fix CVE-2021-44647 CVE-2022-28805

2022-04-15 14:11:34 +08:00 · 2022-04-15 14:11:34 +08:00 · 2c7a3fbc76
commit 2c7a3fbc76
parent b7b0964380
3 changed files with 78 additions and 1 deletions
--- a/backport-CVE-2021-44647.patch
+++ b/backport-CVE-2021-44647.patch
@ -0,0 +1,24 @@
 From 1de95e97ef65632a88e08b6184bd9d1ceba7ec2f Mon Sep 17 00:00:00 2001
 From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
 Date: Fri, 10 Dec 2021 10:53:54 -0300
 Subject: [PATCH] Bug: Lua stack still active when closing a state
 ---
 src/lstate.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/lstate.c b/src/lstate.c
 index c5e3b43..38da773 100644
 --- a/src/lstate.c
 +++ b/src/lstate.c
@@ -271,6 +271,7 @@ static void close_state (lua_State *L) {
   if (!completestate(g))  /* closing a partially built state? */
     luaC_freeallobjects(L);  /* jucst collect its objects */
   else {  /* closing a fully built state */
 +    L->ci = &L->base_ci;  /* unwind CallInfo list */
     luaD_closeprotected(L, 1, LUA_OK);  /* close all upvalues */
     luaC_freeallobjects(L);  /* collect all objects */
     luai_userstateclose(L);
 -- 
 1.8.3.1
--- a/backport-CVE-2022-28805.patch
+++ b/backport-CVE-2022-28805.patch
@ -0,0 +1,46 @@
 From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
 From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
 Date: Tue, 15 Feb 2022 12:28:46 -0300
 Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
 ---
 lua-5.4.3-tests/attrib.lua | 10 ++++++++++
 src/lparser.c              |  1 +
 2 files changed, 11 insertions(+)
 diff --git a/lua-5.4.3-tests/attrib.lua b/lua-5.4.3-tests/attrib.lua
 index b1076c7..83821c0 100644
 --- a/lua-5.4.3-tests/attrib.lua
 +++ b/lua-5.4.3-tests/attrib.lua
@@ -434,6 +434,16 @@ a.aVeryLongName012345678901234567890123456789012345678901234567890123456789 ==
 10)
 +do
 +  -- _ENV constant
 +  local function foo ()
 +    local _ENV <const> = 11
 +    X = "hi"
 +  end
 +  local st, msg = pcall(foo)
 +  assert(not st and string.find(msg, "number"))
 +end
 +
 -- test of large float/integer indices 
 diff --git a/src/lparser.c b/src/lparser.c
 index 284ef1f..0626833 100644
 --- a/src/lparser.c
 +++ b/src/lparser.c
@@ -457,6 +457,7 @@ static void singlevar (LexState *ls, expdesc *var) {
     expdesc key;
     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
     lua_assert(var->k != VVOID);  /* this one must exist */
 +    luaK_exp2anyregup(fs, var);  /* but could be a constant */
     codestring(&key, varname);  /* key is variable name */
     luaK_indexed(fs, var, &key);  /* env[varname] */
   }
 -- 
 1.8.3.1
--- a/lua.spec
+++ b/lua.spec
@ -6,7 +6,7 @@
 Name:           lua
 Version:        5.4.3
-Release:        5
+Release:        6
 Summary:        A powerful, efficient, lightweight, embeddable scripting language
 License:        MIT
 URL:            http://www.lua.org/
@ -24,6 +24,8 @@ Patch1:         lua-5.3.0-idsize.patch
 Patch2:         lua-5.2.2-configure-linux.patch
 Patch3:         lua-5.3.0-configure-compat-module.patch
 Patch6000:      backport-CVE-2021-43519.patch
 Patch6001:      backport-CVE-2021-44647.patch
 Patch6002:      backport-CVE-2022-28805.patch
 BuildRequires:  automake autoconf libtool readline-devel ncurses-devel
@ -57,6 +59,8 @@ mv src/luaconf.h src/luaconf.h.template.in
 %patch2 -p1 -z .configure-linux
 %patch3 -p1 -z .configure-compat-all
 %patch6000 -p1
 %patch6001 -p1
 %patch6002 -p1
 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
@ -131,6 +135,9 @@ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{_bindir}/lua -e"_U=
 %{_mandir}/man1/lua*.1*
 %changelog
 * Fri Apr 15 2022 shixuantong <shixuantong@h-partners.com> - 5.4.3-6
 - fix CVE-2021-44647 CVE-2022-28805
 * Thu Apr 14 2022 shixuantong <shixuantong@h-partners.com> - 5.4.3-5
 - fix CVE-2021-43519 patch error