* [oe][meta-oe][dunfell][PATCH] lua: fix CVE-2022-28805
@ 2022-05-09 7:40 omkar
2022-05-18 13:32 ` [meta-oe][dunfell][PATCH] " omkar
2022-05-18 21:28 ` [oe][meta-oe][dunfell][PATCH] " Steve Sakoman
0 siblings, 2 replies; 3+ messages in thread
From: omkar @ 2022-05-09 7:40 UTC
To: openembedded-devel, omkarpatil10.93
Cc: ranjitsinh.rathod, Steve Sakoman, Sana Kazi, Richard Purdie, Omkar Patil

From: Steve Sakoman <steve@sakoman.com>

singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
call, leading to a heap-based buffer over-read that might affect a system that
compiles untrusted Lua code.

https://nvd.nist.gov/vuln/detail/CVE-2022-28805

(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)

Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354)
Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
---
.../lua/lua/0001-lua-fix-CVE-2022-28805.patch | 73 +++++++++++++++++++
.../lua/lua/CVE-2022-28805.patch | 28 +++++++
meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 +
3 files changed, 102 insertions(+)
create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
new file mode 100644
index 000000000..606c9ea98
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
@@ -0,0 +1,73 @@
+From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001
+From: Steve Sakoman <steve@sakoman.com>
+Date: Mon, 18 Apr 2022 09:04:08 -1000
+Subject: [PATCH] lua: fix CVE-2022-28805
+
+singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
+call, leading to a heap-based buffer over-read that might affect a system that
+compiles untrusted Lua code.
+
+https://nvd.nist.gov/vuln/detail/CVE-2022-28805
+
+(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)
+
+Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354)
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+---
+ .../lua/lua/CVE-2022-28805.patch | 28 +++++++++++++++++++
+ meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 +
+ 2 files changed, 29 insertions(+)
+ create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+
+diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+new file mode 100644
+index 000000000..0a21d1ce7
+--- /dev/null
++++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+@@ -0,0 +1,28 @@
++From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
++From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
++Date: Tue, 15 Feb 2022 12:28:46 -0300
++Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
++
++CVE: CVE-2022-28805
++
++Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
++
++Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
++Signed-off-by: Steve Sakoman <steve@sakoman.com>
++---
++ src/lparser.c | 1 +
++ 1 files changed, 1 insertions(+)
++
++diff --git a/src/lparser.c b/src/lparser.c
++index 3abe3d751..a5cd55257 100644
++--- a/src/lparser.c
+++++ b/src/lparser.c
++@@ -300,6 +300,7 @@
++ expdesc key;
++ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
++ lua_assert(var->k != VVOID); /* this one must exist */
+++ luaK_exp2anyregup(fs, var); /* but could be a constant */
++ codestring(ls, &key, varname); /* key is variable name */
++ luaK_indexed(fs, var, &key); /* env[varname] */
++ }
++
+diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+index 342ed1b54..0137cc3c5 100644
+--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
++++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
+ file://CVE-2020-15888.patch \
+ file://CVE-2020-15945.patch \
+ file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
++ file://CVE-2022-28805.patch \
+ "
+
+ # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
+--
+2.17.1
+
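Review bot: The new file 0001-lua-fix-CVE-2022-28805.patch is a complete format-patch mail of this same change (its own "Subject: [PATCH] lua: fix CVE-2022-28805" header, Signed-off-by chain and "2.17.1" trailer), and it nests a second copy of the CVE-2022-28805.patch and lua_5.3.6.bb diffs, so the commit ships itself as a layer file. Drop this file and resend with only CVE-2022-28805.patch and the recipe change, which brings the diffstat back to the "2 files changed, 29 insertions(+)" that the nested header itself records.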
diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
new file mode 100644
index 000000000..0a21d1ce7
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
@@ -0,0 +1,28 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+CVE: CVE-2022-28805
+
+Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
+
+Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ src/lparser.c | 1 +
+ 1 files changed, 1 insertions(+)
+
+diff --git a/src/lparser.c b/src/lparser.c
+index 3abe3d751..a5cd55257 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -300,6 +300,7 @@
+ expdesc key;
+ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
+ lua_assert(var->k != VVOID); /* this one must exist */
++ luaK_exp2anyregup(fs, var); /* but could be a constant */
+ codestring(ls, &key, varname); /* key is variable name */
+ luaK_indexed(fs, var, &key); /* env[varname] */
+ }
+
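Review bot: The embedded src/lparser.c hunk ("@@ -300,6 +300,7 @@", with context "lua_assert(var->k != VVOID);") is carried over as-is from the upstream commit named in Upstream-Status, whose subject concerns _ENV declared <const>, while the recipe being patched is lua_5.3.6.bb. Please state in the commit message that the hunk was checked against the 5.3.6 src/lparser.c (that it applies in do_patch without fuzz at that offset) and that 5.3.6 is affected. If the 5.3.6 context differs, the backport should be refreshed against that source rather than cherry-picked unchanged.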
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
index 342ed1b54..0137cc3c5 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
file://CVE-2020-15888.patch \
file://CVE-2020-15945.patch \
file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
+ file://CVE-2022-28805.patch \
"
# if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
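Review bot: SRC_URI gains only "file://CVE-2022-28805.patch", so the recipe never references the 0001-lua-fix-CVE-2022-28805.patch file that the same commit creates; that file would sit in the layer unused. Once it is dropped, this one-line hunk and CVE-2022-28805.patch are the whole change.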
--
2.17.1
* Re: [meta-oe][dunfell][PATCH] lua: fix CVE-2022-28805
From: omkar @ 2022-05-18 13:32 UTC
To: openembedded-devel
Reminder, please check this patch.
* Re: [oe][meta-oe][dunfell][PATCH] lua: fix CVE-2022-28805
From: Steve Sakoman @ 2022-05-18 21:28 UTC
To: omkar
Cc: openembedded-devel, ranjitsinh.rathod, Sana Kazi, Richard Purdie,
Omkar Patil

On Sun, May 8, 2022 at 9:40 PM omkar <omkarpatil10.93@gmail.com> wrote:
>
> From: Steve Sakoman <steve@sakoman.com>

I'm not the maintainer for meta-openembedded, but this appears to be a
patch that I originally submitted for the lua recipe in oe-core master
branch. This recipe was moved to oe-core post dunfell release, so it
does make sense to patch the lua version on meta-openembedded.

Perhaps this patch wasn't taken because it has at least one issue, see below.

> singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
> call, leading to a heap-based buffer over-read that might affect a system that
> compiles untrusted Lua code.
>
> https://nvd.nist.gov/vuln/detail/CVE-2022-28805
>
> (From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)
>
> Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354)
> Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
> ---
> .../lua/lua/0001-lua-fix-CVE-2022-28805.patch | 73 +++++++++++++++++++
> .../lua/lua/CVE-2022-28805.patch | 28 +++++++
> meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 +
> 3 files changed, 102 insertions(+)
> create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
> create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
>
> diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
> new file mode 100644
> index 000000000..606c9ea98
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch

This seems to be adding a file that is an edited version of my
original patch. This seems to have no purpose!

> @@ -0,0 +1,73 @@
> +From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001
> +From: Steve Sakoman <steve@sakoman.com>
> +Date: Mon, 18 Apr 2022 09:04:08 -1000
> +Subject: [PATCH] lua: fix CVE-2022-28805
> +
> +singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
> +call, leading to a heap-based buffer over-read that might affect a system that
> +compiles untrusted Lua code.
> +
> +https://nvd.nist.gov/vuln/detail/CVE-2022-28805
> +
> +(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)
> +
> +Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
> +Signed-off-by: Steve Sakoman <steve@sakoman.com>
> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> +(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354)
> +Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
> +---
> + .../lua/lua/CVE-2022-28805.patch | 28 +++++++++++++++++++
> + meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 +
> + 2 files changed, 29 insertions(+)
> + create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
> +
> +diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
> +new file mode 100644
> +index 000000000..0a21d1ce7
> +--- /dev/null
> ++++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
> +@@ -0,0 +1,28 @@
> ++From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
> ++From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
> ++Date: Tue, 15 Feb 2022 12:28:46 -0300
> ++Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
> ++
> ++CVE: CVE-2022-28805
> ++
> ++Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
> ++
> ++Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
> ++Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ++---
> ++ src/lparser.c | 1 +
> ++ 1 files changed, 1 insertions(+)
> ++
> ++diff --git a/src/lparser.c b/src/lparser.c
> ++index 3abe3d751..a5cd55257 100644
> ++--- a/src/lparser.c
> +++++ b/src/lparser.c
> ++@@ -300,6 +300,7 @@
> ++ expdesc key;
> ++ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
> ++ lua_assert(var->k != VVOID); /* this one must exist */
> +++ luaK_exp2anyregup(fs, var); /* but could be a constant */
> ++ codestring(ls, &key, varname); /* key is variable name */
> ++ luaK_indexed(fs, var, &key); /* env[varname] */
> ++ }
> ++
> +diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
> +index 342ed1b54..0137cc3c5 100644
> +--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
> ++++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
> +@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
> + file://CVE-2020-15888.patch \
> + file://CVE-2020-15945.patch \
> + file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
> ++ file://CVE-2022-28805.patch \
> + "
> +
> + # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
> +--
> +2.17.1
> +
> diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
> new file mode 100644
> index 000000000..0a21d1ce7
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
> @@ -0,0 +1,28 @@
> +From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
> +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
> +Date: Tue, 15 Feb 2022 12:28:46 -0300
> +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
> +
> +CVE: CVE-2022-28805
> +
> +Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
> +
> +Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
> +Signed-off-by: Steve Sakoman <steve@sakoman.com>
> +---
> + src/lparser.c | 1 +
> + 1 files changed, 1 insertions(+)
> +
> +diff --git a/src/lparser.c b/src/lparser.c
> +index 3abe3d751..a5cd55257 100644
> +--- a/src/lparser.c
> ++++ b/src/lparser.c
> +@@ -300,6 +300,7 @@
> + expdesc key;
> + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
> + lua_assert(var->k != VVOID); /* this one must exist */
> ++ luaK_exp2anyregup(fs, var); /* but could be a constant */
> + codestring(ls, &key, varname); /* key is variable name */
> + luaK_indexed(fs, var, &key); /* env[varname] */
> + }
> +
> diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
> index 342ed1b54..0137cc3c5 100644
> --- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
> +++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
> @@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
> file://CVE-2020-15888.patch \
> file://CVE-2020-15945.patch \
> file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
> + file://CVE-2022-28805.patch \
> "
>
> # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
> --
> 2.17.1
>