From a043d076145dced7e4f903e14ce04db719c352ab Mon Sep 17 00:00:00 2001
From: Michel Alexandre Salim
Date: Mon, 31 Aug 2020 17:09:48 -0700
Subject: [PATCH 1/3] Refactor macros into lua-rpm-macros
Signed-off-by: Michel Alexandre Salim
---
 lua.attr | 19 -------------------
 lua.spec | 20 +++++++-------------
 macros.lua | 13 -------------
 3 files changed, 7 insertions(+), 45 deletions(-)
 delete mode 100644 lua.attr
 delete mode 100644 macros.lua
diff --git a/lua.attr b/lua.attr
deleted file mode 100644
index a433266..0000000
--- a/lua.attr
+++ /dev/null
@@ -1,19 +0,0 @@
-%__lua_requires() %{lua:
- -- Match buildroot paths of the form
- -- /PATH/OF/BUILDROOT/usr/lib(64)/lua/MAJOR.MINOR/ and
- -- /PATH/OF/BUILDROOT/usr/share/pythonMAJOR.MINOR/
- -- generating a line of the form:
- -- lua(abi) = MAJOR.MINOR
- local path = rpm.expand('%1')
- local datadir = rpm.expand('%_datadir')
- local libdir = rpm.expand('%_libdir')
- for i, dir in ipairs({datadir, libdir}) do
- if path:match(dir .. '/lua/%d+%.%d+/.*') then
- local requires = path:gsub('.*' .. dir .. '/lua/(%d+%.%d+)/.*', 'lua(abi) = %1')
- print(requires)
- break
- end
- end
-}
-
-%__lua_path ^(%{_datadir}|%{_libdir})/lua/[[:digit:]]+\\.[[:digit:]]+/.+
diff --git a/lua.spec b/lua.spec
index be9d603..ae53132 100644
--- a/lua.spec
+++ b/lua.spec
@@ -15,7 +15,7 @@
 Name: lua
 Version: %{major_version}.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: Powerful light-weight programming language
 License: MIT
 URL: http://www.lua.org/
@@ -28,10 +28,6 @@ Source2: http://www.lua.org/ftp/lua-%{bootstrap_version}.tar.gz
 Source3: http://www.lua.org/tests/lua-%{test_version}-tests.tar.gz
 # multilib
 Source4: luaconf.h
-# rpm-macro
-Source1000: macros.lua
-# rpm-generator
-Source1001: lua.attr
 Patch0: %{name}-5.4.0-beta-autotoolize.patch
 Patch1: %{name}-5.3.0-idsize.patch
 #Patch2: %%{name}-5.3.0-luac-shared-link-fix.patch
@@ -76,6 +72,9 @@ configuration, scripting, and rapid prototyping.
 %package devel
 Summary: Development files for %{name}
 Requires: %{name}%{?_isa} = %{version}-%{release}
+# The RPM related dependencies bring nothing to a non-RPM Lua developer
+# But we want them when packages BuildRequire lua-devel
+Requires: (lua-rpm-macros if rpm-build)
 Requires: pkgconfig
 %description devel
@@ -206,10 +205,6 @@ rm -rf $RPM_BUILD_ROOT/installdir
 popd
 %endif
-# Install rpm-macro and requires generator
-install -Dpm 0644 %{SOURCE1000} $RPM_BUILD_ROOT/%{macrosdir}/macros.lua
-install -Dpm 0644 %{SOURCE1001} $RPM_BUILD_ROOT/%{_fileattrsdir}/lua.attr
-
 %files
 %{!?_licensedir:%global license %%doc}
 %license mit.txt
@@ -237,15 +232,14 @@ install -Dpm 0644 %{SOURCE1001} $RPM_BUILD_ROOT/%{_fileattrsdir}/lua.attr
 %{_includedir}/l*.hpp
 %{_libdir}/liblua.so
 %{_libdir}/pkgconfig/*.pc
-%dir %{macrosdir}
-%{macrosdir}/macros.lua
-%dir %{_fileattrsdir}
-%{_fileattrsdir}/lua.attr
 %files static
 %{_libdir}/*.a
 %changelog
+* Mon Aug 31 2020 Michel Alexandre Salim - 5.4.0-7
+- Refactor macros into lua-rpm-macros
+
 * Wed Aug 19 2020 Tom Callaway - 5.4.0-6
 - apply upstream fix for CVE-2020-24370, CVE-2020-24371
diff --git a/macros.lua b/macros.lua
deleted file mode 100644
index 46656d6..0000000
--- a/macros.lua
+++ /dev/null
@@ -1,13 +0,0 @@
-%lua_version %{lua: print(string.sub(_VERSION, 5))}
-
-%lua_libdir %{_libdir}/lua/%{lua_version}
-%lua_pkgdir %{_datadir}/lua/%{lua_version}
-
-%lua_requires \
-%if 0%{?fedora} >= 16 || 0%{?rhel} >= 7 \
-Requires: lua(abi) = %{lua_version} \
-%else \
-Requires: lua >= %{lua_version} \
-Requires: lua < %{lua: os.setlocale('C'); print(string.sub(_VERSION, 5) + 0.1)} \
-%endif \
-%{nil}
From 4b399374b62b9349c6226611f2c556c6d4adf3bf Mon Sep 17 00:00:00 2001
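Review bot: In the `%package devel` hunk of lua.spec, the new `Requires: (lua-rpm-macros if rpm-build)` is unversioned even though this same commit stops shipping `%{macrosdir}/macros.lua` and `%{_fileattrsdir}/lua.attr` from lua-devel. If lua-rpm-macros installs files at those paths (not visible in this patch), a system that still has an older lua-devel would hit a file conflict, so confirm that lua-rpm-macros carries a matching `Conflicts:` or `Obsoletes:` against lua-devel releases before 5.4.0-7. The added comment could also say what the package provides, for example `# lua-rpm-macros now ships macros.lua and the lua(abi) requires generator (lua.attr)`, since a build without that generator would presumably leave Lua module packages without their `lua(abi)` requirement.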
From: Tom Callaway
Date: Wed, 2 Sep 2020 15:05:28 -0400
Subject: [PATCH 2/3] CVE-2020-24342
---
 lua-5.4.0-CVE-2020-24342.patch | 22 ++++++++++++++++++++++
 lua.spec | 7 ++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 lua-5.4.0-CVE-2020-24342.patch
diff --git a/lua-5.4.0-CVE-2020-24342.patch b/lua-5.4.0-CVE-2020-24342.patch
new file mode 100644
index 0000000..c8267ec
--- /dev/null
+++ b/lua-5.4.0-CVE-2020-24342.patch
@@ -0,0 +1,22 @@
+diff -up lua-5.4.0/src/ldo.c.CVE-2020-24342 lua-5.4.0/src/ldo.c
+--- lua-5.4.0/src/ldo.c.CVE-2020-24342 2020-09-02 14:56:36.939443912 -0400
++++ lua-5.4.0/src/ldo.c 2020-09-02 14:57:47.765341519 -0400
+@@ -515,14 +515,13 @@ void luaD_call (lua_State *L, StkId func
+
+ /*
+ ** Similar to 'luaD_call', but does not allow yields during the call.
+-** If there is a stack overflow, freeing all CI structures will
+-** force the subsequent call to invoke 'luaE_extendCI', which then
+-** will raise any errors.
+ */
+ void luaD_callnoyield (lua_State *L, StkId func, int nResults) {
+ incXCcalls(L);
+- if (getCcalls(L) <= CSTACKERR) /* possible stack overflow? */
+- luaE_freeCI(L);
++ if (getCcalls(L) <= CSTACKERR) { /* possible C stack overflow? */
++ luaE_exitCcall(L); /* to compensate decrement in next call */
++ luaE_enterCcall(L); /* check properly */
++ }
+ luaD_call(L, func, nResults);
+ decXCcalls(L);
+ }
diff --git a/lua.spec b/lua.spec
index ae53132..7d669e0 100644
--- a/lua.spec
+++ b/lua.spec
@@ -15,7 +15,7 @@
 Name: lua
 Version: %{major_version}.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: Powerful light-weight programming language
 License: MIT
 URL: http://www.lua.org/
@@ -55,6 +55,7 @@ Patch17: %{name}-5.4.0-CVE-2020-24370.patch
 Patch18: %{name}-5.3.5-CVE-2020-24370.patch
 # This is bug 9
 Patch19: %{name}-5.4.0-CVE-2020-24371.patch
+Patch20: %{name}-5.4.0-CVE-2020-24342.patch
 BuildRequires: automake autoconf libtool readline-devel ncurses-devel
 Requires: lua-libs = %{version}-%{release}
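Review bot: The new lua-5.4.0-CVE-2020-24342.patch starts directly at `diff -up`, and the `Patch20:` line in lua.spec has no comment, so nothing in the package records which upstream change this backport corresponds to (compare `# This is bug 9` above `Patch19`). For a security fix that reference is worth keeping so the backport can be audited against upstream later; a comment above `Patch20` such as `# Upstream fix for CVE-2020-24342: <upstream commit or bug reference>` would do, or the same text as a header in the patch file, which patch(1) skips before the first `diff` line. The local `diff -up` timestamps suggest the patch was produced by hand rather than exported from the upstream repository, which would make that reference the only link back. The body of `luaD_callnoyield` is fully inside the hunk; `luaE_exitCcall` and `luaE_enterCcall` are defined elsewhere and are not visible here.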
@@ -120,6 +121,7 @@ mv src/luaconf.h src/luaconf.h.template.in
 %patch16 -p1 -b .CVE-2020-24369
 %patch17 -p1 -b .CVE-2020-24370
 %patch19 -p1 -b .CVE-2020-24371
+%patch20 -p1 -b .CVE-2020-24342
 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
 autoreconf -ifv
@@ -237,6 +239,9 @@ popd
 %{_libdir}/*.a
 %changelog
+* Wed Sep 2 2020 Tom Callaway - 5.4.0-8
+- apply upstream fix for CVE-2020-24342
+
 * Mon Aug 31 2020 Michel Alexandre Salim - 5.4.0-7
 - Refactor macros into lua-rpm-macros
From fae2e38de72ef39b3f3e3b415c12d704adbcdeaf Mon Sep 17 00:00:00 2001
From: Tom Callaway
Date: Wed, 2 Sep 2020 15:06:31 -0400
Subject: [PATCH 3/3] silence changelog noise
---
 lua.spec | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/lua.spec b/lua.spec
index 7d669e0..9656e9b 100644
--- a/lua.spec
+++ b/lua.spec
@@ -265,9 +265,6 @@ popd
 * Mon Jun 29 2020 Tom Callaway - 5.4.0-1
 - update to 5.4.0
-* Wed Oct 23 2019 Tom Callaway - 5.4.0-0.1.beta
-- 5.4.0-beta
-
 * Wed Jan 29 2020 Fedora Release Engineering - 5.3.5-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
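Review bot: In the `%prep` hunk of patch 2/3, `%patch20 -p1 -b .CVE-2020-24342` is applied to one source tree only and no 5.3.5 counterpart is added, whereas CVE-2020-24370 has both `Patch17` (5.4.0) and `Patch18` (5.3.5). If the spec also builds the `%{bootstrap_version}` sources, state explicitly whether that copy is affected; the `CSTACKERR` check touched by the fix may well be specific to 5.4, but that is not shown here. A one-line comment next to `Patch20`, e.g. `# 5.4.0 only: <reason the bootstrap sources need no equivalent>`, would settle it for the next reviewer. The `%prep` section continues outside the hunk.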