diff --git a/CVE-2022-28805.patch b/CVE-2022-28805.patch
new file mode 100644
index 0000000..9bdc681
--- /dev/null
+++ b/CVE-2022-28805.patch
@@ -0,0 +1,17 @@
+From: Roberto Ierusalimschy
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010265
+
+Origin: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
+
+--- a/vendor/lua/src/lparser.c
++++ b/vendor/lua/src/lparser.c
+@@ -468,6 +468,7 @@
+ expdesc key;
+ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
+ lua_assert(var->k != VVOID); /* this one must exist */
++ luaK_exp2anyregup(fs, var); /* but could be a constant */
+ codestring(&key, varname); /* key is variable name */
+ luaK_indexed(fs, var, &key); /* env[varname] */
+ }
diff --git a/memcached.spec b/memcached.spec
index 2a6558b..c82d6d5 100644
--- a/memcached.spec
+++ b/memcached.spec
@@ -7,7 +7,7 @@
 Name: memcached
 Version: 1.6.22
-Release: 3
+Release: 4
 Epoch: 0
 Summary: A high-performance, distributed memory object caching system
 License: BSD-3-Clause
@@ -19,6 +19,7 @@ Source2: memcached.sysconfig
 Patch0001: memcached-unit.patch
 Patch0002: fix-leak-in-config-reload.patch
 Patch0003: fix-potential-memory-corruption.patch
+Patch0004: CVE-2022-28805.patch
 BuildRequires: systemd perl-generators perl(Test::More) perl(Test::Harness)
 BuildRequires: selinux-policy-devel libevent-devel make gcc
@@ -66,6 +67,7 @@ optimised for use with this version of memcached.
 %patch1 -p1 -b .unit
 %patch2 -p1 -b .reload
 %patch3 -p1 -b .corruption
+%patch4 -p1
 %build
 %configure \
@@ -148,6 +150,9 @@ fi
 %{_mandir}/man1/memcached.1*
 %changelog
+* Mon Jan 06 2025 yaoxin <1024769339@qq.com> - 0:1.6.22-4
+- Fix for lua CVE-2022-28805
+
 * Fri Jun 21 2024 yanshuai - 0:1.6.22-3
 - crawler: fix potential memory corruption
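Review bot: The header of CVE-2022-28805.patch never states what goes wrong without the added `luaK_exp2anyregup(fs, var);` call. As shown here the Subject stops at "when _ENV is" (the upstream title ends in `<const>`, which may simply have been lost as markup), and the CVE id appears only in the file name. A one-line description in the header, for example `Description: CVE-2022-28805 - move a <const> _ENV into a register or upvalue before luaK_indexed() indexes it`, would let a later refresh of vendor/lua be checked against the fix. The inner hunk carries only its six context lines, so the enclosing function starts and ends outside it.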
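Review bot: `%patch4 -p1` in the %prep hunk of memcached.spec is the only patch application without a backup suffix. The three lines above it use `-b .unit`, `-b .reload` and `-b .corruption`, so `%patch4 -p1 -b .CVE-2022-28805` would match them. Because the patch only touches `vendor/lua/src/lparser.c`, it changes the shipped binary only if the build actually compiles that bundled Lua; the %configure options lie outside this hunk, so that is worth confirming before the changelog claims the CVE as fixed. If the bundled copy is built, a `Provides: bundled(lua) = VERSION` line (VERSION being the vendored release) would let scanners attribute future Lua advisories to this package.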