!78 [sync] PR-74: fix CVE-2020-24370

From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

backport-CVE-2020-24370.patch

@@ -0,0 +1,36 @@
+From b5bc89846721375fe30772eb8c5ab2786f362bf9 Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Mon, 3 Aug 2020 16:25:28 -0300
+Subject: [PATCH] Fixed bug: Negation overflow in getlocal/setlocal
+
+---
+ com32/lua/src/ldebug.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/com32/lua/src/ldebug.c b/com32/lua/src/ldebug.c
+index e1389296e..bb0e1d4ac 100644
+--- a/com32/lua/src/ldebug.c
++++ b/com32/lua/src/ldebug.c
+@@ -133,10 +133,11 @@ static const char *upvalname (Proto *p, int uv) {
+ 
+ static const char *findvararg (CallInfo *ci, int n, StkId *pos) {
+   int nparams = clLvalue(ci->func)->p->numparams;
+-  if (n >= ci->u.l.base - ci->func - nparams)
++  int nvararg = ci->u.l.base - ci->func - nparams;
++  if (n <= -nvararg)
+     return NULL;  /* no such vararg */
+   else {
+-    *pos = ci->func + nparams + n;
++    *pos = ci->func + nparams - n;
+     return "(*vararg)";  /* generic name for any vararg */
+   }
+ }
+@@ -148,7 +149,7 @@ static const char *findlocal (lua_State *L, CallInfo *ci, int n,
+   StkId base;
+   if (isLua(ci)) {
+     if (n < 0)  /* access to vararg values? */
+-      return findvararg(ci, -n, pos);
++      return findvararg(ci, n, pos);
+     else {
+       base = ci->u.l.base;
+       name = luaF_getlocalname(ci_func(ci)->p, n, currentpc(ci));

syslinux.spec

@@ -2,7 +2,7 @@
 
 Name:           syslinux
 Version:        6.04
-Release:        12
+Release:        17
 License:        GPLv2+
 Summary:        The Syslinux boot loader collection
 URL:            http://syslinux.zytor.com/wiki/index.php/The_Syslinux_Project
@@ -26,6 +26,9 @@ Patch0003:      0003-include-sysmacros-h.patch
 Patch0004:      backport-replace-builtin-strlen-that-appears-to-get-optimized.patch
 Patch0005:      backport-add-RPMOPTFLAGS-to-CFLAGS-for-some-stuff.patch
 Patch0006:      backport-tweak-for-gcc-10.patch
+Patch0007:      backport-zlib-update.patch
+Patch0008:      backport-libpng-update-to-1.6.36.patch
+Patch0009:      backport-CVE-2020-24370.patch
 
 %description
 The Syslinux Project covers lightweight bootloaders for MS-DOS FAT filesystems (SYSLINUX),
@@ -121,7 +124,7 @@ fi
 %files
 %doc COPYING NEWS README*
 %doc doc/* sample
-%{_mandir}/man1/{gethostip*,extlinux*,isohybrid*,memdiskfind*,syslinux.1.gz}
+%{_mandir}/man1/{gethostip*,isohybrid*,memdiskfind*,syslinux.1.gz}
 %{_datadir}/doc/syslinux/sample/sample.msg 
 %{_bindir}/{gethostip,isohybrid,memdiskfind,syslinux}
 %dir %{_datadir}/syslinux/dosutil
@@ -142,6 +145,7 @@ fi
 %{_datadir}/syslinux/com32/*
 
 %files extlinux
+%{_mandir}/man1/extlinux*
 /sbin/extlinux
 %config /etc/extlinux.conf
 
@@ -160,6 +164,23 @@ fi
 %{_datadir}/syslinux/efi64
 
 %changelog
+* Wed Mar 12 2025 lingsheng <lingsheng1@h-partners.com> - 6.04-17
+- fix CVE-2020-24370
+
+* Thu Aug 29 2024 lingsheng <lingsheng1@h-partners.com> - 6.04-16
+- update libpng 1.6.36 to fix CVE-2011-2501 CVE-2011-2690 CVE-2011-2691
+- CVE-2011-2692 CVE-2011-3045 CVE-2011-3048 CVE-2012-3425 CVE-2015-7981
+- CVE-2015-8126 CVE-2015-8472 CVE-2015-8540 CVE-2016-10087 CVE-2017-12652
+
+* Thu Aug 01 2024 lingsheng <lingsheng1@h-partners.com> - 6.04-15
+- Clean changelog format, fix yaml
+
+* Tue Jul 11 2023 zhangpan <zhangpan103@h-partners.com> - 6.04-14
+- fix CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843
+
+* Tue May 24 2022 hanhui <hanhui15@h-partners.com> - 6.04-13
+- package the extlinux* file into the syslinux-extlinux.rpm
+
 * Mon Apr 18 2022 hanhui <hanhui15@h-partners.com> - 6.04-12
 - slove duplicate package files
 

syslinux.yaml

@@ -1,4 +1,4 @@
 version_control: git
 src_repo: https://repo.or.cz/syslinux.git
 tag_prefix: syslinux-
-seperator: .
+separator: .