microsoft · dmcilvaney · Oct 21, 2020 · Oct 1, 2020 · Oct 21, 2020
@@ -0,0 +1,22 @@
+--- a/src/lapi.c
++++ b/src/lapi.c
+@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
+
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+                                             int fidx2, int n2) {
+-  LClosure *f1;
+-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
++  UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
+   UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++  if (*up1 == *up2) return; /* Already joined */
++  (*up2)->refcount++;
++  if (upisopen(*up2)) (*up2)->u.open.touched = 1;
++  luaC_upvalbarrier(L, *up2);
+   luaC_upvdeccount(L, *up1);
+   *up1 = *up2;
+-  (*up1)->refcount++;
+-  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
+-  luaC_upvalbarrier(L, *up1);
+ }
+
+
@@ -0,0 +1,34 @@
+From 6298903e35217ab69c279056f925fb72900ce0b7 Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Mon, 6 Jul 2020 12:11:54 -0300
+Subject: [PATCH] Keep minimum size when shrinking a stack
+
+When shrinking a stack (during GC), do not make it smaller than the
+initial stack size.
+---
+ src/ldo.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/ldo.c b/ldo.c
+index c563b1d9..a89ac010 100644
+--- a/src/ldo.c
++++ b/src/ldo.c
+@@ -220,7 +220,7 @@ static int stackinuse (lua_State *L) {
+
+ void luaD_shrinkstack (lua_State *L) {
+   int inuse = stackinuse(L);
+-  int goodsize = inuse + (inuse / 8) + 2*EXTRA_STACK;
++  int goodsize = inuse + BASIC_STACK_SIZE;
+   if (goodsize > LUAI_MAXSTACK)
+     goodsize = LUAI_MAXSTACK;  /* respect stack limit */
+   if (L->stacksize > LUAI_MAXSTACK)  /* had been handling stack overflow? */
+@@ -229,8 +229,7 @@ void luaD_shrinkstack (lua_State *L) {
+     luaE_shrinkCI(L);  /* shrink list */
+   /* if thread is currently not handling a stack overflow and its
+      good size is smaller than current size, shrink its stack */
+-  if (inuse <= (LUAI_MAXSTACK - EXTRA_STACK) &&
+-      goodsize < L->stacksize)
++  if (inuse <= (LUAI_MAXSTACK - EXTRA_STACK) && goodsize < L->stacksize)
+     luaD_reallocstack(L, goodsize);
+   else  /* don't change stack */
+     condmovestack(L,{},{});  /* (change only for debugging) */
@@ -1 +1,3 @@
-# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 5.3.5 is not affected.
+# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 5.3.5 is not affected.
+# NOTE: Patches needed if updating to 5.4:
+#   - 127e7a6c8942b362aa3c6627f44d660a4fb75312
@@ -0,0 +1,3 @@
+# CVE-2020-24342 appears to not affect 5.3.5 (no repro of exploit)
+# NOTE: Patches needed if updating to 5.4:
+#   - 34affe7a63fc5d842580a9f23616d057e17dfe27
@@ -4,7 +4,7 @@
 Summary:        Programming language
 Name:           lua
 Version:        5.3.5
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        MIT
 URL:            https://www.lua.org
 Group:          Development/Tools
@@ -13,8 +13,22 @@ Distribution:   Mariner
 Source0:        https://www.lua.org/ftp/%{name}-%{version}.tar.gz
 Source1:        %{LICENSE_PATH}
 Patch0:         lua-5.3.4-shared_library-1.patch
+# CVE-2020-15888 patch taken from Open Embedded's Lua meta layer https://github.com/openembedded/meta-openembedded/blob/master/meta-oe/recipes-devtools/lua/lua/CVE-2020-15888.patch
+# NOTE: Upstream patches needed if updating to 5.4:
+#   - eb41999461b6f428186c55abd95f4ce1a76217d5
+#   - 6298903e35217ab69c279056f925fb72900ce0b7
+Patch1:         CVE-2020-15888.patch
 # CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 5.3.5 is not affected.
-Patch1:         CVE-2020-15889.nopatch
+# NOTE: Patches needed if updating to 5.4:
+#   - 127e7a6c8942b362aa3c6627f44d660a4fb75312
+Patch2:         CVE-2020-15889.nopatch
+# CVE-2020-24342 appears to not affect 5.3.5 (no repro of exploit)
+# NOTE: Patches needed if updating to 5.4:
+#   - 34affe7a63fc5d842580a9f23616d057e17dfe27
+Patch3:         CVE-2020-24342.nopatch
+# From http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tt7685575.html
+Patch4:         CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
+
 BuildRequires:  readline-devel
 Requires:       readline
 
@@ -32,6 +46,8 @@ Static libraries and header files for the support library for lua
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
+%patch4 -p1
 sed -i '/#define LUA_ROOT/s:/usr/local/:/usr/:' src/luaconf.h
 sed -i 's/CFLAGS= -fPIC -O2 /CFLAGS+= -fPIC -O2 -DLUA_COMPAT_MODULE /' src/Makefile
 cp %{SOURCE1} ./
@@ -93,6 +109,10 @@ rm -rf %{buildroot}
 %{_libdir}/liblua.so
 
 %changelog
+*   Thu Oct 01 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.3.5-8
+-   Nopatch CVE-2020-24342
+-   Apply patch for CVE-2019-6706 from Lua mailing list
+-   Apply patch for CVE-2020-15888 from Open Embedded
 *   Mon Sep 28 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.3.5-7
 -   Nopatch CVE-2020-15889 since it only affects 5.4.0
 *   Tue Aug 11 2020 Mateusz Malisz <mamalisz@microsoft.com> 5.3.5-6

@@ -144,7 +144,7 @@ libltdl-2.4.6-5.cm1.aarch64.rpm
 libltdl-devel-2.4.6-5.cm1.aarch64.rpm
 pcre-libs-8.42-4.cm1.aarch64.rpm
 krb5-1.17-4.cm1.aarch64.rpm
-lua-5.3.5-7.cm1.aarch64.rpm
+lua-5.3.5-8.cm1.aarch64.rpm
 mariner-rpm-macros-1.0-3.cm1.noarch.rpm
 mariner-check-macros-1.0-3.cm1.noarch.rpm
 libassuan-2.5.1-3.cm1.aarch64.rpm

@@ -144,7 +144,7 @@ libltdl-2.4.6-5.cm1.x86_64.rpm
 libltdl-devel-2.4.6-5.cm1.x86_64.rpm
 pcre-libs-8.42-4.cm1.x86_64.rpm
 krb5-1.17-4.cm1.x86_64.rpm
-lua-5.3.5-7.cm1.x86_64.rpm
+lua-5.3.5-8.cm1.x86_64.rpm
 mariner-rpm-macros-1.0-3.cm1.noarch.rpm
 mariner-check-macros-1.0-3.cm1.noarch.rpm
 libassuan-2.5.1-3.cm1.x86_64.rpm

@@ -225,9 +225,9 @@ libxml2-python-2.9.10-2.cm1.aarch64.rpm
 libxslt-1.1.34-2.cm1.aarch64.rpm
 libxslt-debuginfo-1.1.34-2.cm1.aarch64.rpm
 libxslt-devel-1.1.34-2.cm1.aarch64.rpm
-lua-5.3.5-7.cm1.aarch64.rpm
-lua-debuginfo-5.3.5-7.cm1.aarch64.rpm
-lua-devel-5.3.5-7.cm1.aarch64.rpm
+lua-5.3.5-8.cm1.aarch64.rpm
+lua-debuginfo-5.3.5-8.cm1.aarch64.rpm
+lua-devel-5.3.5-8.cm1.aarch64.rpm
 lvm2-2.03.05-5.cm1.aarch64.rpm
 lvm2-debuginfo-2.03.05-5.cm1.aarch64.rpm
 lvm2-devel-2.03.05-5.cm1.aarch64.rpm

@@ -225,9 +225,9 @@ libxml2-python-2.9.10-2.cm1.x86_64.rpm
 libxslt-1.1.34-2.cm1.x86_64.rpm
 libxslt-debuginfo-1.1.34-2.cm1.x86_64.rpm
 libxslt-devel-1.1.34-2.cm1.x86_64.rpm
-lua-5.3.5-7.cm1.x86_64.rpm
-lua-debuginfo-5.3.5-7.cm1.x86_64.rpm
-lua-devel-5.3.5-7.cm1.x86_64.rpm
+lua-5.3.5-8.cm1.x86_64.rpm
+lua-debuginfo-5.3.5-8.cm1.x86_64.rpm
+lua-devel-5.3.5-8.cm1.x86_64.rpm
 lvm2-2.03.05-5.cm1.x86_64.rpm
 lvm2-debuginfo-2.03.05-5.cm1.x86_64.rpm
 lvm2-devel-2.03.05-5.cm1.x86_64.rpm