backport lua upstream patch to fix CVE-2022-28805

(cherry picked from commit 61dc4d0f9c9bc41a0f614a7fe92ddba8bdefd45e)
2025-01-15 07:19:13 +00:00 · 2025-01-15 07:19:13 +00:00 · bfea188fea
commit bfea188fea
parent 053725c156
2 changed files with 34 additions and 1 deletions
--- a/backport-Bug-Lua-can-generate-wrong-code-when-_ENV-is-const.patch
+++ b/backport-Bug-Lua-can-generate-wrong-code-when-_ENV-is-const.patch
@ -0,0 +1,26 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+Conflict: remove testes/attrib.lua and adapt lparser.c file directory
+Reference: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
+
+---
+ liblua/lparser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/liblua/lparser.c b/liblua/lparser.c
+index 3abe3d7..a5cd552 100644
+--- a/liblua/lparser.c
+++ b/liblua/lparser.c
+@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k != VVOID);  /* this one must exist */
+    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(&key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }
+--
+2.43.0
--- a/nmap.spec
+++ b/nmap.spec
@ -3,7 +3,7 @@
 Name:           nmap
 Epoch:          2
 Version:        7.94
-Release:        6
+Release:        7
 License:        GPL-2.0-or-later
 Summary:        A tool for network discovery and security auditing.
 Requires:       %{name}-ncat = %{epoch}:%{version}-%{release}
@ -24,6 +24,7 @@ Patch0005:      backport-remove-nse_pcrelib-from-build.patch
 Patch0006:      backport-nping-fix-out-of-bounds-access.patch
 Patch0007:      backport-Ncat-server-UDP-do-not-quit-after-EOF-on-STDIN.-Fixe.patch
 Patch0008:      remove-password-printing.patch
+Patch0009:      backport-Bug-Lua-can-generate-wrong-code-when-_ENV-is-const.patch

 %define pixmap_srcdir zenmap/share/pixmaps

@ -74,6 +75,12 @@ ln -s ncat %{buildroot}%{_bindir}/nc
 %{_mandir}/man1/*.1.gz

 %changelog
+* Wed Jan 15 2025 xingwei <xingwei14@h-partners.com> - 2:7.94-7
+- Type:CVE
+- CVE:CVE-2022-28805
+- SUG:NA
+- DESC:backport lua upstream patch to fix CVE-2022-28805
+
 * Fri Jun 14 2024 xinghe <xinghe2@h-partners.com> - 2:7.94-6
 - Type:bugfix
 - CVE:NA