Commit ebd55722 authored by Natanael Copa's avatar Natanael Copa

main/lua5.3: security fix for CVE-2019-6706

fixes #10253
parent 82448d58
......@@ -3,7 +3,7 @@ pkgname=lua5.3
_pkgname=lua
pkgver=5.3.5
_luaver=${pkgname#lua}
pkgrel=1
pkgrel=2
pkgdesc="Powerful light-weight programming language"
url="https://www.lua.org/"
arch="all"
......@@ -17,9 +17,14 @@ source="https://www.lua.org/ftp/$_pkgname-$pkgver.tar.gz
lua-5.3-make.patch
lua-5.3-module_paths.patch
linenoise.patch
CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
"
builddir="$srcdir/$_pkgname-$pkgver"
# secfixes:
# 5.3.5-r2:
# - CVE-2019-6706
prepare() {
default_prepare
cd "$builddir"
......@@ -138,4 +143,5 @@ libs() {
sha512sums="4f9516acc4659dfd0a9e911bfa00c0788f0ad9348e5724fe8fb17aac59e9c0060a64378f82be86f8534e49c6c013e7488ad17321bafcc787831d3d67406bd0f4 lua-5.3.5.tar.gz
1bc6c623024c1738155b30ff9c0edcce0f336edc25aa20c3a1400c859421ea2015d75175cce8d515e055ac3e96028426b74812e04022af18a0ed4c4601556027 lua-5.3-make.patch
bc68772390dc8d8940176af0b9fbacc0af61891b5d27de5f1466a4e7f9b3291a1c08ba5add829bc96b789a53fa5ec2dadaa096ca6eabe54ec27724fa2810940f lua-5.3-module_paths.patch
a2edcf5a41513492edff5fa6e97652e676ceb6c66bb2c6a7e6f345570248d7646167f0172ceb07a74fd9d4a43051ed8244fbd94706dd9f5593f174075592a527 linenoise.patch"
a2edcf5a41513492edff5fa6e97652e676ceb6c66bb2c6a7e6f345570248d7646167f0172ceb07a74fd9d4a43051ed8244fbd94706dd9f5593f174075592a527 linenoise.patch
fde7f5f5a184cd393665c7c8c7ba3c728e1413df5f63dbe60855af13ddd313d9300720298534f4312638ddf59fa678a38f708bce622dd7a2298b4ed87c068ae7 CVE-2019-6706-use-after-free-lua_upvaluejoin.patch"
http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
--- a/src/lapi.c
+++ b/src/lapi.c
@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
int fidx2, int n2) {
- LClosure *f1;
- UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
+ if (*up1 == *up2) return; /* Already joined */
+ (*up2)->refcount++;
+ if (upisopen(*up2)) (*up2)->u.open.touched = 1;
+ luaC_upvalbarrier(L, *up2);
luaC_upvdeccount(L, *up1);
*up1 = *up2;
- (*up1)->refcount++;
- if (upisopen(*up1)) (*up1)->u.open.touched = 1;
- luaC_upvalbarrier(L, *up1);
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment