From b7b7312e06c65a3a1b21046c58189d2135367510 Mon Sep 17 00:00:00 2001
From: Tom Callaway
Date: Mon, 28 Jan 2019 09:29:21 -0500
Subject: [PATCH] apply fix for CVE-2019-6706 (bz1670020)
---
 ...-6706-use-after-free-lua_upvaluejoin.patch | 22 +++++++++++++++++++
 lua.spec | 7 +++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
diff --git a/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch b/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
new file mode 100644
index 0000000..a7aaf9c
--- /dev/null
+++ b/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
@@ -0,0 +1,22 @@
+--- a/src/lapi.c
++++ b/src/lapi.c
+@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
+
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+ int fidx2, int n2) {
+- LClosure *f1;
+- UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
++ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
+ UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++ if (*up1 == *up2) return; /* Already joined */
++ (*up2)->refcount++;
++ if (upisopen(*up2)) (*up2)->u.open.touched = 1;
++ luaC_upvalbarrier(L, *up2);
+ luaC_upvdeccount(L, *up1);
+ *up1 = *up2;
+- (*up1)->refcount++;
+- if (upisopen(*up1)) (*up1)->u.open.touched = 1;
+- luaC_upvalbarrier(L, *up1);
+ }
+
+
diff --git a/lua.spec b/lua.spec
index 2dc7cfa..02d155d 100644
--- a/lua.spec
+++ b/lua.spec
@@ -15,7 +15,7 @@
 Name: lua
 Version: %{major_version}.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Powerful light-weight programming language
 Group: Development/Languages
 License: MIT
@@ -42,6 +42,7 @@ Patch6: %{name}-5.2.2-idsize.patch
 Patch7: %{name}-5.2.2-luac-shared-link-fix.patch
 Patch8: %{name}-5.2.2-configure-compat-module.patch
 %endif
+Patch9: CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
 BuildRequires: automake autoconf libtool readline-devel ncurses-devel
 Requires: lua-libs = %{version}-%{release}
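Review bot: The guard `if (*up1 == *up2) return;` in the added patch file is the line that closes the use-after-free, but its comment `/* Already joined */` reads like a shortcut, so a later rebase could drop it as redundant. When both references name the same UpVal, the old order called `luaC_upvdeccount(L, *up1)` before touching the object again through `*up1`, which is presumably how freed memory was reached once the last reference was dropped. I would reword the comment to `/* same upvalue: releasing the old reference first could free the object we are about to share (CVE-2019-6706) */` and keep the increment-before-decrement order alongside it. The function lies entirely inside the hunk; validation of `fidx1`/`n1`/`fidx2`/`n2` happens in `getupvalref`, which is not shown here.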
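Review bot: The new `Patch9:` line in lua.spec has no comment saying where the fix comes from or whether upstream has taken it, so a maintainer rebasing to a newer Lua cannot tell when the patch may be dropped. I would add a line above it such as `# CVE-2019-6706 (bz1670020): use-after-free in lua_upvaluejoin; origin: <upstream reference>; drop once the packaged version contains it`. The declaration sits after `%endif`, so it is not tied to the conditional that covers Patch6 to Patch8; the opening of that conditional is outside the hunk.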
@@ -94,6 +95,7 @@ mv src/luaconf.h src/luaconf.h.template.in
 #%% patch2 -p1 -z .luac-shared
 %patch3 -p1 -z .configure-linux
 %patch4 -p1 -z .configure-compat-all
+%patch9 -p1 -b .CVE-2019-6706
 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
 autoreconf -ifv
@@ -215,6 +217,9 @@ install -Dpm 0644 %{SOURCE1000} $RPM_BUILD_ROOT/%{macrosdir}/macros.lua
 %changelog
+* Mon Jan 28 2019 Tom Callaway - 5.3.5-3
+- apply fix for CVE-2019-6706 (bz1670020)
+
 * Fri Jul 13 2018 Fedora Release Engineering - 5.3.5-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
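Review bot: The added `%patch9 -p1 -b .CVE-2019-6706` passes the backup suffix with `-b`, while the neighbouring `%patch3` and `%patch4` lines use `-z`; for consistency I would write `%patch9 -p1 -z .CVE-2019-6706`. The fix is applied only in this part of %prep, and the rest of the section is outside the hunk. If the spec also unpacks a second Lua tree under the conditional that holds the 5.2.2 patches (not visible here), it is worth confirming whether that tree contains the same `lua_upvaluejoin` code and needs the patch too.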