From 4fb0d3e7e9eafdd19a6931dce5948016ddc351e0 Mon Sep 17 00:00:00 2001 From: Federico Denkena Date: Mon, 26 Sep 2022 17:43:34 +0200 Subject: dev-lang/lua: Fix for CVE-2022-28805 This commit fixes CVE-2022-28805 (patch from upstream, slightly modified due to changed file paths in gentoo). Closes: https://github.com/gentoo/gentoo/pull/27423 Bug: https://bugs.gentoo.org/837521 Signed-off-by: Federico Denkena Signed-off-by: David Seifert --- .../lua/files/lua-5.4.4-lparser-overread.patch | 34 ++++++++++++++ dev-lang/lua/lua-5.4.4-r102.ebuild | 50 -------------------- dev-lang/lua/lua-5.4.4-r103.ebuild | 54 ++++++++++++++++++++++ 3 files changed, 88 insertions(+), 50 deletions(-) create mode 100644 dev-lang/lua/files/lua-5.4.4-lparser-overread.patch delete mode 100644 dev-lang/lua/lua-5.4.4-r102.ebuild create mode 100644 dev-lang/lua/lua-5.4.4-r103.ebuild (limited to 'dev-lang') diff --git a/dev-lang/lua/files/lua-5.4.4-lparser-overread.patch b/dev-lang/lua/files/lua-5.4.4-lparser-overread.patch new file mode 100644 index 000000000000..3e625aa4ffc0 --- /dev/null +++ b/dev-lang/lua/files/lua-5.4.4-lparser-overread.patch @@ -0,0 +1,34 @@ +From https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy +Date: Tue, 15 Feb 2022 12:28:46 -0300 +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is + +--- a/src/lparser.c ++++ b/src/lparser.c +@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) { + expdesc key; + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ + lua_assert(var->k != VVOID); /* this one must exist */ ++ luaK_exp2anyregup(fs, var); /* but could be a constant */ + codestring(&key, varname); /* key is variable name */ + luaK_indexed(fs, var, &key); /* env[varname] */ + } +--- a/tests/attrib.lua ++++ b/tests/attrib.lua +@@ -434,6 +434,16 @@ a.aVeryLongName012345678901234567890123456789012345678901234567890123456789 == + 10) + + ++do ++ -- _ENV constant ++ local function foo () ++ local _ENV = 11 ++ X = "hi" ++ end ++ local st, msg = pcall(foo) ++ assert(not st and string.find(msg, "number")) ++end ++ + + -- test of large float/integer indices + diff --git a/dev-lang/lua/lua-5.4.4-r102.ebuild b/dev-lang/lua/lua-5.4.4-r102.ebuild deleted file mode 100644 index 1667e6078222..000000000000 --- a/dev-lang/lua/lua-5.4.4-r102.ebuild +++ /dev/null @@ -1,50 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit flag-o-matic optfeature - -DESCRIPTION="A powerful light-weight programming language designed for extending applications" -HOMEPAGE="https://www.lua.org/" -# tarballs produced from ${PV} branches in https://gitweb.gentoo.org/proj/lua-patches.git -SRC_URI="https://dev.gentoo.org/~soap/distfiles/${P}.tar.xz" - -LICENSE="MIT" -SLOT="5.4" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -IUSE="+deprecated readline" - -DEPEND=" - >=app-eselect/eselect-lua-3 - readline? ( sys-libs/readline:= ) - !dev-lang/lua:0" -RDEPEND="${DEPEND}" -BDEPEND="virtual/pkgconfig" - -src_prepare() { - default - - if use elibc_musl; then - # locales on musl are non-functional (#834153) - # https://wiki.musl-libc.org/open-issues.html#Locale-limitations - sed -e 's|os.setlocale("pt_BR") or os.setlocale("ptb")|false|g' \ - -i tests/literals.lua || die - fi -} - -src_configure() { - use deprecated && append-cppflags -DLUA_COMPAT_5_3 - econf $(use_with readline) -} - -src_install() { - default - find "${ED}" -name '*.la' -delete || die -} - -pkg_postinst() { - eselect lua set --if-unset "${PN}${SLOT}" - - optfeature "Lua support for Emacs" app-emacs/lua-mode -} diff --git a/dev-lang/lua/lua-5.4.4-r103.ebuild b/dev-lang/lua/lua-5.4.4-r103.ebuild new file mode 100644 index 000000000000..6d39113fa1a3 --- /dev/null +++ b/dev-lang/lua/lua-5.4.4-r103.ebuild @@ -0,0 +1,54 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit flag-o-matic optfeature + +DESCRIPTION="A powerful light-weight programming language designed for extending applications" +HOMEPAGE="https://www.lua.org/" +# tarballs produced from ${PV} branches in https://gitweb.gentoo.org/proj/lua-patches.git +SRC_URI="https://dev.gentoo.org/~soap/distfiles/${P}.tar.xz" + +LICENSE="MIT" +SLOT="5.4" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="+deprecated readline" + +DEPEND=" + >=app-eselect/eselect-lua-3 + readline? ( sys-libs/readline:= ) + !dev-lang/lua:0" +RDEPEND="${DEPEND}" +BDEPEND="virtual/pkgconfig" + +PATCHES=( + "${FILESDIR}/${P}-lparser-overread.patch" +) + +src_prepare() { + default + + if use elibc_musl; then + # locales on musl are non-functional (#834153) + # https://wiki.musl-libc.org/open-issues.html#Locale-limitations + sed -e 's|os.setlocale("pt_BR") or os.setlocale("ptb")|false|g' \ + -i tests/literals.lua || die + fi +} + +src_configure() { + use deprecated && append-cppflags -DLUA_COMPAT_5_3 + econf $(use_with readline) +} + +src_install() { + default + find "${ED}" -name '*.la' -delete || die +} + +pkg_postinst() { + eselect lua set --if-unset "${PN}${SLOT}" + + optfeature "Lua support for Emacs" app-emacs/lua-mode +} -- cgit v1.2.3-65-gdbad