From 66603e5b6e7b2c2100b7beb9bd13e335be687904 Mon Sep 17 00:00:00 2001 From: Michal Domonkos Date: Mon, 17 Oct 2022 15:25:20 +0200 Subject: [PATCH] Fix CVE-2022-33099 Resolves: #2132326 --- lua-5.4.2-CVE-2022-33099.patch | 40 ++++++++++++++++++++++++++++++++++ lua.spec | 7 +++++- 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 lua-5.4.2-CVE-2022-33099.patch diff --git a/lua-5.4.2-CVE-2022-33099.patch b/lua-5.4.2-CVE-2022-33099.patch new file mode 100644 index 0000000..af46d51 --- /dev/null +++ b/lua-5.4.2-CVE-2022-33099.patch @@ -0,0 +1,40 @@ +diff -up lua-5.4.2/src/ldebug.c.xyz lua-5.4.2/src/ldebug.c +--- lua-5.4.2/src/ldebug.c.xyz 2022-10-11 16:02:25.015408150 +0300 ++++ lua-5.4.2/src/ldebug.c 2022-10-11 16:03:10.455804559 +0300 +@@ -772,8 +772,11 @@ l_noret luaG_runerror (lua_State *L, con + va_start(argp, fmt); + msg = luaO_pushvfstring(L, fmt, argp); /* format message */ + va_end(argp); +- if (isLua(ci)) /* if Lua function, add source:line information */ ++ if (isLua(ci)) { /* if Lua function, add source:line information */ + luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci)); ++ setobjs2s(L, L->top - 2, L->top - 1); /* remove 'msg' from the stack */ ++ L->top--; ++ } + luaG_errormsg(L); + } + +diff -up lua-5.4.2/src/lvm.c.xyz lua-5.4.2/src/lvm.c +--- lua-5.4.2/src/lvm.c.xyz 2022-10-11 16:02:32.614474444 +0300 ++++ lua-5.4.2/src/lvm.c 2022-10-11 16:04:32.063516541 +0300 +@@ -654,8 +654,10 @@ void luaV_concat (lua_State *L, int tota + /* collect total length and number of strings */ + for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) { + size_t l = vslen(s2v(top - n - 1)); +- if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) ++ if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) { ++ L->top = top - total; /* pop strings to avoid wasting stack */ + luaG_runerror(L, "string length overflow"); ++ } + tl += l; + } + if (tl <= LUAI_MAXSHORTLEN) { /* is result a short string? */ +@@ -670,7 +672,7 @@ void luaV_concat (lua_State *L, int tota + setsvalue2s(L, top - n, ts); /* create result */ + } + total -= n-1; /* got 'n' strings to create 1 new */ +- L->top -= n-1; /* popped 'n' strings and pushed one */ ++ L->top = top - (n - 1); /* popped 'n' strings and pushed one */ + } while (total > 1); /* repeat until only 1 result left */ + } + diff --git a/lua.spec b/lua.spec index b224523..84fa207 100644 --- a/lua.spec +++ b/lua.spec @@ -14,7 +14,7 @@ Name: lua Version: %{major_version}.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Powerful light-weight programming language License: MIT URL: http://www.lua.org/ @@ -38,6 +38,7 @@ Patch6: %{name}-5.3.5-luac-shared-link-fix.patch %endif # https://www.lua.org/bugs.html Patch18: %{name}-5.3.5-CVE-2020-24370.patch +Patch19: %{name}-5.4.2-CVE-2022-33099.patch BuildRequires: automake autoconf libtool readline-devel ncurses-devel BuildRequires: make @@ -92,6 +93,7 @@ mv src/luaconf.h src/luaconf.h.template.in #%% patch2 -p1 -z .luac-shared %patch3 -p1 -z .configure-linux %patch4 -p1 -z .configure-compat-all +%patch19 -p1 -b .CVE-2022-33099 # Put proper version in configure.ac, patch0 hardcodes 5.3.0 sed -i 's|5.3.0|%{version}|g' configure.ac autoreconf -ifv @@ -209,6 +211,9 @@ popd %{_libdir}/*.a %changelog +* Mon Oct 17 2022 Michal Domonkos - 5.4.2-5 +- apply upstream fix for CVE-2022-33099 + * Mon Aug 09 2021 Mohan Boddu - 5.4.2-4 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688