From 926225d088a904d9b43e392b1fb00d6907796812 Mon Sep 17 00:00:00 2001 From: Daniel McIlvaney Date: Mon, 28 Sep 2020 16:11:38 -0700 Subject: [PATCH 1/3] nopatch lua CVE-2020-15889 Signed-off-by: Daniel McIlvaney --- SPECS/lua/CVE-2020-15889.nopatch | 1 + SPECS/lua/lua.spec | 56 +++++++++++++++++--------------- 2 files changed, 31 insertions(+), 26 deletions(-) create mode 100644 SPECS/lua/CVE-2020-15889.nopatch diff --git a/SPECS/lua/CVE-2020-15889.nopatch b/SPECS/lua/CVE-2020-15889.nopatch new file mode 100644 index 00000000000..ff2357d7478 --- /dev/null +++ b/SPECS/lua/CVE-2020-15889.nopatch @@ -0,0 +1 @@ +# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 3.3.5 is not affected. \ No newline at end of file diff --git a/SPECS/lua/lua.spec b/SPECS/lua/lua.spec index dc419681c2a..bc2ed099bb1 100644 --- a/SPECS/lua/lua.spec +++ b/SPECS/lua/lua.spec @@ -4,7 +4,7 @@ Summary: Programming language Name: lua Version: 5.3.5 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT URL: https://www.lua.org Group: Development/Tools @@ -13,6 +13,8 @@ Distribution: Mariner Source0: https://www.lua.org/ftp/%{name}-%{version}.tar.gz Source1: %{LICENSE_PATH} Patch0: lua-5.3.4-shared_library-1.patch +# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 3.3.5 is not affected. +Patch1: CVE-2020-15889.nopatch BuildRequires: readline-devel Requires: readline @@ -22,8 +24,8 @@ applications. Lua is also frequently used as a general-purpose, stand-alone language. Lua is free software %package devel -Summary: Libraries and header files for lua -Requires: %{name} = %{version} +Summary: Libraries and header files for lua +Requires: %{name} = %{version} %description devel Static libraries and header files for the support library for lua 
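Review bot: `Patch1: CVE-2020-15889.nopatch` registers a one-line comment file as a patch source, and whether that is inert depends on `%prep`, which lies outside this hunk. If `%prep` applies patches with `%autosetup`/`%autopatch` (or a `%patch1` is ever added alongside the existing `%patch0`), rpmbuild will hand this file to patch(1) and the build fails on garbage input; if it uses `%setup` with an explicit `%patch0` only, the entry is purely a tracking record, which appears to be the intent. Worth confirming against `%prep`, and making the tracking-only purpose explicit so a future `%autosetup` conversion does not trip over it: `# Tracking entry only, never applied in %%prep; see CVE-2020-15889.nopatch`. The exemption would also be easier to re-audit when the package moves to a 5.4.x base if the comment named the upstream report or fixing commit it was checked against, since the 5.3 tree does carry an lgc.c and the claim rests on the generational collector alone.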
@@ -39,33 +41,33 @@ make V=%{majmin} R=%{version} VERBOSE=1 %{?_smp_mflags} linux %install make %{?_smp_mflags} \ - V=%{majmin} \ - R=%{version} \ - INSTALL_TOP=%{buildroot}/usr TO_LIB="liblua.so \ - liblua.so.%{majmin} liblua.so.%{version}" \ - INSTALL_DATA="cp -d" \ - INSTALL_MAN=%{buildroot}/usr/share/man/man1 \ - install + V=%{majmin} \ + R=%{version} \ + INSTALL_TOP=%{buildroot}/usr TO_LIB="liblua.so \ + liblua.so.%{majmin} liblua.so.%{version}" \ + INSTALL_DATA="cp -d" \ + INSTALL_MAN=%{buildroot}/usr/share/man/man1 \ + install install -vdm 755 %{buildroot}%{_libdir}/pkgconfig cat > %{buildroot}%{_libdir}/pkgconfig/lua.pc <<- "EOF" - V=%{majmin} - R=%{version} + V=%{majmin} + R=%{version} - prefix=/usr - INSTALL_BIN=${prefix}/bin - INSTALL_INC=${prefix}/include - INSTALL_LIB=${prefix}/lib - INSTALL_MAN=${prefix}/man/man1 - exec_prefix=${prefix} - libdir=${exec_prefix}/lib - includedir=${prefix}/include + prefix=/usr + INSTALL_BIN=${prefix}/bin + INSTALL_INC=${prefix}/include + INSTALL_LIB=${prefix}/lib + INSTALL_MAN=${prefix}/man/man1 + exec_prefix=${prefix} + libdir=${exec_prefix}/lib + includedir=${prefix}/include - Name: Lua - Description: An Extensible Extension Language - Version: ${R} - Requires: - Libs: -L${libdir} -llua -lm - Cflags: -I${includedir} + Name: Lua + Description: An Extensible Extension Language + Version: ${R} + Requires: + Libs: -L${libdir} -llua -lm + Cflags: -I${includedir} EOF rmdir %{buildroot}%{_libdir}/lua/5.3 rmdir %{buildroot}%{_libdir}/lua @@ -91,6 +93,8 @@ rm -rf %{buildroot} %{_libdir}/liblua.so %changelog +* Mon Sep 28 2020 Daniel McIlvaney 5.3.5-7 +- Nopatch CVE-2020-15889 since it only affects 5.4.0 * Tue Aug 11 2020 Mateusz Malisz 5.3.5-6 - Append -fPIC and -O2 to CFLAGS to fix build issues. * Fri Jul 31 2020 Leandro Pereira 5.3.5-5 From 77d4198903772e6c3483ee71a3a75e19871b3ffc Mon Sep 17 00:00:00 2001 
From: Daniel McIlvaney
Date: Mon, 28 Sep 2020 16:35:38 -0700
Subject: [PATCH 2/3] Update manifests

---
 toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +-
 toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +-
 toolkit/resources/manifests/package/toolchain_aarch64.txt | 6 +++---
 toolkit/resources/manifests/package/toolchain_x86_64.txt | 6 +++---
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index d5c3f5aa934..54216ebdd1b 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -144,7 +144,7 @@ libltdl-2.4.6-5.cm1.aarch64.rpm
 libltdl-devel-2.4.6-5.cm1.aarch64.rpm
 pcre-libs-8.42-4.cm1.aarch64.rpm
 krb5-1.17-3.cm1.aarch64.rpm
-lua-5.3.5-6.cm1.aarch64.rpm
+lua-5.3.5-7.cm1.aarch64.rpm
 mariner-rpm-macros-1.0-3.cm1.noarch.rpm
 mariner-check-macros-1.0-3.cm1.noarch.rpm
 libassuan-2.5.1-3.cm1.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 371162444a5..18f3cea38de 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -144,7 +144,7 @@ libltdl-2.4.6-5.cm1.x86_64.rpm
 libltdl-devel-2.4.6-5.cm1.x86_64.rpm
 pcre-libs-8.42-4.cm1.x86_64.rpm
 krb5-1.17-3.cm1.x86_64.rpm
-lua-5.3.5-6.cm1.x86_64.rpm
+lua-5.3.5-7.cm1.x86_64.rpm
 mariner-rpm-macros-1.0-3.cm1.noarch.rpm
 mariner-check-macros-1.0-3.cm1.noarch.rpm
 libassuan-2.5.1-3.cm1.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 2799b0b2ffd..e007bbd8bc7 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -225,9 +225,9 @@ libxml2-python-2.9.10-2.cm1.aarch64.rpm
 libxslt-1.1.34-2.cm1.aarch64.rpm
 libxslt-debuginfo-1.1.34-2.cm1.aarch64.rpm
 libxslt-devel-1.1.34-2.cm1.aarch64.rpm
-lua-5.3.5-6.cm1.aarch64.rpm
-lua-debuginfo-5.3.5-6.cm1.aarch64.rpm
-lua-devel-5.3.5-6.cm1.aarch64.rpm
+lua-5.3.5-7.cm1.aarch64.rpm
+lua-debuginfo-5.3.5-7.cm1.aarch64.rpm
+lua-devel-5.3.5-7.cm1.aarch64.rpm
 lvm2-2.03.05-5.cm1.aarch64.rpm
 lvm2-debuginfo-2.03.05-5.cm1.aarch64.rpm
 lvm2-devel-2.03.05-5.cm1.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index b60f46796cd..bf7f3e28bfd 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -225,9 +225,9 @@ libxml2-python-2.9.10-2.cm1.x86_64.rpm
 libxslt-1.1.34-2.cm1.x86_64.rpm
 libxslt-debuginfo-1.1.34-2.cm1.x86_64.rpm
 libxslt-devel-1.1.34-2.cm1.x86_64.rpm
-lua-5.3.5-6.cm1.x86_64.rpm
-lua-debuginfo-5.3.5-6.cm1.x86_64.rpm
-lua-devel-5.3.5-6.cm1.x86_64.rpm
+lua-5.3.5-7.cm1.x86_64.rpm
+lua-debuginfo-5.3.5-7.cm1.x86_64.rpm
+lua-devel-5.3.5-7.cm1.x86_64.rpm
 lvm2-2.03.05-5.cm1.x86_64.rpm
 lvm2-debuginfo-2.03.05-5.cm1.x86_64.rpm
 lvm2-devel-2.03.05-5.cm1.x86_64.rpm

From 0f14d52d5a3ea457c0e2c0419ec08c22cee20ee5 Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney
Date: Tue, 29 Sep 2020 13:26:26 -0700
Subject: [PATCH 3/3] Fix version typo

---
 SPECS/lua/CVE-2020-15889.nopatch | 2 +-
 SPECS/lua/lua.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/SPECS/lua/CVE-2020-15889.nopatch b/SPECS/lua/CVE-2020-15889.nopatch
index ff2357d7478..1948f0f20a2 100644
--- a/SPECS/lua/CVE-2020-15889.nopatch
+++ b/SPECS/lua/CVE-2020-15889.nopatch
@@ -1 +1 @@
-# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 3.3.5 is not affected.
\ No newline at end of file
+# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 5.3.5 is not affected.
\ No newline at end of file
diff --git a/SPECS/lua/lua.spec b/SPECS/lua/lua.spec
index bc2ed099bb1..5f1460ff2e6 100644
--- a/SPECS/lua/lua.spec
+++ b/SPECS/lua/lua.spec
@@ -13,7 +13,7 @@ Distribution: Mariner
 Source0: https://www.lua.org/ftp/%{name}-%{version}.tar.gz
 Source1: %{LICENSE_PATH}
 Patch0: lua-5.3.4-shared_library-1.patch
-# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 3.3.5 is not affected.
+# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 5.3.5 is not affected.
 Patch1: CVE-2020-15889.nopatch
 BuildRequires: readline-devel
 Requires: readline