From d08db8febee70b9ce629fff7b59103218e46425e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 28 Mar 2023 09:16:22 +0000
Subject: [PATCH] import lua-5.4.4-3.el9
---
 .gitignore | 4 +-
 .lua.metadata | 4 +-
 SOURCES/lua-5.4-CVE-2022-28805.patch | 22 +++++++++++
 SOURCES/lua-5.4.2-CVE-2022-33099.patch | 51 ++++++++++++++++++++++++++
 SPECS/lua.spec | 29 +++++++++++++--
 5 files changed, 103 insertions(+), 7 deletions(-)
 create mode 100644 SOURCES/lua-5.4-CVE-2022-28805.patch
 create mode 100644 SOURCES/lua-5.4.2-CVE-2022-33099.patch
diff --git a/.gitignore b/.gitignore
index da39ea2..1431b81 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/lua-5.3.5.tar.gz
-SOURCES/lua-5.4.2-tests.tar.gz
-SOURCES/lua-5.4.2.tar.gz
+SOURCES/lua-5.4.4-tests.tar.gz
+SOURCES/lua-5.4.4.tar.gz
diff --git a/.lua.metadata b/.lua.metadata
index 817bfa5..71ad1e1 100644
--- a/.lua.metadata
+++ b/.lua.metadata
@@ -1,3 +1,3 @@
 112eb10ff04d1b4c9898e121d6bdf54a81482447 SOURCES/lua-5.3.5.tar.gz
-b75f55632c69f0fff8fa944ac56804a7b8871b94 SOURCES/lua-5.4.2-tests.tar.gz
-96d4a21393c94bed286b8dc0568f4bdde8730b22 SOURCES/lua-5.4.2.tar.gz
+062af7753cd387eea23052fbcad26616a48acadc SOURCES/lua-5.4.4-tests.tar.gz
+03c27684b9d5d9783fb79a7c836ba1cdc5f309cd SOURCES/lua-5.4.4.tar.gz
diff --git a/SOURCES/lua-5.4-CVE-2022-28805.patch b/SOURCES/lua-5.4-CVE-2022-28805.patch
new file mode 100644
index 0000000..c9e36c9
--- /dev/null
+++ b/SOURCES/lua-5.4-CVE-2022-28805.patch
@@ -0,0 +1,22 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is
+
+---
+ lparser.c | 1 +
+ testes/attrib.lua | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/lparser.c b/lparser.c
+index 3abe3d751..a5cd55257 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
+ expdesc key;
+ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
+ lua_assert(var->k != VVOID); /* this one must exist */
++ luaK_exp2anyregup(fs, var); /* but could be a constant */
+ codestring(&key, varname); /* key is variable name */
+ luaK_indexed(fs, var, &key); /* env[varname] */
+ }
diff --git a/SOURCES/lua-5.4.2-CVE-2022-33099.patch b/SOURCES/lua-5.4.2-CVE-2022-33099.patch
new file mode 100644
index 0000000..39b35ea
--- /dev/null
+++ b/SOURCES/lua-5.4.2-CVE-2022-33099.patch
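Review bot: The embedded upstream patch still advertises `testes/attrib.lua | 10 ++++++++++` and "2 files changed, 11 insertions(+)" in its diffstat, but the only hunk carried is the one-line `lparser.c` change, so the upstream regression test for this fix is not shipped with the package. The inner `diff --git a/lparser.c b/lparser.c` line also disagrees with the `--- a/src/lparser.c` / `+++ b/src/lparser.c` paths, which suggests the file was edited by hand after export. I would record that at the top of the patch, e.g. `Backport of upstream commit 1f3c6f4534c6411313361697d98d1145a1f030fa; testes/attrib.lua hunk dropped, paths rewritten to src/`, so an auditor can diff it against upstream without guessing. The added `luaK_exp2anyregup(fs, var);` sits inside `singlevar`, whose body starts outside the hunk.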
@@ -0,0 +1,51 @@
+diff -up lua-5.4.2/src/ldebug.c.orig lua-5.4.2/src/ldebug.c
+--- lua-5.4.2/src/ldebug.c.orig 2020-11-13 16:32:00.000000000 +0100
++++ lua-5.4.2/src/ldebug.c 2022-10-21 14:35:02.200941813 +0200
+@@ -772,8 +772,11 @@ l_noret luaG_runerror (lua_State *L, con
+ va_start(argp, fmt);
+ msg = luaO_pushvfstring(L, fmt, argp); /* format message */
+ va_end(argp);
+- if (isLua(ci)) /* if Lua function, add source:line information */
++ if (isLua(ci)) { /* if Lua function, add source:line information */
+ luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci));
++ setobjs2s(L, L->top - 2, L->top - 1); /* remove 'msg' from the stack */
++ L->top--;
++ }
+ luaG_errormsg(L);
+ }
+
+diff -up lua-5.4.2/src/lvm.c.orig lua-5.4.2/src/lvm.c
+--- lua-5.4.2/src/lvm.c.orig 2020-11-13 16:32:02.000000000 +0100
++++ lua-5.4.2/src/lvm.c 2022-10-21 14:35:31.713755890 +0200
+@@ -641,7 +641,7 @@ void luaV_concat (lua_State *L, int tota
+ int n = 2; /* number of elements handled in this pass (at least 2) */
+ if (!(ttisstring(s2v(top - 2)) || cvt2str(s2v(top - 2))) ||
+ !tostring(L, s2v(top - 1)))
+- luaT_tryconcatTM(L);
++ luaT_tryconcatTM(L); /* may invalidate 'top' */
+ else if (isemptystr(s2v(top - 1))) /* second operand is empty? */
+ cast_void(tostring(L, s2v(top - 2))); /* result is first operand */
+ else if (isemptystr(s2v(top - 2))) { /* first operand is empty string? */
+@@ -654,8 +654,10 @@ void luaV_concat (lua_State *L, int tota
+ /* collect total length and number of strings */
+ for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
+ size_t l = vslen(s2v(top - n - 1));
+- if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
++ if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
++ L->top = top - total; /* pop strings to avoid wasting stack */
+ luaG_runerror(L, "string length overflow");
++ }
+ tl += l;
+ }
+ if (tl <= LUAI_MAXSHORTLEN) { /* is result a short string? 
*/
+@@ -669,8 +671,8 @@ void luaV_concat (lua_State *L, int tota
+ }
+ setsvalue2s(L, top - n, ts); /* create result */
+ }
+- total -= n-1; /* got 'n' strings to create 1 new */
+- L->top -= n-1; /* popped 'n' strings and pushed one */
++ total -= n - 1; /* got 'n' strings to create one new */
++ L->top -= n - 1; /* popped 'n' strings and pushed one */
+ } while (total > 1); /* repeat until only 1 result left */
+ }
+
diff --git a/SPECS/lua.spec b/SPECS/lua.spec
index b224523..33a23e6 100644
--- a/SPECS/lua.spec
+++ b/SPECS/lua.spec
@@ -1,6 +1,6 @@
 %global major_version 5.4
 # Normally, this is the same as version, but... not always.
-%global test_version 5.4.2
+%global test_version 5.4.4
 # If you are incrementing major_version, enable bootstrapping and adjust accordingly.
 # Version should be the latest prior build. If you don't do this, RPM will break and
 # everything will grind to a halt.
@@ -13,8 +13,8 @@ Name: lua -Version: %{major_version}.2 -Release: 4%{?dist} +Version: %{major_version}.4 +Release: 3%{?dist} Summary: Powerful light-weight programming language License: MIT URL: http://www.lua.org/
@@ -38,6 +38,8 @@ Patch6: %{name}-5.3.5-luac-shared-link-fix.patch %endif # https://www.lua.org/bugs.html Patch18: %{name}-5.3.5-CVE-2020-24370.patch +Patch19: %{name}-5.4.2-CVE-2022-33099.patch +Patch20: %{name}-5.4-CVE-2022-28805.patch BuildRequires: automake autoconf libtool readline-devel ncurses-devel BuildRequires: make
@@ -92,6 +94,8 @@ mv src/luaconf.h src/luaconf.h.template.in
 #%% patch2 -p1 -z .luac-shared
 %patch3 -p1 -z .configure-linux
 %patch4 -p1 -z .configure-compat-all
+%patch19 -p1 -b .CVE-2022-33099
+%patch20 -p1 -b .CVE-2022-28805
 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
 autoreconf -ifv
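Review bot: No header in the CVE-2022-33099 patch file names the upstream commit it was taken from (the sibling CVE-2022-28805 patch keeps its `From <hash>` line), and its paths are `lua-5.4.2/src/...` while the spec in this commit builds 5.4.4. The changelog entry "Fix up CVE-2022-33099 patch" indicates the file was also modified downstream, so it is worth stating what differs from upstream. I would add a short header such as `# Backport of the upstream fix for CVE-2022-33099 (commit <UPSTREAM_COMMIT>), generated against 5.4.2; downstream changes: <SUMMARY>`. In the `luaG_runerror` hunk, `setobjs2s(L, L->top - 2, L->top - 1); L->top--;` relies on `luaG_addinfo` having left exactly one new value above `msg`; that callee is not visible here, so a comment stating the expected stack layout would help the next rebase. Both `luaG_runerror` and `luaV_concat` start outside their hunks.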
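Review bot: `%patch19 -p1 -b .CVE-2022-33099` and `%patch20 -p1 -b .CVE-2022-28805` spell the backup-suffix option `-b`, while the neighbouring `%patch3` and `%patch4` lines use `-z`; one spelling should be used throughout the section. In the declaration hunk, `Patch19` and `Patch20` sit under the generic `# https://www.lua.org/bugs.html` comment that precedes `Patch18`; a per-patch line such as `# CVE-2022-33099, upstream commit <UPSTREAM_COMMIT>` would make each security backport traceable from the spec. `Patch19` also keeps `5.4.2` in its file name although `Version` is now `%{major_version}.4`, so a one-line comment saying it was re-checked against 5.4.4 would avoid confusion.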
@@ -209,6 +213,25 @@ popd %{_libdir}/*.a %changelog +* Fri Feb 03 2023 Florian Festi - 5.4.4-3 +- Apply upstream patch for CVE-2022-28805 + +* Fri Feb 03 2023 Florian Festi - 5.4.4-2 +- Resolves CVE-2021-43519 + +* Tue Jan 24 2023 Florian Festi - 5.4.4-1 +- Rebase to lua 5.4.4 +- Resolves CVE-2021-44964 + +* Tue Oct 25 2022 Michal Domonkos - 5.4.2-7 +- Fix up CVE-2022-33099 patch + +* Mon Oct 17 2022 Michal Domonkos - 5.4.2-6 +- Enable gating + +* Mon Oct 17 2022 Michal Domonkos - 5.4.2-5 +- apply upstream fix for CVE-2022-33099 + * Mon Aug 09 2021 Mohan Boddu - 5.4.2-4 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688