diff --git a/1f3c6f4534c6411313361697d98d1145a1f030fa.patch b/1f3c6f4534c6411313361697d98d1145a1f030fa.patch new file mode 100644 index 0000000..5ed133c --- /dev/null +++ b/1f3c6f4534c6411313361697d98d1145a1f030fa.patch @@ -0,0 +1,43 @@ +From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy +Date: Tue, 15 Feb 2022 12:28:46 -0300 +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is + +--- + lparser.c | 1 + + testes/attrib.lua | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/lparser.c b/lparser.c +index 3abe3d751..a5cd55257 100644 +--- a/src/lparser.c ++++ b/src/lparser.c +@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) { + expdesc key; + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ + lua_assert(var->k != VVOID); /* this one must exist */ ++ luaK_exp2anyregup(fs, var); /* but could be a constant */ + codestring(&key, varname); /* key is variable name */ + luaK_indexed(fs, var, &key); /* env[varname] */ + } +diff --git a/testes/attrib.lua b/testes/attrib.lua +index b1076c768..83821c069 100644 +--- lua-5.4.4/lua-5.4.4-tests/attrib.lua ++++ lua-5.4.4/lua-5.4.4-tests/attrib.lua +@@ -434,6 +434,16 @@ a.aVeryLongName012345678901234567890123456789012345678901234567890123456789 == + 10) + + ++do ++ -- _ENV constant ++ local function foo () ++ local _ENV = 11 ++ X = "hi" ++ end ++ local st, msg = pcall(foo) ++ assert(not st and string.find(msg, "number")) ++end ++ + + -- test of large float/integer indices + diff --git a/25b143dd34fb587d1e35290c4b25bc08954800e2.patch b/25b143dd34fb587d1e35290c4b25bc08954800e2.patch new file mode 100644 index 0000000..5f99f7b --- /dev/null +++ b/25b143dd34fb587d1e35290c4b25bc08954800e2.patch @@ -0,0 +1,94 @@ +From 25b143dd34fb587d1e35290c4b25bc08954800e2 Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy +Date: Mon, 7 Feb 2022 10:16:35 -0300 +Subject: [PATCH] Bug: lua.c assumes that argv has at least one element + +--- + lua.c | 35 +++++++++++++++++++++++------------ + 1 file changed, 23 insertions(+), 12 deletions(-) + +diff --git a/lua.c b/lua.c +index 0f1900444..7f7dc2b22 100644 +--- a/src/lua.c ++++ b/src/lua.c +@@ -177,10 +177,11 @@ static void print_version (void) { + ** to the script (everything after 'script') go to positive indices; + ** other arguments (before the script name) go to negative indices. + ** If there is no script name, assume interpreter's name as base. ++** (If there is no interpreter's name either, 'script' is -1, so ++** table sizes are zero.) + */ + static void createargtable (lua_State *L, char **argv, int argc, int script) { + int i, narg; +- if (script == argc) script = 0; /* no script name? */ + narg = argc - (script + 1); /* number of positive indices */ + lua_createtable(L, narg, script + 1); + for (i = 0; i < argc; i++) { +@@ -268,14 +269,23 @@ static int handle_script (lua_State *L, char **argv) { + + /* + ** Traverses all arguments from 'argv', returning a mask with those +-** needed before running any Lua code (or an error code if it finds +-** any invalid argument). 'first' returns the first not-handled argument +-** (either the script name or a bad argument in case of error). ++** needed before running any Lua code or an error code if it finds any ++** invalid argument. In case of error, 'first' is the index of the bad ++** argument. Otherwise, 'first' is -1 if there is no program name, ++** 0 if there is no script name, or the index of the script name. + */ + static int collectargs (char **argv, int *first) { + int args = 0; + int i; +- for (i = 1; argv[i] != NULL; i++) { ++ if (argv[0] != NULL) { /* is there a program name? */ ++ if (argv[0][0]) /* not empty? */ ++ progname = argv[0]; /* save it */ ++ } ++ else { /* no program name */ ++ *first = -1; ++ return 0; ++ } ++ for (i = 1; argv[i] != NULL; i++) { /* handle arguments */ + *first = i; + if (argv[i][0] != '-') /* not an option? */ + return args; /* stop handling options */ +@@ -316,7 +326,7 @@ static int collectargs (char **argv, int *first) { + return has_error; + } + } +- *first = i; /* no script name */ ++ *first = 0; /* no script name */ + return args; + } + +@@ -609,8 +619,8 @@ static int pmain (lua_State *L) { + char **argv = (char **)lua_touserdata(L, 2); + int script; + int args = collectargs(argv, &script); ++ int optlim = (script > 0) ? script : argc; /* first argv not an option */ + luaL_checkversion(L); /* check that interpreter has correct version */ +- if (argv[0] && argv[0][0]) progname = argv[0]; + if (args == has_error) { /* bad arg? */ + print_usage(argv[script]); /* 'script' has index of bad arg. */ + return 0; +@@ -628,14 +638,15 @@ static int pmain (lua_State *L) { + if (handle_luainit(L) != LUA_OK) /* run LUA_INIT */ + return 0; /* error running LUA_INIT */ + } +- if (!runargs(L, argv, script)) /* execute arguments -e and -l */ ++ if (!runargs(L, argv, optlim)) /* execute arguments -e and -l */ + return 0; /* something failed */ +- if (script < argc && /* execute main script (if there is one) */ +- handle_script(L, argv + script) != LUA_OK) +- return 0; ++ if (script > 0) { /* execute main script (if there is one) */ ++ if (handle_script(L, argv + script) != LUA_OK) ++ return 0; /* interrupt in case of error */ ++ } + if (args & has_i) /* -i option? */ + doREPL(L); /* do read-eval-print loop */ +- else if (script == argc && !(args & (has_e | has_v))) { /* no arguments? */ ++ else if (script < 1 && !(args & (has_e | has_v))) { /* no active option? */ + if (lua_stdin_is_tty()) { /* running in interactive mode? */ + print_version(); + doREPL(L); /* do read-eval-print loop */ diff --git a/lua.spec b/lua.spec index f40c032..3bce4f8 100644 --- a/lua.spec +++ b/lua.spec @@ -14,7 +14,7 @@ Name: lua Version: %{major_version}.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Powerful light-weight programming language License: MIT URL: http://www.lua.org/ @@ -37,6 +37,11 @@ Patch5: %{name}-5.3.0-autotoolize.patch Patch6: %{name}-5.3.5-luac-shared-link-fix.patch %endif # https://www.lua.org/bugs.html +# 5.4.4 Bug 1 +Patch7: https://github.com/lua/lua/commit/25b143dd34fb587d1e35290c4b25bc08954800e2.patch +# 5.4.4 Bug 2 +Patch8: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa.patch + BuildRequires: automake autoconf libtool readline-devel ncurses-devel BuildRequires: make @@ -91,6 +96,8 @@ mv src/luaconf.h src/luaconf.h.template.in #%% patch2 -p1 -z .luac-shared %patch3 -p1 -z .configure-linux %patch4 -p1 -z .configure-compat-all +%patch7 -p1 -b .5.4.4-bug1 +%patch8 -p1 -b .5.4.4-bug2 # Put proper version in configure.ac, patch0 hardcodes 5.3.0 sed -i 's|5.3.0|%{version}|g' configure.ac autoreconf -ifv @@ -207,6 +214,9 @@ popd %{_libdir}/*.a %changelog +* Tue Apr 5 2022 Tom Callaway - 5.4.4-2 +- upstream bug fixes + * Tue Feb 1 2022 Tom Callaway - 5.4.4-1 - update to 5.4.4, update bootstrap code to 5.3.6 - 5.4.4 contains the fix for 5.4.3 bug7, which is also CVE-2021-43519