
From: David Seifert <soap@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-lang/lua/files/, dev-lang/lua/
Date: Mon, 26 Sep 2022 15:43:51
Message-Id: 1664207014.4fb0d3e7e9eafdd19a6931dce5948016ddc351e0.soap@gentoo
1 commit: 4fb0d3e7e9eafdd19a6931dce5948016ddc351e0
2 Author: Federico Denkena <federico.denkena <AT> posteo <DOT> de>
3 AuthorDate: Mon Sep 26 15:43:34 2022 +0000
4 Commit: David Seifert <soap <AT> gentoo <DOT> org>
5 CommitDate: Mon Sep 26 15:43:34 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fb0d3e7
7
8 dev-lang/lua: Fix for CVE-2022-28805
9
10 This commit fixes CVE-2022-28805 (patch from upstream, slightly modified
11 due to changed file paths in gentoo).
12
13 Closes: https://github.com/gentoo/gentoo/pull/27423
14 Bug: https://bugs.gentoo.org/837521
15 Signed-off-by: Federico Denkena <federico.denkena <AT> posteo.de>
16 Signed-off-by: David Seifert <soap <AT> gentoo.org>
17
18 .../lua/files/lua-5.4.4-lparser-overread.patch | 34 ++++++++++++++++++++++
19 ...lua-5.4.4-r102.ebuild => lua-5.4.4-r103.ebuild} | 4 +++
20 2 files changed, 38 insertions(+)
21
22 diff --git a/dev-lang/lua/files/lua-5.4.4-lparser-overread.patch b/dev-lang/lua/files/lua-5.4.4-lparser-overread.patch
23 new file mode 100644
24 index 000000000000..3e625aa4ffc0
25 --- /dev/null
26 +++ b/dev-lang/lua/files/lua-5.4.4-lparser-overread.patch
27 @@ -0,0 +1,34 @@
28 +From https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
29 +From: Roberto Ierusalimschy <roberto@×××××××××××.br>
30 +Date: Tue, 15 Feb 2022 12:28:46 -0300
31 +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
32 +
33 +--- a/src/lparser.c
34 ++++ b/src/lparser.c
35 +@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
36 + expdesc key;
37 + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
38 + lua_assert(var->k != VVOID); /* this one must exist */
39 ++ luaK_exp2anyregup(fs, var); /* but could be a constant */
40 + codestring(&key, varname); /* key is variable name */
41 + luaK_indexed(fs, var, &key); /* env[varname] */
42 + }
43 +--- a/tests/attrib.lua
44 ++++ b/tests/attrib.lua
45 +@@ -434,6 +434,16 @@ a.aVeryLongName012345678901234567890123456789012345678901234567890123456789 ==
46 + 10)
47 +
48 +
49 ++do
50 ++ -- _ENV constant
51 ++ local function foo ()
52 ++ local _ENV <const> = 11
53 ++ X = "hi"
54 ++ end
55 ++ local st, msg = pcall(foo)
56 ++ assert(not st and string.find(msg, "number"))
57 ++end
58 ++
59 +
60 + -- test of large float/integer indices
61 +
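Review bot: The header of the embedded patch (its `From:`/`Subject:` lines at the top of the new file) never names CVE-2022-28805 or the Gentoo bug. The file name says "overread" while the upstream subject describes wrong code generation for a `<const>` `_ENV`, so the link between this file and the advisory lives only in the commit message. Adding `Bug: https://bugs.gentoo.org/837521` and a line naming CVE-2022-28805 under the `Subject:` line would keep that link with the patch when it is rebased or dropped on a later version bump. The patch also carries a hunk for `tests/attrib.lua`; whether that path exists in the unpacked source tree is not visible here, and if it does not, the patch would presumably fail to apply in `src_prepare`, so confirm the path or drop that hunk.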
62
63 diff --git a/dev-lang/lua/lua-5.4.4-r102.ebuild b/dev-lang/lua/lua-5.4.4-r103.ebuild
64 similarity index 96%
65 rename from dev-lang/lua/lua-5.4.4-r102.ebuild
66 rename to dev-lang/lua/lua-5.4.4-r103.ebuild
67 index 1667e6078222..6d39113fa1a3 100644
68 --- a/dev-lang/lua/lua-5.4.4-r102.ebuild
69 +++ b/dev-lang/lua/lua-5.4.4-r103.ebuild
70 @@ -22,6 +22,10 @@ DEPEND="
71 RDEPEND="${DEPEND}"
72 BDEPEND="virtual/pkgconfig"
73
74 +PATCHES=(
75 + "${FILESDIR}/${P}-lparser-overread.patch"
76 +)
77 +
78 src_prepare() {
79 default