!74 [sync] PR-72: backport lua upstream patch to fix CVE-2022-28805

From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

backport-Bug-Lua-can-generate-wrong-code-when-_ENV-is-const.patch

@@ -0,0 +1,26 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+Conflict: remove testes/attrib.lua and adapt lparser.c file directory
+Reference: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
+
+---
+ liblua/lparser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/liblua/lparser.c b/liblua/lparser.c
+index 3abe3d7..a5cd552 100644
+--- a/liblua/lparser.c
++++ b/liblua/lparser.c
+@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k != VVOID);  /* this one must exist */
++    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(&key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }
+--
+2.43.0

backport-Ncat-server-UDP-do-not-quit-after-EOF-on-STDIN.-Fixe.patch

@@ -0,0 +1,31 @@
+From d4e769197afccf425ec16dae5faeece72e8a5130 Mon Sep 17 00:00:00 2001
+From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
+Date: Thu, 27 Jul 2023 17:31:48 +0000
+Subject: [PATCH] Ncat server UDP: do not quit after EOF on STDIN. Fixes #2685
+
+Conflict: NA
+Reference: https://github.com/nmap/nmap/commit/d4e769197afccf425ec16dae5faeece72e8a5130
+
+diff --git a/ncat/ncat_listen.c b/ncat/ncat_listen.c
+index 3cecb64f8..c307c68c4 100644
+--- a/ncat/ncat_listen.c
++++ b/ncat/ncat_listen.c
+@@ -376,13 +376,13 @@ restart_fd_loop:
+                 } else {
+                     /* Read from stdin and write to all clients. */
+                     rc = read_stdin();
+-                    if (rc == 0) {
++                    if (rc == 0 && type == SOCK_STREAM) {
+                         if (o.proto != IPPROTO_TCP || (o.proto == IPPROTO_TCP && o.sendonly)) {
+                             /* There will be nothing more to send. If we're not
+                                receiving anything, we can quit here. */
+                             return 0;
+                         }
+-                        if (!o.noshutdown && type == SOCK_STREAM) shutdown_sockets(SHUT_WR);
++                        if (!o.noshutdown) shutdown_sockets(SHUT_WR);
+                     }
+                     if (rc < 0)
+                         return 1;
+-- 
+2.33.0
+

nmap.spec

@@ -3,8 +3,8 @@
 Name:           nmap
 Epoch:          2
 Version:        7.94
-Release:        2
+Release:        7
-License:        Nmap
+License:        GPL-2.0-or-later
 Summary:        A tool for network discovery and security auditing.
 Requires:       %{name}-ncat = %{epoch}:%{version}-%{release}
 URL:            https://nmap.org/
@@ -22,6 +22,9 @@ Patch0003:      nmap-replace-sensitive-words.patch
 Patch0004:      backport-upgrade-libpcre-to-PCRE2-10.42.patch
 Patch0005:      backport-remove-nse_pcrelib-from-build.patch
 Patch0006:      backport-nping-fix-out-of-bounds-access.patch
+Patch0007:      backport-Ncat-server-UDP-do-not-quit-after-EOF-on-STDIN.-Fixe.patch
+Patch0008:      remove-password-printing.patch
+Patch0009:      backport-Bug-Lua-can-generate-wrong-code-when-_ENV-is-const.patch
 
 %define pixmap_srcdir zenmap/share/pixmaps
 
@@ -44,6 +47,9 @@ export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
 
 sed -i 's/-md/-mf/' nping/docs/nping.1
 
+%check
+make check
+
 %install
 make DESTDIR=%{buildroot} STRIP=true install
 
@@ -69,6 +75,36 @@ ln -s ncat %{buildroot}%{_bindir}/nc
 %{_mandir}/man1/*.1.gz
 
 %changelog
+* Wed Jan 15 2025 xingwei <xingwei14@h-partners.com> - 2:7.94-7
+- Type:CVE
+- CVE:CVE-2022-28805
+- SUG:NA
+- DESC:backport lua upstream patch to fix CVE-2022-28805
+
+* Fri Jun 14 2024 xinghe <xinghe2@h-partners.com> - 2:7.94-6
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix license
+
+* Tue Jan 16 2024 xingwei <xingwei14@h-partners.com> - 2:7.94-5
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:remove password printing
+
+* Fri Sep 15 2023 xingwei <xingwei14@h-partners.com> - 2:7.94-4
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:enable dt check
+
+* Tue Sep 12 2023 xingwei <xingwei14@h-partners.com> - 2:7.94-3
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:Ncat server UDP: do not quit after EOF on STDIN
+
 * Wed Aug 23 2023 xingwei <xingwei14@h-partners.com> - 2:7.94-2
 - Type:bugfix
 - CVE:

remove-password-printing.patch

@@ -0,0 +1,200 @@
+From fe806cf15853ecdf6fed2af57f21cf55e3b388b8 Mon Sep 17 00:00:00 2001
+From: gaoxingwang <gaoxingwang1@huawei.com>
+Date: Tue, 31 Jan 2023 16:47:32 +0800
+Subject: [PATCH] remove password printing
+
+---
+ scripts/broadcast-ospf2-discover.nse |  2 +-
+ scripts/cassandra-brute.nse          | 14 +++++++-------
+ scripts/cics-user-brute.nse          |  2 +-
+ scripts/ldap-brute.nse               | 12 ++++++------
+ scripts/nje-pass-brute.nse           |  2 +-
+ scripts/oracle-brute.nse             |  2 +-
+ scripts/tso-brute.nse                |  4 ++--
+ 7 files changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/scripts/broadcast-ospf2-discover.nse b/scripts/broadcast-ospf2-discover.nse
+index ad3fca0..b33c366 100644
+--- a/scripts/broadcast-ospf2-discover.nse
++++ b/scripts/broadcast-ospf2-discover.nse
+@@ -124,7 +124,7 @@ local ospfDumpHello = function(hello)
+   stdnse.print_debug(2, "| Checksum:          %s", hello.header.chksum)
+   stdnse.print_debug(2, "| Auth Type:         %s", hello.header.auth_type)
+   if hello.header.auth_type == 0x01 then
+-    stdnse.print_debug(2, "| Auth Password:     %s", hello.header.auth_data.password)
++    -- stdnse.print_debug(2, "| Auth Password:     %s", hello.header.auth_data.password)
+   elseif hello.header.auth_type == 0x02 then
+     stdnse.print_debug(2, "| Auth Crypt Key ID: %s", hello.header.auth_data.keyid)
+     stdnse.print_debug(2, "| Auth Data Length:  %s", hello.header.auth_data.length)
+diff --git a/scripts/cassandra-brute.nse b/scripts/cassandra-brute.nse
+index 8363c65..c2dd124 100644
+--- a/scripts/cassandra-brute.nse
++++ b/scripts/cassandra-brute.nse
+@@ -54,21 +54,21 @@ Driver = {
+     local status, err = self.socket:send(string.pack(">I4", #loginstr))
+     local combo = username..":"..password
+     if ( not(status) ) then
+-      local err = brute.Error:new( "couldn't send length:"..combo )
++      local err = brute.Error:new( "couldn't send length:" )
+       err:setAbort( true )
+       return false, err
+     end
+ 
+     status, err = self.socket:send(loginstr)
+     if ( not(status) ) then
+-      local err = brute.Error:new( "couldn't send login packet: "..combo )
++      local err = brute.Error:new( "couldn't send login packet: " )
+       err:setAbort( true )
+       return false, err
+     end
+ 
+     local status, response = self.socket:receive_bytes(22)
+     if ( not(status) ) then
+-      local err = brute.Error:new( "couldn't receive login reply size: "..combo )
++      local err = brute.Error:new( "couldn't receive login reply size: " )
+       err:setAbort( true )
+       return false, err
+     end
+@@ -78,16 +78,16 @@ Driver = {
+     magic = string.sub(response,18,22)
+ 
+     if (magic == cassandra.LOGINSUCC) then
+-      stdnse.debug3("Account SUCCESS: "..combo)
++      stdnse.debug3("Account SUCCESS: ")
+       return true, creds.Account:new(username, password, creds.State.VALID)
+     elseif (magic == cassandra.LOGINFAIL) then
+-      stdnse.debug3("Account FAIL: "..combo)
++      stdnse.debug3("Account FAIL: ")
+       return false, brute.Error:new( "Incorrect password" )
+     elseif (magic == cassandra.LOGINACC) then
+-      stdnse.debug3("Account VALID, but wrong password: "..combo)
++      stdnse.debug3("Account VALID, but wrong password: ")
+       return false, brute.Error:new( "Good user, bad password" )
+     else
+-      stdnse.debug3("Unrecognized packet for "..combo)
++      stdnse.debug3("Unrecognized packet for ")
+       stdnse.debug3("packet hex: %s", stdnse.tohex(response) )
+       stdnse.debug3("size packet hex: %s", stdnse.tohex(size) )
+       stdnse.debug3("magic packet hex: %s", stdnse.tohex(magic) )
+diff --git a/scripts/cics-user-brute.nse b/scripts/cics-user-brute.nse
+index 768813e..559d752 100644
+--- a/scripts/cics-user-brute.nse
++++ b/scripts/cics-user-brute.nse
+@@ -176,7 +176,7 @@ Driver = {
+            self.tn3270:find('TSS7000I')  or
+            self.tn3270:find('TSS7110E Password Has Expired. New Password Missing')  or
+            self.tn3270:find('TSS7001I')  then
+-      stdnse.verbose("Valid CICS UserID / Password: " .. user .. "/" .. pass)
++      -- stdnse.verbose("Valid CICS UserID / Password: " .. user .. "/" .. pass)
+       return true, creds.Account:new(user, pass, creds.State.VALID)
+     else
+       -- ok whoa, something happened, print the screen but don't store as valid
+diff --git a/scripts/ldap-brute.nse b/scripts/ldap-brute.nse
+index b239525..085e3a0 100644
+--- a/scripts/ldap-brute.nse
++++ b/scripts/ldap-brute.nse
+@@ -233,7 +233,7 @@ action = function( host, port )
+       -- Login correct, account disabled
+       if not status and response:match("AcceptSecurityContext error, data 533,") then
+         table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account disabled", fq_username, password:len()>0 and password or "<empty>" ) )
+-        stdnse.verbose2("%s:%s => Valid credentials, account disabled", fq_username, password:len()>0 and password or "<empty>" )
++        -- stdnse.verbose2("%s:%s => Valid credentials, account disabled", fq_username, password:len()>0 and password or "<empty>" )
+         credTable:add(fq_username,password, creds.State.DISABLED_VALID)
+         break
+       end
+@@ -241,7 +241,7 @@ action = function( host, port )
+       -- Login correct, user must change password
+       if not status and response:match("AcceptSecurityContext error, data 773,") then
+         table.insert( valid_accounts, string.format("%s:%s => Valid credentials, password must be changed at next logon", fq_username, password:len()>0 and password or "<empty>" ) )
+-        stdnse.verbose2("%s:%s => Valid credentials, password must be changed at next logon", fq_username, password:len()>0 and password or "<empty>")
++        -- stdnse.verbose2("%s:%s => Valid credentials, password must be changed at next logon", fq_username, password:len()>0 and password or "<empty>")
+         credTable:add(fq_username,password, creds.State.CHANGEPW)
+         break
+       end
+@@ -249,7 +249,7 @@ action = function( host, port )
+       -- Login correct, user account expired
+       if not status and response:match("AcceptSecurityContext error, data 701,") then
+         table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account expired", fq_username, password:len()>0 and password or "<empty>" ) )
+-        stdnse.verbose2("%s:%s => Valid credentials, account expired", fq_username, password:len()>0 and password or "<empty>")
++        -- stdnse.verbose2("%s:%s => Valid credentials, account expired", fq_username, password:len()>0 and password or "<empty>")
+         credTable:add(fq_username,password, creds.State.EXPIRED)
+         break
+       end
+@@ -257,7 +257,7 @@ action = function( host, port )
+       -- Login correct, user account logon time restricted
+       if not status and response:match("AcceptSecurityContext error, data 530,") then
+         table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account cannot log in at current time", fq_username, password:len()>0 and password or "<empty>" ) )
+-        stdnse.verbose2("%s:%s => Valid credentials, account cannot log in at current time", fq_username, password:len()>0 and password or "<empty>")
++        -- stdnse.verbose2("%s:%s => Valid credentials, account cannot log in at current time", fq_username, password:len()>0 and password or "<empty>")
+         credTable:add(fq_username,password, creds.State.TIME_RESTRICTED)
+         break
+       end
+@@ -265,7 +265,7 @@ action = function( host, port )
+       -- Login correct, user account can only log in from certain workstations
+       if not status and response:match("AcceptSecurityContext error, data 531,") then
+         table.insert( valid_accounts, string.format("%s:%s => Valid credentials, account cannot log in from current host", fq_username, password:len()>0 and password or "<empty>" ) )
+-        stdnse.verbose2("%s:%s => Valid credentials, account cannot log in from current host", fq_username, password:len()>0 and password or "<empty>")
++        -- stdnse.verbose2("%s:%s => Valid credentials, account cannot log in from current host", fq_username, password:len()>0 and password or "<empty>")
+         credTable:add(fq_username,password, creds.State.HOST_RESTRICTED)
+         break
+       end
+@@ -275,7 +275,7 @@ action = function( host, port )
+         status = is_valid_credential( socket, context )
+         if status then
+           table.insert( valid_accounts, string.format("%s:%s => Valid credentials", fq_username, password:len()>0 and password or "<empty>" ) )
+-          stdnse.verbose2("%s:%s => Valid credentials", fq_username, password:len()>0 and password or "<empty>")
++          -- stdnse.verbose2("%s:%s => Valid credentials", fq_username, password:len()>0 and password or "<empty>")
+           -- Add credentials for other ldap scripts to use
+           if nmap.registry.ldapaccounts == nil then
+             nmap.registry.ldapaccounts = {}
+diff --git a/scripts/nje-pass-brute.nse b/scripts/nje-pass-brute.nse
+index 5cb29f6..1213906 100644
+--- a/scripts/nje-pass-brute.nse
++++ b/scripts/nje-pass-brute.nse
+@@ -113,7 +113,7 @@ Driver = {
+     -- When we send an 'I' record, if the password is invalid it will reply with a 'B' record
+     -- B in EBCDIC is 0xC2
+     if data:sub(19,19) ~= "\xc2" then
+-      stdnse.verbose(2,"Valid NJE Password: %s", password)
++      -- stdnse.verbose(2,"Valid NJE Password: %s", password)
+       return true, creds.Account:new("Password", password, creds.State.VALID)
+     end
+     return false, brute.Error:new( "Invalid Password" )
+diff --git a/scripts/oracle-brute.nse b/scripts/oracle-brute.nse
+index 8a94987..1fb4b0e 100644
+--- a/scripts/oracle-brute.nse
++++ b/scripts/oracle-brute.nse
+@@ -156,7 +156,7 @@ Driver =
+       return true, creds.Account:new(username .. " as sysdba", password, creds.State.VALID)
+     -- check for any other message
+     elseif ( data:match("ORA[-]%d+")) then
+-      stdnse.debug3("username: %s, password: %s, error: %s", username, password, data )
++      -- stdnse.debug3("username: %s, password: %s, error: %s", username, password, data )
+       return false, brute.Error:new(data)
+     -- any other errors are likely communication related, attempt to re-try
+     else
+diff --git a/scripts/tso-brute.nse b/scripts/tso-brute.nse
+index ff52c0c..2690a13 100644
+--- a/scripts/tso-brute.nse
++++ b/scripts/tso-brute.nse
+@@ -99,7 +99,7 @@ Driver = {
+     local skip = self.options['skip']
+     stdnse.debug(2,"Getting to TSO")
+     local run = stringaux.strsplit(";%s*", commands)
+-    stdnse.verbose(2,"Trying User ID/Password: %s/%s", user, pass)
++    -- stdnse.verbose(2,"Trying User ID/Password: %s/%s", user, pass)
+     for i = 1, #run do
+       stdnse.debug(2,"Issuing Command (#%s of %s): %s", i, #run ,run[i])
+       if i == #run and run[i]:upper():find("LOGON APPLID") and skip then
+@@ -159,7 +159,7 @@ Driver = {
+       return false,  brute.Error:new( "User ID not authorized to use TSO" )
+     else
+       -- It's a valid account so lets try a password
+-      stdnse.debug(2,"%s is a valid TSO User ID. Trying Password: %s", string.upper(user), pass)
++      -- stdnse.debug(2,"%s is a valid TSO User ID. Trying Password: %s", string.upper(user), pass)
+       if always_logon then
+         local writeable = self.tn3270:writeable()
+         -- This turns on the 'reconnect' which may boot users off
+-- 
+2.33.0
+