Fix for lua CVE-2022-28805

CVE-2022-28805.patch

@@ -0,0 +1,17 @@
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010265
+
+Origin: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
+
+--- a/vendor/lua/src/lparser.c
++++ b/vendor/lua/src/lparser.c
+@@ -468,6 +468,7 @@
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k != VVOID);  /* this one must exist */
++    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(&key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }

memcached.spec

@@ -7,7 +7,7 @@
 
 Name:          memcached
 Version:       1.6.22
-Release:       3
+Release:       4
 Epoch:         0
 Summary:       A high-performance, distributed memory object caching system
 License:       BSD-3-Clause
@@ -19,6 +19,7 @@ Source2:       memcached.sysconfig
 Patch0001:     memcached-unit.patch
 Patch0002:     fix-leak-in-config-reload.patch
 Patch0003:     fix-potential-memory-corruption.patch
+Patch0004:     CVE-2022-28805.patch
 
 BuildRequires: systemd perl-generators perl(Test::More) perl(Test::Harness)
 BuildRequires: selinux-policy-devel libevent-devel make gcc
@@ -66,6 +67,7 @@ optimised for use with this version of memcached.
 %patch1 -p1 -b .unit
 %patch2 -p1 -b .reload
 %patch3 -p1 -b .corruption
+%patch4 -p1
 
 %build
 %configure \
@@ -148,6 +150,9 @@ fi
 %{_mandir}/man1/memcached.1*
 
 %changelog
+* Mon Jan 06 2025 yaoxin <1024769339@qq.com> - 0:1.6.22-4
+- Fix for lua CVE-2022-28805
+
 * Fri Jun 21 2024 yanshuai <yanshuai01@kylinos.cn> - 0:1.6.22-3
 - crawler: fix potential memory corruption