From a3fa44889b567cb90714d7196c38b924a6a0db7d Mon Sep 17 00:00:00 2001
From: shixuantong <1726671442@qq.com>
Date: Thu, 14 Apr 2022 20:53:02 +0800
Subject: [PATCH] fix CVE-2021-44647 CVE-2022-28805
---
backport-CVE-2021-43519.patch | 27 +++++++++++---------
backport-CVE-2021-44647.patch | 24 ++++++++++++++++++
backport-CVE-2022-28805.patch | 46 +++++++++++++++++++++++++++++++++++
lua.spec | 11 ++++++++-
4 files changed, 95 insertions(+), 13 deletions(-)
create mode 100644 backport-CVE-2021-44647.patch
create mode 100644 backport-CVE-2022-28805.patch
diff --git a/backport-CVE-2021-43519.patch b/backport-CVE-2021-43519.patch
index acf125e..f0eccf4 100644
--- a/backport-CVE-2021-43519.patch
+++ b/backport-CVE-2021-43519.patch
@@ -7,15 +7,15 @@ Subject: [PATCH] Bug: C stack overflow with coroutines continuing execution after a protected error (that is, while running 'precover'). --- - src/ldo.c | 6 ++++-- - testes/cstack.lua | 14 ++++++++++++++ + src/ldo.c | 6 ++++-- + lua-5.4.3-tests/cstack.lua | 14 ++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/src/ldo.c b/src/ldo.c -index d0edc8b4f..66f890364 100644 +index 7135079..ca558fd 100644 --- a/src/ldo.c +++ b/src/ldo.c -@@ -759,11 +759,10 @@ static void resume (lua_State *L, void *ud) { +@@ -728,11 +728,10 @@ static void resume (lua_State *L, void *ud) { StkId firstArg = L->top - n; /* first argument */ CallInfo *ci = L->ci; if (L->status == LUA_OK) /* starting a coroutine? */
@@ -28,7 +28,7 @@ index d0edc8b4f..66f890364 100644 if (isLua(ci)) { /* yielded inside a hook? */ L->top = firstArg; /* discard arguments */ luaV_execute(L, ci); /* just continue running Lua code */
-@@ -814,6 +813,9 @@ LUA_API int lua_resume (lua_State *L, lua_State *from, int nargs,
+@@ -783,6 +782,9 @@ LUA_API int lua_resume (lua_State *L, lua_State *from, int nargs, else if (L->status != LUA_YIELD) /* ended with errors? */ return resume_error(L, "cannot resume dead coroutine", nargs); L->nCcalls = (from) ? getCcalls(from) : 0;
@@ -38,10 +38,10 @@ index d0edc8b4f..66f890364 100644 luai_userstateresume(L, nargs); api_checknelems(L, (L->status == LUA_OK) ? nargs + 1 : nargs); status = luaD_rawrunprotected(L, resume, &nargs);
-diff --git a/testes/cstack.lua b/testes/cstack.lua
-index 213d15d47..ca76c8729 100644
---- a/testes/cstack.lua
-+++ b/testes/cstack.lua
+diff --git a/lua-5.4.3-tests/cstack.lua b/lua-5.4.3-tests/cstack.lua
+index 213d15d..ca76c87 100644
+--- a/lua-5.4.3-tests/cstack.lua
++++ b/lua-5.4.3-tests/cstack.lua @@ -103,6 +103,20 @@ do end
@@ -60,6 +60,9 @@ index d0edc8b4f..66f890364 100644 +end + + - if T then - print("testing stack recovery") - local N = 0 -- trace number of calls +if T then + print("testing stack recovery") + local N = 0 -- trace number of calls +-- +1.8.3.1 +
diff --git a/backport-CVE-2021-44647.patch b/backport-CVE-2021-44647.patch
new file mode 100644
index 0000000..56bdfb5
--- /dev/null
+++ b/backport-CVE-2021-44647.patch
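Review bot: The `@@ -60,6 +60,9 @@` hunk replaces the three trailing context lines of the inner cstack.lua hunk with lines that, as rendered here, differ only in that `+if T then` carries no leading-space context marker while `+ print("testing stack recovery")` and `+ local N = 0 -- trace number of calls` keep theirs; an inner context line without its marker is a malformed hunk that `git apply` reports as corrupt and that GNU patch is not guaranteed to accept. Whitespace was very likely normalized when this page was produced, so treat this as a check rather than a confirmed defect: run `patch -p1 --dry-run` (or `git apply --check`) with the rebased backport-CVE-2021-43519.patch against the unpacked 5.4.3 tree, which now also needs lua-5.4.3-tests/ present because the test hunk was moved there from testes/. The same question applies to the rebased ldo.c hunks at `@@ -28,7` and `@@ -38,10` above, whose inner context lines have likewise lost their leading blanks in this rendering.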
@@ -0,0 +1,24 @@
+From 1de95e97ef65632a88e08b6184bd9d1ceba7ec2f Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy
+Date: Fri, 10 Dec 2021 10:53:54 -0300
+Subject: [PATCH] Bug: Lua stack still active when closing a state
+
+---
+ src/lstate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lstate.c b/src/lstate.c
+index c5e3b43..38da773 100644
+--- a/src/lstate.c
++++ b/src/lstate.c
+@@ -271,6 +271,7 @@ static void close_state (lua_State *L) {
+ if (!completestate(g)) /* closing a partially built state? */
+ luaC_freeallobjects(L); /* jucst collect its objects */
+ else { /* closing a fully built state */
++ L->ci = &L->base_ci; /* unwind CallInfo list */
+ luaD_closeprotected(L, 1, LUA_OK); /* close all upvalues */
+ luaC_freeallobjects(L); /* collect all objects */
+ luai_userstateclose(L);
+--
+1.8.3.1
+
diff --git a/backport-CVE-2022-28805.patch b/backport-CVE-2022-28805.patch
new file mode 100644
index 0000000..04e79c0
--- /dev/null
+++ b/backport-CVE-2022-28805.patch
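Review bot: This backport ships without a regression test, unlike the other two patches in this commit which both touch lua-5.4.3-tests/, and nothing in the visible spec hunks shows a %check stage, so the only evidence the fix is in effect is that the one-line hunk at `@@ -271,6 +271,7 @@` applies. The added `L->ci = &L->base_ci;` sits only in the fully-built-state branch, which is the branch that calls luaD_closeprotected, so the partial-state branch needs no counterpart; that reasoning is worth recording in the patch header, e.g. `Reset L->ci before luaD_closeprotected so that closing upvalues runs with an unwound CallInfo list rather than on top of frames that were presumably still live when lua_close was called (the "Lua stack still active" of the subject).` A build-time smoke test that calls lua_close from inside a running Lua/C frame would catch a mis-rebase of this hunk; the remainder of close_state lies outside the hunk.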
@@ -0,0 +1,46 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is
+
+---
+ lua-5.4.3-tests/attrib.lua | 10 ++++++++++
+ src/lparser.c | 1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/lua-5.4.3-tests/attrib.lua b/lua-5.4.3-tests/attrib.lua
+index b1076c7..83821c0 100644
+--- a/lua-5.4.3-tests/attrib.lua
++++ b/lua-5.4.3-tests/attrib.lua
+@@ -434,6 +434,16 @@ a.aVeryLongName012345678901234567890123456789012345678901234567890123456789 ==
+ 10)
+
+
++do
++ -- _ENV constant
++ local function foo ()
++ local _ENV = 11
++ X = "hi"
++ end
++ local st, msg = pcall(foo)
++ assert(not st and string.find(msg, "number"))
++end
++
+
+ -- test of large float/integer indices
+
+diff --git a/src/lparser.c b/src/lparser.c
+index 284ef1f..0626833 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -457,6 +457,7 @@ static void singlevar (LexState *ls, expdesc *var) {
+ expdesc key;
+ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
+ lua_assert(var->k != VVOID); /* this one must exist */
++ luaK_exp2anyregup(fs, var); /* but could be a constant */
+ codestring(&key, varname); /* key is variable name */
+ luaK_indexed(fs, var, &key); /* env[varname] */
+ }
+--
+1.8.3.1
+
diff --git a/lua.spec b/lua.spec
index 14e12b7..f5bf15b 100644
--- a/lua.spec
+++ b/lua.spec
@@ -6,7 +6,7 @@ Name: lua Version: 5.4.3 -Release: 4 +Release: 5 Summary: A powerful, efficient, lightweight, embeddable scripting language License: MIT URL: http://www.lua.org/
@@ -24,6 +24,8 @@ Patch1: lua-5.3.0-idsize.patch Patch2: lua-5.2.2-configure-linux.patch Patch3: lua-5.3.0-configure-compat-module.patch Patch6000: backport-CVE-2021-43519.patch +Patch6001: backport-CVE-2021-44647.patch +Patch6002: backport-CVE-2022-28805.patch BuildRequires: automake autoconf libtool readline-devel ncurses-devel
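Review bot: The attrib.lua test in this new patch reads `local _ENV = 11` and the subject line stops at `when _ENV is`, both of which look like an angle-bracketed token was stripped — upstream 1f3c6f4 appears to be about `_ENV` declared `<const>`, and that attribute is what makes `singlevar` meet a constant that the added `luaK_exp2anyregup(fs, var)` has to move into a register. If the patch file really lacks `<const>` (rather than this page having dropped it as markup), the test presumably still fails with the expected "number" error on an unpatched build, because assigning through a plain local number fails either way, so it no longer proves the CVE-2022-28805 fix; compare the file bytes with upstream and restore `local _ENV <const> = 11` and the full subject line. The lparser.c hunk itself matches the upstream change and needs no edit.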
@@ -56,6 +58,10 @@ mv src/luaconf.h src/luaconf.h.template.in %patch1 -p1 -z .idsize %patch2 -p1 -z .configure-linux %patch3 -p1 -z .configure-compat-all
+%patch6000 -p1
+%patch6001 -p1
+%patch6002 -p1 + # Put proper version in configure.ac, patch0 hardcodes 5.3.0 sed -i 's|5.3.0|%{version}|g' configure.ac autoreconf -ifv
@@ -129,6 +135,9 @@ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{_bindir}/lua -e"_U= %{_mandir}/man1/lua*.1* %changelog
+* Thu Apr 14 2022 shixuantong - 5.4.3-5
+- fix CVE-2021-44647 CVE-2022-28805 + * Fri Apr 01 2022 shixuantong - 5.4.3-4 - fix CVE-2021-43519 -- Gitee
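Review bot: `+%patch6000 -p1` in the `@@ -56,6 +58,10 @@` hunk is an added line while `Patch6000: backport-CVE-2021-43519.patch` is already context in the Patch list, so as far as these hunks show the 5.4.3-4 build declared the CVE-2021-43519 backport but never applied it in %prep (this %prep uses explicit %patchN lines, so no %autopatch would have picked it up). The changelog entry in `@@ -129,6 +135,9 @@` should say so instead of listing only the two new CVEs, e.g. `- fix CVE-2021-44647 CVE-2022-28805; apply backport-CVE-2021-43519.patch, which 5.4.3-4 declared but did not apply`. Since the rebased Patch6000 now also touches lua-5.4.3-tests/cstack.lua, %prep must have that directory unpacked before these %patch lines run; the lines that would do that, if any, lie outside this hunk.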