From 10a653b441d3a01a59ed6baaa15267794e4aabc6 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 28 Feb 2023 07:54:13 +0000
Subject: [PATCH] import lua-5.4.4-2.el9_1

---
 .gitignore | 4 ++--
 .lua.metadata | 4 ++--
 SOURCES/lua-5.4.2-CVE-2022-33099.patch | 4 ++--
 SPECS/lua.spec | 19 +++++++++++++------
 4 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/.gitignore b/.gitignore
index da39ea2..1431b81 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/lua-5.3.5.tar.gz
-SOURCES/lua-5.4.2-tests.tar.gz
-SOURCES/lua-5.4.2.tar.gz
+SOURCES/lua-5.4.4-tests.tar.gz
+SOURCES/lua-5.4.4.tar.gz
diff --git a/.lua.metadata b/.lua.metadata
index 817bfa5..71ad1e1 100644
--- a/.lua.metadata
+++ b/.lua.metadata
@@ -1,3 +1,3 @@
 112eb10ff04d1b4c9898e121d6bdf54a81482447 SOURCES/lua-5.3.5.tar.gz
-b75f55632c69f0fff8fa944ac56804a7b8871b94 SOURCES/lua-5.4.2-tests.tar.gz
-96d4a21393c94bed286b8dc0568f4bdde8730b22 SOURCES/lua-5.4.2.tar.gz
+062af7753cd387eea23052fbcad26616a48acadc SOURCES/lua-5.4.4-tests.tar.gz
+03c27684b9d5d9783fb79a7c836ba1cdc5f309cd SOURCES/lua-5.4.4.tar.gz
diff --git a/SOURCES/lua-5.4.2-CVE-2022-33099.patch b/SOURCES/lua-5.4.2-CVE-2022-33099.patch
index 1a2ba97..39b35ea 100644
--- a/SOURCES/lua-5.4.2-CVE-2022-33099.patch
+++ b/SOURCES/lua-5.4.2-CVE-2022-33099.patch
@@ -30,8 +30,8 @@ diff -up lua-5.4.2/src/lvm.c.orig lua-5.4.2/src/lvm.c
 /* collect total length and number of strings */
 for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
 size_t l = vslen(s2v(top - n - 1));
-- if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
-+ if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+- if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
++ if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
 + L->top = top - total; /* pop strings to avoid wasting stack */
 luaG_runerror(L, "string length overflow");
 + }
diff --git a/SPECS/lua.spec b/SPECS/lua.spec
index 574795d..f7eaff7 100644
--- a/SPECS/lua.spec
+++ b/SPECS/lua.spec
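Review bot: The carried patch is regenerated against 5.4.4 context (`l_unlikely` replaces `unlikely` in the inner `if` lines), yet its file name and the embedded `diff -up lua-5.4.2/src/lvm.c.orig lua-5.4.2/src/lvm.c` header still say 5.4.2, so the name no longer tells a reader which upstream the hunk was taken from. With a `-p1` apply the leading directory is stripped and the patch presumably still applies, but renaming it to `lua-5.4.4-CVE-2022-33099.patch` (together with the matching `Patch:` line in lua.spec, which is outside this diff) or adding a header line such as `# Rebased onto lua 5.4.4 (unlikely -> l_unlikely); upstream fix for CVE-2022-33099` would make the provenance explicit. The patch file's own `---`/`+++`/`@@` lines for lvm.c and the remainder of the `luaV_concat` hunk lie outside this outer hunk.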
@@ -1,6 +1,6 @@
 %global major_version 5.4
 # Normally, this is the same as version, but... not always.
-%global test_version 5.4.2
+%global test_version 5.4.4
 # If you are incrementing major_version, enable bootstrapping and adjust accordingly.
 # Version should be the latest prior build. If you don't do this, RPM will break and
 # everything will grind to a halt.
@@ -13,8 +13,8 @@
 Name: lua
-Version: %{major_version}.2
-Release: 4%{?dist}.3
+Version: %{major_version}.4
+Release: 2%{?dist}
 Summary: Powerful light-weight programming language
 License: MIT
 URL: http://www.lua.org/
@@ -211,13 +211,20 @@ popd
 %{_libdir}/*.a
 
 %changelog
-* Fri Oct 21 2022 Michal Domonkos - 5.4.2-4.3
+* Fri Feb 03 2023 Florian Festi - 5.4.4-2
+- Resolves CVE-2021-43519
+
+* Tue Jan 24 2023 Florian Festi - 5.4.4-1
+- Rebase to lua 5.4.4
+- Resolves CVE-2021-44964
+
+* Tue Oct 25 2022 Michal Domonkos - 5.4.2-7
 - Fix up CVE-2022-33099 patch
 
-* Mon Oct 17 2022 Michal Domonkos - 5.4.2-4.2
+* Mon Oct 17 2022 Michal Domonkos - 5.4.2-6
 - Enable gating
 
-* Mon Oct 17 2022 Michal Domonkos - 5.4.2-4.1
+* Mon Oct 17 2022 Michal Domonkos - 5.4.2-5
 - apply upstream fix for CVE-2022-33099
 
 * Mon Aug 09 2021 Mohan Boddu - 5.4.2-4
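Review bot: The new `5.4.4-2` changelog entry states `- Resolves CVE-2021-43519`, but nothing in the spec hunks adds a `Patch:` or `Source:` for it, and the `5.4.4-1` entry ties `CVE-2021-44964` to the rebase alone; if both fixes come from the upstream 5.4.4 tarball rather than from a distro patch, the entries should say so, e.g. `- Resolves CVE-2021-43519 (fixed upstream in 5.4.4, no separate patch)`, so a later audit of the patch list does not go looking for a file that does not exist. In the same hunk the three earlier entries are renumbered from `5.4.2-4.1`/`-4.2`/`-4.3` to `5.4.2-5`/`-6`/`-7` (with the `-4.3` entry also re-dated to Oct 25), while `Release:` drops from `4%{?dist}.3` to `2%{?dist}`; that presumably reconciles a z-stream numbering with the stream's, but a one-line comment on the first renumbered entry would keep it from reading as a history rewrite. The `Patch:` declarations and the remainder of `%changelog` lie outside the hunks shown.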