summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorA. Wilcox <AWilcox@Wilcox-Tech.com>2020-09-23 03:25:04 +0000
committerA. Wilcox <AWilcox@Wilcox-Tech.com>2020-09-23 03:25:04 +0000
commite0ff67df53d0141688036ece17d592c58b77261d (patch)
tree296a7c5668bd9d4b9a8c094aa84c22e976140e1f
parent3c4177d97553636bbfb373c2d0e9c3448a772a74 (diff)
downloadpackages-e0ff67df53d0141688036ece17d592c58b77261d.tar.gz
packages-e0ff67df53d0141688036ece17d592c58b77261d.tar.bz2
packages-e0ff67df53d0141688036ece17d592c58b77261d.tar.xz
packages-e0ff67df53d0141688036ece17d592c58b77261d.zip
system/lua5.3: Patch CVE-2020-24370
-rw-r--r--system/lua5.3/APKBUILD10
-rw-r--r--system/lua5.3/CVE-2020-24370.patch36
2 files changed, 43 insertions, 3 deletions
diff --git a/system/lua5.3/APKBUILD b/system/lua5.3/APKBUILD
index 11e7b4e06..5786668d5 100644
--- a/system/lua5.3/APKBUILD
+++ b/system/lua5.3/APKBUILD
@@ -3,7 +3,7 @@ pkgname=lua5.3
_pkgname=lua
pkgver=5.3.5
_luaver=${pkgname#lua}
-pkgrel=1
+pkgrel=2
pkgdesc="Embeddable programming language"
url="https://www.lua.org/"
arch="all"
@@ -19,12 +19,15 @@ source="https://www.lua.org/ftp/$_pkgname-$pkgver.tar.gz
lua-5.3-module_paths.patch
linenoise.patch
CVE-2019-6706.patch
+ CVE-2020-24370.patch
"
builddir="$srcdir/$_pkgname-$pkgver"
# secfixes: lua
+# 5.3.5-r2:
+# - CVE-2020-24370
# 5.3.5-r1:
-# - CVE-2019-6706.patch
+# - CVE-2019-6706
prepare() {
default_prepare
@@ -132,4 +135,5 @@ sha512sums="4f9516acc4659dfd0a9e911bfa00c0788f0ad9348e5724fe8fb17aac59e9c0060a64
1bc6c623024c1738155b30ff9c0edcce0f336edc25aa20c3a1400c859421ea2015d75175cce8d515e055ac3e96028426b74812e04022af18a0ed4c4601556027 lua-5.3-make.patch
bc68772390dc8d8940176af0b9fbacc0af61891b5d27de5f1466a4e7f9b3291a1c08ba5add829bc96b789a53fa5ec2dadaa096ca6eabe54ec27724fa2810940f lua-5.3-module_paths.patch
49880d1131b7bd2a3169a26f401769a91d9a6a62cefe68aa5a89097139289588b7ef753535a2d0ba7f45c0369c760554940fd810716b7b1353deace32432fcfe linenoise.patch
-77755c083630d48404178012d5947230675311a15f0f5e30efa72004edf3124615fa9080b739240213c013efb015689e09ee653a41d560964a3df78a8fe0fd8d CVE-2019-6706.patch"
+77755c083630d48404178012d5947230675311a15f0f5e30efa72004edf3124615fa9080b739240213c013efb015689e09ee653a41d560964a3df78a8fe0fd8d CVE-2019-6706.patch
+0c28366d352e3e6660413d16c1deaa0b1c6070170c13d95ae7a48b6b39c728a16d3f2a6068f665b3ec3e17f4f69d006625af074a4ddb51c8f3845d567c0dd809 CVE-2020-24370.patch"
diff --git a/system/lua5.3/CVE-2020-24370.patch b/system/lua5.3/CVE-2020-24370.patch
new file mode 100644
index 000000000..0bfce24b1
--- /dev/null
+++ b/system/lua5.3/CVE-2020-24370.patch
@@ -0,0 +1,36 @@
+From b5bc89846721375fe30772eb8c5ab2786f362bf9 Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Mon, 3 Aug 2020 16:25:28 -0300
+Subject: [PATCH] Fixed bug: Negation overflow in getlocal/setlocal
+
+---
+ ldebug.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ldebug.c b/ldebug.c
+index e1389296e..bb0e1d4ac 100644
+--- a/src/ldebug.c
++++ b/src/ldebug.c
+@@ -133,10 +133,11 @@ static const char *upvalname (Proto *p, int uv) {
+
+ static const char *findvararg (CallInfo *ci, int n, StkId *pos) {
+ int nparams = clLvalue(ci->func)->p->numparams;
+- if (n >= cast_int(ci->u.l.base - ci->func) - nparams)
++ int nvararg = cast_int(ci->u.l.base - ci->func) - nparams;
++ if (n <= -nvararg)
+ return NULL; /* no such vararg */
+ else {
+- *pos = ci->func + nparams + n;
++ *pos = ci->func + nparams - n;
+ return "(*vararg)"; /* generic name for any vararg */
+ }
+ }
+@@ -148,7 +149,7 @@ static const char *findlocal (lua_State *L, CallInfo *ci, int n,
+ StkId base;
+ if (isLua(ci)) {
+ if (n < 0) /* access to vararg values? */
+- return findvararg(ci, -n, pos);
++ return findvararg(ci, n, pos);
+ else {
+ base = ci->u.l.base;
+ name = luaF_getlocalname(ci_func(ci)->p, n, currentpc(ci));