fix CVE-2021-44647 CVE-2022-28805

2022-04-15 14:11:34 +08:00 · 2022-04-15 14:11:34 +08:00 · 2c7a3fbc76
commit 2c7a3fbc76
parent b7b0964380
3 changed files with 78 additions and 1 deletions
--- a/backport-CVE-2021-44647.patch
+++ b/backport-CVE-2021-44647.patch
@ -0,0 +1,24 @@
+From 1de95e97ef65632a88e08b6184bd9d1ceba7ec2f Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Fri, 10 Dec 2021 10:53:54 -0300
+Subject: [PATCH] Bug: Lua stack still active when closing a state
+
+---
+ src/lstate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lstate.c b/src/lstate.c
+index c5e3b43..38da773 100644
+--- a/src/lstate.c
+++ b/src/lstate.c
+@@ -271,6 +271,7 @@ static void close_state (lua_State *L) {
+   if (!completestate(g))  /* closing a partially built state? */
+     luaC_freeallobjects(L);  /* jucst collect its objects */
+   else {  /* closing a fully built state */
+    L->ci = &L->base_ci;  /* unwind CallInfo list */
+     luaD_closeprotected(L, 1, LUA_OK);  /* close all upvalues */
+     luaC_freeallobjects(L);  /* collect all objects */
+     luai_userstateclose(L);
+-- 
+1.8.3.1
+
--- a/backport-CVE-2022-28805.patch
+++ b/backport-CVE-2022-28805.patch
@ -0,0 +1,46 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+---
+ lua-5.4.3-tests/attrib.lua | 10 ++++++++++
+ src/lparser.c              |  1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/lua-5.4.3-tests/attrib.lua b/lua-5.4.3-tests/attrib.lua
+index b1076c7..83821c0 100644
+--- a/lua-5.4.3-tests/attrib.lua
+++ b/lua-5.4.3-tests/attrib.lua
+@@ -434,6 +434,16 @@ a.aVeryLongName012345678901234567890123456789012345678901234567890123456789 ==
+ 10)
+ 
+ 
+do
+  -- _ENV constant
+  local function foo ()
+    local _ENV <const> = 11
+    X = "hi"
+  end
+  local st, msg = pcall(foo)
+  assert(not st and string.find(msg, "number"))
+end
+
+ 
+ -- test of large float/integer indices 
+ 
+diff --git a/src/lparser.c b/src/lparser.c
+index 284ef1f..0626833 100644
+--- a/src/lparser.c
+++ b/src/lparser.c
+@@ -457,6 +457,7 @@ static void singlevar (LexState *ls, expdesc *var) {
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k != VVOID);  /* this one must exist */
+    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(&key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }
+-- 
+1.8.3.1
+
--- a/lua.spec
+++ b/lua.spec
@ -6,7 +6,7 @@

 Name:           lua
 Version:        5.4.3
-Release:        5
+Release:        6
 Summary:        A powerful, efficient, lightweight, embeddable scripting language
 License:        MIT
 URL:            http://www.lua.org/
@ -24,6 +24,8 @@ Patch1:         lua-5.3.0-idsize.patch
 Patch2:         lua-5.2.2-configure-linux.patch
 Patch3:         lua-5.3.0-configure-compat-module.patch
 Patch6000:      backport-CVE-2021-43519.patch
+Patch6001:      backport-CVE-2021-44647.patch
+Patch6002:      backport-CVE-2022-28805.patch

 BuildRequires:  automake autoconf libtool readline-devel ncurses-devel

@ -57,6 +59,8 @@ mv src/luaconf.h src/luaconf.h.template.in
 %patch2 -p1 -z .configure-linux
 %patch3 -p1 -z .configure-compat-all
 %patch6000 -p1
+%patch6001 -p1
+%patch6002 -p1

 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
@ -131,6 +135,9 @@ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{_bindir}/lua -e"_U=
 %{_mandir}/man1/lua*.1*

 %changelog
+* Fri Apr 15 2022 shixuantong <shixuantong@h-partners.com> - 5.4.3-6
+- fix CVE-2021-44647 CVE-2022-28805
+
 * Thu Apr 14 2022 shixuantong <shixuantong@h-partners.com> - 5.4.3-5
 - fix CVE-2021-43519 patch error