From 79062a39e9bcb9731adbacd0bd9bcd0b59d19d0a Mon Sep 17 00:00:00 2001 From: davidovski Date: Sun, 22 May 2022 17:47:09 +0100 Subject: fixes to allow for full build --- repo/system/lua/CVE-2022-28805.patch | 336 +++++++++++++++++++ repo/system/lua/extern-c-for-cpp.patch | 336 +++++++++++++++++++ repo/system/lua/fix-double-free.patch | 402 +++++++++++++++++++++++ repo/system/lua/lua-5.4.4-shared_library-1.patch | 78 +++++ repo/system/lua/lua.xibuild | 8 +- 5 files changed, 1158 insertions(+), 2 deletions(-) create mode 100644 repo/system/lua/CVE-2022-28805.patch create mode 100644 repo/system/lua/extern-c-for-cpp.patch create mode 100644 repo/system/lua/fix-double-free.patch create mode 100644 repo/system/lua/lua-5.4.4-shared_library-1.patch (limited to 'repo/system/lua') diff --git a/repo/system/lua/CVE-2022-28805.patch b/repo/system/lua/CVE-2022-28805.patch new file mode 100644 index 0000000..95c66fc --- /dev/null +++ b/repo/system/lua/CVE-2022-28805.patch @@ -0,0 +1,336 @@ + + + +CVE-2022-28805.patch « lua5.4 « main - aports - Alpine packages build scripts + + + + + + + + + +
+ + + + +
+aboutsummaryrefslogtreecommitdiffstats
+ + + +
+
+
blob: b00fcc63f7c8ce53208dfc10c9c275f50ca8a8c9 (plain) (blame) + + +
1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+
Patch-Source: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+---
+ lparser.c         |  1 +
+ testes/attrib.lua | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/lparser.c b/lparser.c
+index 3abe3d751..a5cd55257 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k != VVOID);  /* this one must exist */
++    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(&key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }
+
+
+ +
+ + diff --git a/repo/system/lua/extern-c-for-cpp.patch b/repo/system/lua/extern-c-for-cpp.patch new file mode 100644 index 0000000..6c49c1c --- /dev/null +++ b/repo/system/lua/extern-c-for-cpp.patch @@ -0,0 +1,336 @@ + + + +extern-c-for-cpp.patch « lua5.4 « main - aports - Alpine packages build scripts + + + + + + + + + +
+ + + + +
+aboutsummaryrefslogtreecommitdiffstats
+ + + +
+
+
blob: c2268c76db839cf9272a3099563b6f80f72e0b0c (plain) (blame) + + +
1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+
Patch-Source: https://salsa.debian.org/lua-team/lua5.4/-/blob/bc284bb404e51d27feb5ffc705de8e32959c2048/debian/patches/0003-extern_C.patch
+From: Enrico Tassi <gareuselesinge@debian.org>
+Date: Fri, 14 Aug 2015 09:36:52 +0200
+Subject: extern_C
+
+---
+ src/luaconf.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/luaconf.h
++++ b/src/luaconf.h
+@@ -287,7 +287,11 @@
+ 
+ #else				/* }{ */
+ 
++#ifdef __cplusplus
++#define LUA_API                extern "C"
++#else
+ #define LUA_API		extern
++#endif
+ 
+ #endif				/* } */
+ 
+
+
+ +
+ + diff --git a/repo/system/lua/fix-double-free.patch b/repo/system/lua/fix-double-free.patch new file mode 100644 index 0000000..2b6c476 --- /dev/null +++ b/repo/system/lua/fix-double-free.patch @@ -0,0 +1,402 @@ + + + +fix-double-free.patch « lua5.4 « main - aports - Alpine packages build scripts + + + + + + + + + +
+ + + + +
+aboutsummaryrefslogtreecommitdiffstats
+ + + +
+
+
blob: ad87fafc29d2694ba5daf79d5afc337ef1cfa84b (plain) (blame) + + +
1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
+47
+48
+49
+50
+51
+52
+53
+54
+55
+56
+
Lua5.4 frees the lineinfo memory twice. Once via combine() and once
+via close_state() this causes a segfault on musl. The segfault double
+free can be fixed by having combine assign NULL to f->lineinfo after
+it has been freed. Thus not freeing it again in close_state().
+
+Valgrind output for the double-free:
+
+	==29903== Invalid free() / delete / delete[] / realloc()
+	==29903==    at 0x48A4B0D: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+	==29903==    by 0x11E5D2: l_alloc (lauxlib.c:1014)
+	==29903==    by 0x112F51: luaM_free_ (lmem.c:135)
+	==29903==    by 0x11111B: luaF_freeproto (lfunc.c:271)
+	==29903==    by 0x112ABB: deletelist (lgc.c:1494)
+	==29903==    by 0x112ABB: luaC_freeallobjects (lgc.c:1511)
+	==29903==    by 0x116D54: close_state (lstate.c:276)
+	==29903==    by 0x10B549: main (luac.c:210)
+	==29903==  Address 0x48ec220 is 0 bytes inside a block of size 10 free'd
+	==29903==    at 0x48A4B0D: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+	==29903==    by 0x11E5D2: l_alloc (lauxlib.c:1014)
+	==29903==    by 0x112F51: luaM_free_ (lmem.c:135)
+	==29903==    by 0x10C60C: combine (luac.c:158)
+	==29903==    by 0x10C60C: pmain (luac.c:183)
+	==29903==    by 0x10FF38: precallC (ldo.c:506)
+	==29903==    by 0x11020C: luaD_precall (ldo.c:572)
+	==29903==    by 0x110340: ccall (ldo.c:607)
+	==29903==    by 0x10F7CA: luaD_rawrunprotected (ldo.c:144)
+	==29903==    by 0x110668: luaD_pcall (ldo.c:926)
+	==29903==    by 0x10DB2F: lua_pcallk (lapi.c:1067)
+	==29903==    by 0x10B528: main (luac.c:209)
+	==29903==  Block was alloc'd at
+	==29903==    at 0x48A6FC9: realloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+	==29903==    by 0x112F7E: luaM_realloc_ (lmem.c:166)
+	==29903==    by 0x112FC5: luaM_saferealloc_ (lmem.c:180)
+	==29903==    by 0x113074: luaM_shrinkvector_ (lmem.c:116)
+	==29903==    by 0x114B02: close_func (lparser.c:764)
+	==29903==    by 0x116B1B: mainfunc (lparser.c:1937)
+	==29903==    by 0x116B1B: luaY_parser (lparser.c:1959)
+	==29903==    by 0x10F718: f_parser (ldo.c:971)
+	==29903==    by 0x10F7CA: luaD_rawrunprotected (ldo.c:144)
+	==29903==    by 0x110668: luaD_pcall (ldo.c:926)
+	==29903==    by 0x11074B: luaD_protectedparser (ldo.c:988)
+	==29903==    by 0x10DC13: lua_load (lapi.c:1097)
+	==29903==    by 0x10C5B1: combine (luac.c:151)
+	==29903==    by 0x10C5B1: pmain (luac.c:183)
+
+diff -upr lua5.4.4.orig/src/luac.c lua-5.4.4/src/luac.c
+--- lua5.4.4.orig/src/luac.c	2022-04-14 20:57:01.927447850 +0200
++++ lua-5.4.4/src/luac.c	2022-04-14 20:57:35.260900910 +0200
+@@ -156,6 +156,7 @@ static const Proto* combine(lua_State* L
+    if (f->p[i]->sizeupvalues>0) f->p[i]->upvalues[0].instack=0;
+   }
+   luaM_freearray(L,f->lineinfo,f->sizelineinfo);
++  f->lineinfo=NULL;
+   f->sizelineinfo=0;
+   return f;
+  }
+
+
+ +
+ + diff --git a/repo/system/lua/lua-5.4.4-shared_library-1.patch b/repo/system/lua/lua-5.4.4-shared_library-1.patch new file mode 100644 index 0000000..f1dfad9 --- /dev/null +++ b/repo/system/lua/lua-5.4.4-shared_library-1.patch @@ -0,0 +1,78 @@ +Submitted By: Douglas R. Reno +Date: 2020-06-30 +Initial Package Version: 5.4.0 +Upstream Status: Rejected +Origin: Arch Linux, with some modifications +Description: Creates a shared liblua library, as well as + removes optimization since it causes SIGBUS errors, + and sets the search path to /usr from /usr/local. + The initial version of this patch was created by + Igor Zivkovic, before being rediffed for 5.4.0 by + myself with some modifications made. + +diff -Naurp lua-5.4.0.orig/Makefile lua-5.4.0/Makefile +--- lua-5.4.0.orig/Makefile 2020-04-15 07:55:07.000000000 -0500 ++++ lua-5.4.0/Makefile 2020-06-30 13:22:00.997938585 -0500 +@@ -52,7 +52,7 @@ R= $V.0 + all: $(PLAT) + + $(PLATS) help test clean: +- @cd src && $(MAKE) $@ ++ @cd src && $(MAKE) $@ V=$(V) R=$(R) + + install: dummy + cd src && $(MKDIR) $(INSTALL_BIN) $(INSTALL_INC) $(INSTALL_LIB) $(INSTALL_MAN) $(INSTALL_LMOD) $(INSTALL_CMOD) +diff -Naurp lua-5.4.0.orig/src/luaconf.h lua-5.4.0/src/luaconf.h +--- lua-5.4.0.orig/src/luaconf.h 2020-06-18 09:25:54.000000000 -0500 ++++ lua-5.4.0/src/luaconf.h 2020-06-30 13:24:59.294932289 -0500 +@@ -227,7 +227,7 @@ + + #else /* }{ */ + +-#define LUA_ROOT "/usr/local/" ++#define LUA_ROOT "/usr/" + #define LUA_LDIR LUA_ROOT "share/lua/" LUA_VDIR "/" + #define LUA_CDIR LUA_ROOT "lib/lua/" LUA_VDIR "/" + +diff -Naurp lua-5.4.0.orig/src/Makefile lua-5.4.0/src/Makefile +--- lua-5.4.0.orig/src/Makefile 2020-04-15 08:00:29.000000000 -0500 ++++ lua-5.4.0/src/Makefile 2020-06-30 13:24:15.746933827 -0500 +@@ -7,7 +7,7 @@ + PLAT= guess + + CC= gcc -std=gnu99 +-CFLAGS= -O2 -Wall -Wextra -DLUA_COMPAT_5_3 $(SYSCFLAGS) $(MYCFLAGS) ++CFLAGS= -fPIC -O0 -Wall -Wextra -DLUA_COMPAT_5_3 -DLUA_COMPAT_5_2 -DLUA_COMPAT_5_1 $(SYSCFLAGS) $(MYCFLAGS) + LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS) + LIBS= -lm $(SYSLIBS) $(MYLIBS) + +@@ -33,6 +33,7 @@ CMCFLAGS= -Os + PLATS= guess aix bsd c89 freebsd generic linux linux-readline macosx mingw posix solaris + + LUA_A= liblua.a ++LUA_SO= liblua.so + CORE_O= lapi.o lcode.o lctype.o ldebug.o ldo.o ldump.o lfunc.o lgc.o llex.o lmem.o lobject.o lopcodes.o lparser.o lstate.o lstring.o ltable.o ltm.o lundump.o lvm.o lzio.o + LIB_O= lauxlib.o lbaselib.o lcorolib.o ldblib.o liolib.o lmathlib.o loadlib.o loslib.o lstrlib.o ltablib.o lutf8lib.o linit.o + BASE_O= $(CORE_O) $(LIB_O) $(MYOBJS) +@@ -44,7 +45,7 @@ LUAC_T= luac + LUAC_O= luac.o + + ALL_O= $(BASE_O) $(LUA_O) $(LUAC_O) +-ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) ++ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) $(LUA_SO) + ALL_A= $(LUA_A) + + # Targets start here. +@@ -60,6 +61,12 @@ $(LUA_A): $(BASE_O) + $(AR) $@ $(BASE_O) + $(RANLIB) $@ + ++$(LUA_SO): $(CORE_O) $(LIB_O) ++ $(CC) -shared -ldl -Wl,--soname,$(LUA_SO).$(V) -o $@.$(R) $? -lm ++ $(MYLDFLAGS) ++ ln -sf $(LUA_SO).$(R) $(LUA_SO).$(V) ++ ln -sf $(LUA_SO).$(R) $(LUA_SO) ++ + $(LUA_T): $(LUA_O) $(LUA_A) + $(CC) -o $@ $(LDFLAGS) $(LUA_O) $(LUA_A) $(LIBS) + diff --git a/repo/system/lua/lua.xibuild b/repo/system/lua/lua.xibuild index fdcf8ab..167fd70 100644 --- a/repo/system/lua/lua.xibuild +++ b/repo/system/lua/lua.xibuild @@ -6,18 +6,22 @@ DEPS="readline" PKG_VER=5.4.4 SOURCE=https://www.lua.org/ftp/lua-$PKG_VER.tar.gz ADDITIONAL=" - https://www.linuxfromscratch.org/patches/blfs/svn/lua-$PKG_VER-shared_library-1.patch lua5.4.pc + +CVE-2022-28805.patch +extern-c-for-cpp.patch +fix-double-free.patch +lua-5.4.4-shared_library-1.patch " DESC="A powerful lightweight scripting language" prepare () { + apply_patches sed -e "s|@MAJOR_VER@|${PKG_VER%.*}|g" \ -e "s|@MINOR_VER@|${PKG_VER}|g" \ -i lua5.4.pc - patch -Np1 -i lua-$PKG_VER-shared_library-1.patch cat > configure.ac <<-EOF top_buildir=. -- cgit v1.2.1