From 79c2277b1e9158ac5289d940048266cadf8fa783 Mon Sep 17 00:00:00 2001
From: shixuantong <1726671442@qq.com>
Date: Fri, 15 Apr 2022 14:11:34 +0800
Subject: [PATCH] fix CVE-2021-44647 CVE-2022-28805
(cherry picked from commit 2c7a3fbc7626288a33f97048a0ef9d56faf75b44)
---
 backport-CVE-2021-44647.patch | 24 ++++++++++++++++++
 backport-CVE-2022-28805.patch | 46 +++++++++++++++++++++++++++++++++++
 lua.spec | 9 ++++++-
 3 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-44647.patch
 create mode 100644 backport-CVE-2022-28805.patch
diff --git a/backport-CVE-2021-44647.patch b/backport-CVE-2021-44647.patch
new file mode 100644
index 0000000..56bdfb5
--- /dev/null
+++ b/backport-CVE-2021-44647.patch
@@ -0,0 +1,24 @@
+From 1de95e97ef65632a88e08b6184bd9d1ceba7ec2f Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy
+Date: Fri, 10 Dec 2021 10:53:54 -0300
+Subject: [PATCH] Bug: Lua stack still active when closing a state
+
+---
+ src/lstate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lstate.c b/src/lstate.c
+index c5e3b43..38da773 100644
+--- a/src/lstate.c
++++ b/src/lstate.c
+@@ -271,6 +271,7 @@ static void close_state (lua_State *L) {
+ if (!completestate(g)) /* closing a partially built state? */
+ luaC_freeallobjects(L); /* jucst collect its objects */
+ else { /* closing a fully built state */
++ L->ci = &L->base_ci; /* unwind CallInfo list */
+ luaD_closeprotected(L, 1, LUA_OK); /* close all upvalues */
+ luaC_freeallobjects(L); /* collect all objects */
+ luai_userstateclose(L);
+--
+1.8.3.1
+
diff --git a/backport-CVE-2022-28805.patch b/backport-CVE-2022-28805.patch
new file mode 100644
index 0000000..04e79c0
--- /dev/null
+++ b/backport-CVE-2022-28805.patch
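Review bot: The backport in backport-CVE-2021-44647.patch ships without a regression test: its diffstat lists only `src/lstate.c` with one insertion, whereas backport-CVE-2022-28805.patch adds a case to `attrib.lua`. The added line `L->ci = &L->base_ci;` in `close_state` sits directly before `luaD_closeprotected(L, 1, LUA_OK)`, so that ordering is the whole fix, and nothing in this package would flag a later rebase that drops or moves it. Consider carrying a test that closes a state while its call stack is still active, which is the condition the patch subject names, and wiring it into whatever the spec runs at build time. The body of `close_state` continues outside the hunk, so whether other paths reach `luaD_closeprotected` with a stale `L->ci` cannot be judged from here.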
@@ -0,0 +1,46 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is
+
+---
+ lua-5.4.3-tests/attrib.lua | 10 ++++++++++
+ src/lparser.c | 1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/lua-5.4.3-tests/attrib.lua b/lua-5.4.3-tests/attrib.lua
+index b1076c7..83821c0 100644
+--- a/lua-5.4.3-tests/attrib.lua
++++ b/lua-5.4.3-tests/attrib.lua
+@@ -434,6 +434,16 @@ a.aVeryLongName012345678901234567890123456789012345678901234567890123456789 ==
+ 10)
+
+
++do
++ -- _ENV constant
++ local function foo ()
++ local _ENV = 11
++ X = "hi"
++ end
++ local st, msg = pcall(foo)
++ assert(not st and string.find(msg, "number"))
++end
++
+
+ -- test of large float/integer indices
+
+diff --git a/src/lparser.c b/src/lparser.c
+index 284ef1f..0626833 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -457,6 +457,7 @@ static void singlevar (LexState *ls, expdesc *var) {
+ expdesc key;
+ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
+ lua_assert(var->k != VVOID); /* this one must exist */
++ luaK_exp2anyregup(fs, var); /* but could be a constant */
+ codestring(&key, varname); /* key is variable name */
+ luaK_indexed(fs, var, &key); /* env[varname] */
+ }
+--
+1.8.3.1
+
diff --git a/lua.spec b/lua.spec
index cc1f518..d5fa0e7 100644
--- a/lua.spec
+++ b/lua.spec
@@ -6,7 +6,7 @@
 Name: lua
 Version: 5.4.3
-Release: 5
+Release: 6
 Summary: A powerful, efficient, lightweight, embeddable scripting language
 License: MIT
 URL: http://www.lua.org/
@@ -24,6 +24,8 @@ Patch1: lua-5.3.0-idsize.patch
 Patch2: lua-5.2.2-configure-linux.patch
 Patch3: lua-5.3.0-configure-compat-module.patch
 Patch6000: backport-CVE-2021-43519.patch
+Patch6001: backport-CVE-2021-44647.patch
+Patch6002: backport-CVE-2022-28805.patch
 BuildRequires: automake autoconf libtool readline-devel ncurses-devel
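Review bot: The `Subject:` line of backport-CVE-2022-28805.patch ends mid-phrase ("Lua can generate wrong code when _ENV is"), so the header no longer says which declaration of `_ENV` the fix covers; the final word looks lost, possibly an angle-bracketed token stripped along the way, and should be restored from the upstream commit. Neither backported header names the CVE it addresses or where the change came from, so an auditor has only the file name to map patch to advisory. A header line such as `Reference: <upstream commit URL>` (placeholder) would close that gap. In the `singlevar` hunk the preceding `lua_assert(var->k != VVOID)` is presumably compiled out in normal builds, so the new `luaK_exp2anyregup(fs, var)` call is the only runtime handling on that path; the function starts outside the hunk.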
@@ -57,6 +59,8 @@ mv src/luaconf.h src/luaconf.h.template.in
 %patch2 -p1 -z .configure-linux
 %patch3 -p1 -z .configure-compat-all
 %patch6000 -p1
+%patch6001 -p1
+%patch6002 -p1
 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
@@ -131,6 +135,9 @@ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{_bindir}/lua -e"_U=
 %{_mandir}/man1/lua*.1*
 %changelog
+* Fri Apr 15 2022 shixuantong - 5.4.3-6
+- fix CVE-2021-44647 CVE-2022-28805
+
 * Thu Apr 14 2022 shixuantong - 5.4.3-5
 - fix CVE-2021-43519 patch error
--
Gitee