Fix CVE-2022-33099

Resolves: #2132326
2022-10-17 15:25:20 +02:00 · 2022-10-17 15:25:20 +02:00 · 66603e5b6e
parent f06d8a763f
commit 66603e5b6e
2 changed files with 46 additions and 1 deletions
--- a/lua-5.4.2-CVE-2022-33099.patch
+++ b/lua-5.4.2-CVE-2022-33099.patch
@ -0,0 +1,40 @@
+diff -up lua-5.4.2/src/ldebug.c.xyz lua-5.4.2/src/ldebug.c
+--- lua-5.4.2/src/ldebug.c.xyz	2022-10-11 16:02:25.015408150 +0300
+++ lua-5.4.2/src/ldebug.c	2022-10-11 16:03:10.455804559 +0300
+@@ -772,8 +772,11 @@ l_noret luaG_runerror (lua_State *L, con
+   va_start(argp, fmt);
+   msg = luaO_pushvfstring(L, fmt, argp);  /* format message */
+   va_end(argp);
+-  if (isLua(ci))  /* if Lua function, add source:line information */
+  if (isLua(ci)) {  /* if Lua function, add source:line information */
+     luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci));
+    setobjs2s(L, L->top - 2, L->top - 1);  /* remove 'msg' from the stack */
+    L->top--;
+  }
+   luaG_errormsg(L);
+ }
+ 
+diff -up lua-5.4.2/src/lvm.c.xyz lua-5.4.2/src/lvm.c
+--- lua-5.4.2/src/lvm.c.xyz	2022-10-11 16:02:32.614474444 +0300
+++ lua-5.4.2/src/lvm.c	2022-10-11 16:04:32.063516541 +0300
+@@ -654,8 +654,10 @@ void luaV_concat (lua_State *L, int tota
+       /* collect total length and number of strings */
+       for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
+         size_t l = vslen(s2v(top - n - 1));
+-        if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
+        if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+          L->top = top - total;  /* pop strings to avoid wasting stack */
+           luaG_runerror(L, "string length overflow");
+        }
+         tl += l;
+       }
+       if (tl <= LUAI_MAXSHORTLEN) {  /* is result a short string? */
+@@ -670,7 +672,7 @@ void luaV_concat (lua_State *L, int tota
+       setsvalue2s(L, top - n, ts);  /* create result */
+     }
+     total -= n-1;  /* got 'n' strings to create 1 new */
+-    L->top -= n-1;  /* popped 'n' strings and pushed one */
+    L->top = top - (n - 1);  /* popped 'n' strings and pushed one */
+   } while (total > 1);  /* repeat until only 1 result left */
+ }
+ 
--- a/lua.spec
+++ b/lua.spec
@ -14,7 +14,7 @@

 Name:           lua
 Version:        %{major_version}.2
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Powerful light-weight programming language
 License:        MIT
 URL:            http://www.lua.org/
@ -38,6 +38,7 @@ Patch6:		%{name}-5.3.5-luac-shared-link-fix.patch
 %endif
 # https://www.lua.org/bugs.html
 Patch18:	%{name}-5.3.5-CVE-2020-24370.patch
+Patch19:	%{name}-5.4.2-CVE-2022-33099.patch

 BuildRequires:  automake autoconf libtool readline-devel ncurses-devel
 BuildRequires: make
@ -92,6 +93,7 @@ mv src/luaconf.h src/luaconf.h.template.in
 #%% patch2 -p1 -z .luac-shared
 %patch3 -p1 -z .configure-linux
 %patch4 -p1 -z .configure-compat-all
+%patch19 -p1 -b .CVE-2022-33099
 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
 autoreconf -ifv
@ -209,6 +211,9 @@ popd
 %{_libdir}/*.a

 %changelog
+* Mon Oct 17 2022 Michal Domonkos <mdomonko@redhat.com> - 5.4.2-5
+- apply upstream fix for CVE-2022-33099
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 5.4.2-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688