author | Natanael Copa <ncopa@alpinelinux.org> | 2019-05-06 17:03:40 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-05-06 17:03:40 +0000 |
commit | 7571f6ce08088d0644c95da6b1c4a780078951a8 (patch) | |
tree | 3c3cbde408dd03180f233e44760c6f3498a3c1b1 | |
parent | 302749e2d5084f8f091e4614d4393b0d98961c7d (diff) | |
download | aports-7571f6ce08088d0644c95da6b1c4a780078951a8.tar.bz2 aports-7571f6ce08088d0644c95da6b1c4a780078951a8.tar.xz |
main/lua5.3: security fix for CVE-2019-6706
fixes #10252
-rw-r--r-- | main/lua5.3/APKBUILD | 10 | ||||
-rw-r--r-- | main/lua5.3/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch | 24 |
2 files changed, 32 insertions, 2 deletions
diff --git a/main/lua5.3/APKBUILD b/main/lua5.3/APKBUILD
index b766890dcd..3c9bc989c3 100644
--- a/main/lua5.3/APKBUILD
+++ b/main/lua5.3/APKBUILD
@@ -3,7 +3,7 @@ pkgname=lua5.3
 _pkgname=lua
 pkgver=5.3.5
 _luaver=${pkgname#lua}
-pkgrel=1
+pkgrel=2
 pkgdesc="Powerful light-weight programming language"
 url="https://www.lua.org/"
 arch="all"
@@ -17,9 +17,14 @@ source="https://www.lua.org/ftp/$_pkgname-$pkgver.tar.gz
 lua-5.3-make.patch
 lua-5.3-module_paths.patch
 linenoise.patch
+ CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
 "
 builddir="$srcdir/$_pkgname-$pkgver"

+# secfixes:
+# 5.3.5-r2:
+# - CVE-2019-6706
+
 prepare() {
 default_prepare
 cd "$builddir"
@@ -138,4 +143,5 @@ libs() {
 sha512sums="4f9516acc4659dfd0a9e911bfa00c0788f0ad9348e5724fe8fb17aac59e9c0060a64378f82be86f8534e49c6c013e7488ad17321bafcc787831d3d67406bd0f4 lua-5.3.5.tar.gz
 1bc6c623024c1738155b30ff9c0edcce0f336edc25aa20c3a1400c859421ea2015d75175cce8d515e055ac3e96028426b74812e04022af18a0ed4c4601556027 lua-5.3-make.patch
 bc68772390dc8d8940176af0b9fbacc0af61891b5d27de5f1466a4e7f9b3291a1c08ba5add829bc96b789a53fa5ec2dadaa096ca6eabe54ec27724fa2810940f lua-5.3-module_paths.patch
-a2edcf5a41513492edff5fa6e97652e676ceb6c66bb2c6a7e6f345570248d7646167f0172ceb07a74fd9d4a43051ed8244fbd94706dd9f5593f174075592a527 linenoise.patch"
+a2edcf5a41513492edff5fa6e97652e676ceb6c66bb2c6a7e6f345570248d7646167f0172ceb07a74fd9d4a43051ed8244fbd94706dd9f5593f174075592a527 linenoise.patch
+0cb3f6e2d8e88d3619fba99af2ae7145b0a51a9e3706e74192afd7e7804e774fc74605a54890911a991a834eb517722767871922ae5b00adfdb5c8d1d13bfa6e CVE-2019-6706-use-after-free-lua_upvaluejoin.patch"
diff --git a/main/lua5.3/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch b/main/lua5.3/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
new file mode 100644
index 0000000000..74ceb6eac8
--- /dev/null
+++ b/main/lua5.3/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
@@ -0,0 +1,24 @@
+http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
+
+--- a/src/lapi.c
++++ b/src/lapi.c
+@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
+
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+ int fidx2, int n2) {
+- LClosure *f1;
+- UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
++ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
+ UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++ if (*up1 == *up2) return; /* Already joined */
++ (*up2)->refcount++;
++ if (upisopen(*up2)) (*up2)->u.open.touched = 1;
++ luaC_upvalbarrier(L, *up2);
+ luaC_upvdeccount(L, *up1);
+ *up1 = *up2;
+- (*up1)->refcount++;
+- if (upisopen(*up1)) (*up1)->u.open.touched = 1;
+- luaC_upvalbarrier(L, *up1);
+ }
+
+
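Review bot: The two comments added in lua_upvaluejoin label the lines but do not say why the order of operations changed, and that ordering is the substance of the fix. As far as the embedded hunk shows, the old body called luaC_upvdeccount on *up1 before taking a reference on *up2, so two slots sharing one UpVal could see it released and then used; I would state that above the increment, e.g. `/* take the reference on *up2 before releasing *up1, so an UpVal shared by both slots is never freed while still in use */`. The patch file's header is only a mailing-list archive URL over plain http, so a line naming the author and the upstream status of the change would tell a later maintainer when this file can be dropped. getupvalref is defined outside the hunk, so whether it rejects invalid indices before the new `*up1 == *up2` dereference cannot be confirmed from here.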