diff --git a/SOURCES/lua-5.4.2-CVE-2022-33099.patch b/SOURCES/lua-5.4.2-CVE-2022-33099.patch new file mode 100644 index 0000000..1a2ba97 --- /dev/null +++ b/SOURCES/lua-5.4.2-CVE-2022-33099.patch @@ -0,0 +1,51 @@ +diff -up lua-5.4.2/src/ldebug.c.orig lua-5.4.2/src/ldebug.c +--- lua-5.4.2/src/ldebug.c.orig 2020-11-13 16:32:00.000000000 +0100 ++++ lua-5.4.2/src/ldebug.c 2022-10-21 14:35:02.200941813 +0200 +@@ -772,8 +772,11 @@ l_noret luaG_runerror (lua_State *L, con + va_start(argp, fmt); + msg = luaO_pushvfstring(L, fmt, argp); /* format message */ + va_end(argp); +- if (isLua(ci)) /* if Lua function, add source:line information */ ++ if (isLua(ci)) { /* if Lua function, add source:line information */ + luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci)); ++ setobjs2s(L, L->top - 2, L->top - 1); /* remove 'msg' from the stack */ ++ L->top--; ++ } + luaG_errormsg(L); + } + +diff -up lua-5.4.2/src/lvm.c.orig lua-5.4.2/src/lvm.c +--- lua-5.4.2/src/lvm.c.orig 2020-11-13 16:32:02.000000000 +0100 ++++ lua-5.4.2/src/lvm.c 2022-10-21 14:35:31.713755890 +0200 +@@ -641,7 +641,7 @@ void luaV_concat (lua_State *L, int tota + int n = 2; /* number of elements handled in this pass (at least 2) */ + if (!(ttisstring(s2v(top - 2)) || cvt2str(s2v(top - 2))) || + !tostring(L, s2v(top - 1))) +- luaT_tryconcatTM(L); ++ luaT_tryconcatTM(L); /* may invalidate 'top' */ + else if (isemptystr(s2v(top - 1))) /* second operand is empty? */ + cast_void(tostring(L, s2v(top - 2))); /* result is first operand */ + else if (isemptystr(s2v(top - 2))) { /* first operand is empty string? */ +@@ -654,8 +654,10 @@ void luaV_concat (lua_State *L, int tota + /* collect total length and number of strings */ + for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) { + size_t l = vslen(s2v(top - n - 1)); +- if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) ++ if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) { ++ L->top = top - total; /* pop strings to avoid wasting stack */ + luaG_runerror(L, "string length overflow"); ++ } + tl += l; + } + if (tl <= LUAI_MAXSHORTLEN) { /* is result a short string? */ +@@ -669,8 +671,8 @@ void luaV_concat (lua_State *L, int tota + } + setsvalue2s(L, top - n, ts); /* create result */ + } +- total -= n-1; /* got 'n' strings to create 1 new */ +- L->top -= n-1; /* popped 'n' strings and pushed one */ ++ total -= n - 1; /* got 'n' strings to create one new */ ++ L->top -= n - 1; /* popped 'n' strings and pushed one */ + } while (total > 1); /* repeat until only 1 result left */ + } + diff --git a/SPECS/lua.spec b/SPECS/lua.spec index b224523..574795d 100644 --- a/SPECS/lua.spec +++ b/SPECS/lua.spec @@ -14,7 +14,7 @@ Name: lua Version: %{major_version}.2 -Release: 4%{?dist} +Release: 4%{?dist}.3 Summary: Powerful light-weight programming language License: MIT URL: http://www.lua.org/ @@ -38,6 +38,7 @@ Patch6: %{name}-5.3.5-luac-shared-link-fix.patch %endif # https://www.lua.org/bugs.html Patch18: %{name}-5.3.5-CVE-2020-24370.patch +Patch19: %{name}-5.4.2-CVE-2022-33099.patch BuildRequires: automake autoconf libtool readline-devel ncurses-devel BuildRequires: make @@ -92,6 +93,7 @@ mv src/luaconf.h src/luaconf.h.template.in #%% patch2 -p1 -z .luac-shared %patch3 -p1 -z .configure-linux %patch4 -p1 -z .configure-compat-all +%patch19 -p1 -b .CVE-2022-33099 # Put proper version in configure.ac, patch0 hardcodes 5.3.0 sed -i 's|5.3.0|%{version}|g' configure.ac autoreconf -ifv @@ -209,6 +211,15 @@ popd %{_libdir}/*.a %changelog +* Fri Oct 21 2022 Michal Domonkos - 5.4.2-4.3 +- Fix up CVE-2022-33099 patch + +* Mon Oct 17 2022 Michal Domonkos - 5.4.2-4.2 +- Enable gating + +* Mon Oct 17 2022 Michal Domonkos - 5.4.2-4.1 +- apply upstream fix for CVE-2022-33099 + * Mon Aug 09 2021 Mohan Boddu - 5.4.2-4 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688