From 567c849b4cb229349de5bae3c80725a2d6dcb164 Mon Sep 17 00:00:00 2001 From: Florian Festi Date: Tue, 26 Apr 2022 12:24:19 +0200 Subject: [PATCH] Apply upstream patch for CVE-2022-28805 Resolves: #2074542 --- lua-5.4-CVE-2022-28805.patch | 22 ++++++++++++++++++++++ lua.spec | 7 ++++++- 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 lua-5.4-CVE-2022-28805.patch diff --git a/lua-5.4-CVE-2022-28805.patch b/lua-5.4-CVE-2022-28805.patch new file mode 100644 index 0000000..c9e36c9 --- /dev/null +++ b/lua-5.4-CVE-2022-28805.patch @@ -0,0 +1,22 @@ +From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy +Date: Tue, 15 Feb 2022 12:28:46 -0300 +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is + +--- + lparser.c | 1 + + testes/attrib.lua | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/lparser.c b/lparser.c +index 3abe3d751..a5cd55257 100644 +--- a/src/lparser.c ++++ b/src/lparser.c +@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) { + expdesc key; + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ + lua_assert(var->k != VVOID); /* this one must exist */ ++ luaK_exp2anyregup(fs, var); /* but could be a constant */ + codestring(&key, varname); /* key is variable name */ + luaK_indexed(fs, var, &key); /* env[varname] */ + } diff --git a/lua.spec b/lua.spec index f7eaff7..33a23e6 100644 --- a/lua.spec +++ b/lua.spec @@ -14,7 +14,7 @@ Name: lua Version: %{major_version}.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Powerful light-weight programming language License: MIT URL: http://www.lua.org/ @@ -39,6 +39,7 @@ Patch6: %{name}-5.3.5-luac-shared-link-fix.patch # https://www.lua.org/bugs.html Patch18: %{name}-5.3.5-CVE-2020-24370.patch Patch19: %{name}-5.4.2-CVE-2022-33099.patch +Patch20: %{name}-5.4-CVE-2022-28805.patch BuildRequires: automake autoconf libtool readline-devel ncurses-devel BuildRequires: make @@ -94,6 +95,7 @@ mv src/luaconf.h src/luaconf.h.template.in %patch3 -p1 -z .configure-linux %patch4 -p1 -z .configure-compat-all %patch19 -p1 -b .CVE-2022-33099 +%patch20 -p1 -b .CVE-2022-28805 # Put proper version in configure.ac, patch0 hardcodes 5.3.0 sed -i 's|5.3.0|%{version}|g' configure.ac autoreconf -ifv @@ -211,6 +213,9 @@ popd %{_libdir}/*.a %changelog +* Fri Feb 03 2023 Florian Festi - 5.4.4-3 +- Apply upstream patch for CVE-2022-28805 + * Fri Feb 03 2023 Florian Festi - 5.4.4-2 - Resolves CVE-2021-43519