#1107212 redict: CVE-2025-49112

Package: src:redict
Source: src:redict
Submitter: Salvatore Bonaccorso
Date: 2025-08-03 08:35:04 UTC
Severity: normal
Tags:
#1107212#5
Date: 2025-06-03 05:43:57 UTC
Source: valkey
Version: 8.1.1+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2 -3
Control: reassign -2 src:redis 5:8.0.0-2
Control: retitle -2 redis: CVE-2025-49112
Control: reassign -3 src:redict 7.3.2+ds-1
Control: retitle -3 redict: CVE-2025-49112
Control: forwarded -1 https://github.com/valkey-io/valkey/pull/2101


Hi,

The following vulnerability was published for valkey (and same code in
redict, redis seems present, cloning the bug for further evaluation in
the respective sources).

CVE-2025-49112[0]:
| setDeferredReply in networking.c in Valkey through 8.1.1 has an
| integer underflow for prev->size - prev->used.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49112
https://www.cve.org/CVERecord?id=CVE-2025-49112
[1] https://github.com/valkey-io/valkey/pull/2101
[2] https://github.com/valkey-io/valkey/commit/374718b2a365ca69f715d542709b7d71540b1387

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1107212#20
Date: 2025-08-03 08:34:41 UTC

We believe that the bug you reported is fixed in the latest version of
redict, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Maytham Alsudany <maytham@debian.org> (supplier of updated redict package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 03 Aug 2025 14:22:26 +0800
Source: redict
Architecture: source
Version: 7.3.5+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Redict Maintainers <team+redict@tracker.debian.org>
Changed-By: Maytham Alsudany <maytham@debian.org>
Closes: 1104011 1106823 1107212 1108977 1108980
Changes:
 redict (7.3.5+ds-1) unstable; urgency=medium
 .
   * New upstream version 7.3.5
     * Contains fix for CVE-2025-21605 (Closes: #1104011)
     * Contains fix for CVE-2025-48367 (Closes: #1108980)
     * Contains fix for CVE-2025-32023 (Closes: #1108977)
   * Add patch to fix CVE-2025-27151 (Closes: #1106823)
   * Add patch to fix CVE-2025-49112 (Closes: #1107212)