - CVE-2021-41099: Integer to heap buffer overflow handling certain string
       commands and network payloads, when proto-max-bulk-len is manually
       configured to a non-default, very large value.
 .
   * Refresh patches.
   * Bump Standards-Version to 4.6.0.
 .
 redis (5:6.2.5-4) experimental; urgency=medium
 .
   * Use /run instead of /var/run for PID and UNIX socket files. Thanks to
     @MichaIng-guest for the patch. (Closes: lamby/pkg-redis!5)
 .
 redis (5:6.2.5-3) experimental; urgency=medium
 .
   * Skip OOM-related tests on incompatible platforms. (Closes: #982122)
 .
 redis (5:6.2.5-2) experimental; urgency=medium
 .
   * Explicitly specify USE_JEMALLOC to override upstream's detection of ARM
     systems. This was affecting reproducibility as the aarch64 kernel flavour
     was using Jemalloc whilst armv7l was not.
   * Increase the verbosity of logging when testing. (Re: #991476)
 .
 redis (5:6.2.5-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-32761: Integer overflow issues with BITFIELD command
       on 32-bit systems.
   * Bump Standards-Version to 4.5.1.
 .
 redis (5:6.2.4-1) experimental; urgency=medium
 .
   * CVE-2021-32625: Fix a vulnerability in the STRALGO LCS command.
     (Closes: #989351)
   * Refresh patches.
 .
 redis (5:6.2.3-1) experimental; urgency=medium
 .
   * New upstream security release:
     - CVE-2021-29477: Vulnerability in the STRALGO LCS command.
     - CVE-2021-29478: Vulnerability in the COPY command for large intsets.
     (Closes: #988045)
   * Refresh patches.
 .
 redis (5:6.2.2-1) experimental; urgency=medium
 .
   * New upstream release.
   * Apply wrap-and-sort -sa.
   * Refresh patches.
 .
 redis (5:6.2.1-1) experimental; urgency=medium
 .
   * New upstream release.
 .
 redis (5:6.2.0-1) experimental; urgency=medium
 .
   * New upstream release, incorporating some security fixes. (Closes: 983446)
   * Refresh patches.
 .
 redis (5:6.2~rc3-1) experimental; urgency=medium
 .
   * New upstream RC release.
     - Refresh patches.
 .
 redis (5:6.2~rc2-2) experimental; urgency=medium
 .
   * Also remove the /etc/redis directory in purge.
   * Allow /etc/redis to be rewritten. Thanks to Yossi Gottlieb for the patch.
     (Closes: #981000)
 .
 redis (5:6.2~rc2-1) experimental; urgency=medium
 .
   * New upstream release.
   * Refresh patches.
 .
 redis (5:6.2~rc1-3) experimental; urgency=medium
 .
   * Specify "--supervised systemd" now that we specify "Type=notify" to prevent
     failure under systemd. Thanks to Michael Prokop for the report.
 .
 redis (5:6.2~rc1-2) experimental; urgency=medium
 .
   [ Michael Prokop ]
   * Enable systemd support by compiling against libsystemd-dev.
     (Closes: #977852)
 .
   [ Chris Lamb ]
   * Use Type=notify to use systemd supervisor when generating our systemd
     service files.
   * Explicitly request systemd support when building the package.
 .
 redis (5:6.2~rc1-1) experimental; urgency=medium
 .
   * New upstream RC release.
     - Update patches.
   * Bump Standards-Version to 4.5.1.
Checksums-Sha1:
 7f7409c42deadaa07d227b2049abaed94a7073de 2266 redis_7.0.1-4.dsc
 c60ad61ab13ab1ed9d2488c416835625deb1c836 27936 redis_7.0.1-4.debian.tar.xz
 7b230149d690c614e46866fd7ac58e980d231cbd 7391 redis_7.0.1-4_amd64.buildinfo
Checksums-Sha256:
 b0376e296ee104a3d5c68ca77c0c800eb271d3a55be80eb2b7dca7e064b0adf3 2266 redis_7.0.1-4.dsc
 99cc0886fd636d462b10d02e84006bcd439528da20493503377a188ce5f23547 27936 redis_7.0.1-4.debian.tar.xz
 9d51799bfcd3d9e9fe7ecba648e4cc91fb65ad08469ff6b7c3fb88138e80344a 7391 redis_7.0.1-4_amd64.buildinfo
Files:
 3641c22a323ea16796841f83fa27046f 2266 database optional redis_7.0.1-4.dsc
 569b43e4b99669b6911c5b4c09bd779b 27936 database optional redis_7.0.1-4.debian.tar.xz
 a592befb1c55f6861764f64bc181a6b5 7391 database optional redis_7.0.1-4_amd64.buildinfo
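
The two failure modes this thread touches, a Lua module that scripts expect being absent from the sandbox (the original report and message #27, where cjson errors out while cmsgpack works) and the CVE-2022-0543 problem described in the 5:7.0~rc2-2 changelog entry above (a "package" global reachable from EVAL), can both be checked the same way: ask the server what type() each global has and see whether strict mode refuses it. The script below is an added example written for this page; it is not part of the Debian redis package or of the bug report. It assumes redis-cli is on PATH and that REDIS_HOST/REDIS_PORT (hypothetical variable names) select the instance to test; the reply strings it classifies are modelled on the error message quoted in the report.

```shell
#!/bin/sh
# Added example, not from the Debian bug thread or the redis package.
# Probe a Redis server's Lua sandbox from redis-cli:
#   1. the library modules scripts rely on (cjson, cmsgpack, bit, struct)
#      must be reachable as globals;
#   2. the CVE-2022-0543 escape surface ("package", plus the loadfile/dofile
#      globals Redis nils out on purpose) must NOT be reachable.
# Assumptions: redis-cli is on PATH; REDIS_HOST/REDIS_PORT (hypothetical
# variable names) select the instance; a password, if any, comes from the
# REDISCLI_AUTH environment variable that redis-cli honours.

REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
REDIS_PORT="${REDIS_PORT:-6379}"

# Run one EVAL with zero keys and return the reply on a single line.
# stderr is merged so that connection failures get classified as well.
eval_lua() {
    redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" EVAL "$1" 0 2>&1 | tr '\n' ' '
}

# Classify the reply to EVAL 'return type(NAME)' 0:
#   present -> NAME resolved to a Lua value (table, function, ...)
#   missing -> strict mode refused the global (the error seen in the report)
#   error   -> some other error (connection refused, NOAUTH, ...)
#   unknown -> anything not anticipated here
classify_global_reply() {
    reply=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^"//; s/"$//')
    case "$reply" in
        *"nonexistent global variable"*) echo missing ;;
        "(error)"*|ERR*|"Could not connect"*) echo error ;;
        table|function|string|number|boolean|userdata|thread) echo present ;;
        *) echo unknown ;;
    esac
}

# Compare the expected posture ($1 = present|missing) with the observation
# ($2, a classify_global_reply verdict). Prints PASS, FAIL or ERROR.
judge() {
    case "$2" in
        error|unknown) echo ERROR ;;
        "$1") echo PASS ;;
        *) echo FAIL ;;
    esac
}

# Globals that must exist for scripts such as rspamd's to run, and globals
# that must stay unreachable for the sandbox to hold.
WANT_PRESENT="cjson cmsgpack bit struct"
WANT_MISSING="package loadfile dofile"

# Probe every global, print one line each; exit status 1 on any FAIL/ERROR.
audit_lua_sandbox() {
    rc=0
    for g in $WANT_PRESENT; do
        seen=$(classify_global_reply "$(eval_lua "return type($g)")")
        verdict=$(judge present "$seen")
        echo "$g: expected present, observed $seen -> $verdict"
        [ "$verdict" = PASS ] || rc=1
    done
    for g in $WANT_MISSING; do
        seen=$(classify_global_reply "$(eval_lua "return type($g)")")
        verdict=$(judge missing "$seen")
        echo "$g: expected missing, observed $seen -> $verdict"
        [ "$verdict" = PASS ] || rc=1
    done
    return $rc
}

# Only talk to a server when invoked as:  sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_lua_sandbox
fi
```

On the 7.0.0-1 build from the report the audit would flag cjson as missing while cmsgpack passes; on a build still carrying the CVE-2022-0543 behaviour, "package" would be reported present, which is the line to treat as an incident rather than a packaging bug. Because strict mode turns every unknown global into an error rather than nil, the classifier keys on the error text instead of on a nil return.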

#1012658#62
Date:
2022-06-17 11:43:27 UTC
From:
To:
Hi Chris,

I just compiled and tested 7.0.1-4 and it works fine for me 😊

Kind regards,
Fabian