Merge pull request #174094 from mayflower/lua-security

lua5_{2,4}: add patch for CVE-2022-28805
2024-12-03 12:23:02 +00:00 · 2022-05-31 11:03:34 +02:00 · 2022-05-31 11:03:34 +02:00 · 98e833fe59
commit 98e833fe59
parent 85ace547bd 5a7d0b6b34
2 changed files with 24 additions and 2 deletions
--- a/pkgs/development/interpreters/lua-5/CVE-2022-28805.patch
+++ b/pkgs/development/interpreters/lua-5/CVE-2022-28805.patch
@ -0,0 +1,10 @@
+--- a/src/lparser.c
+++ b/src/lparser.c
+@@ -301,6 +301,7 @@
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k == VLOCAL || var->k == VUPVAL);
+    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(ls, &key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }
--- a/pkgs/development/interpreters/lua-5/default.nix
+++ b/pkgs/development/interpreters/lua-5/default.nix
@ -7,7 +7,17 @@ rec {
    hash = "1yxvjvnbg4nyrdv10bq42gz6dr66pyan28lgzfygqfwy2rv24qgq";
    makeWrapper = makeBinaryWrapper;

-    patches = lib.optional stdenv.isDarwin ./5.4.darwin.patch;
+    patches = lib.optional stdenv.isDarwin ./5.4.darwin.patch
+      ++ [
+        (fetchpatch {
+          name = "CVE-2022-28805.patch";
+          url = "https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa.patch";
+          sha256 = "sha256-YTwoolSnRNJIHFPVijSO6ZDw35BG5oWYralZ8qOb9y8=";
+          stripLen = 1;
+          extraPrefix = "src/";
+          excludes = [ "src/testes/*" ];
+        })
+      ];
  };

  lua5_4_compat = lua5_4.override({
@ -32,7 +42,9 @@ rec {
    sourceVersion = { major = "5"; minor = "2"; patch = "4"; };
    hash = "0jwznq0l8qg9wh5grwg07b5cy3lzngvl5m2nl1ikp6vqssmf9qmr";
    makeWrapper = makeBinaryWrapper;
-    patches = lib.optional stdenv.isDarwin ./5.2.darwin.patch;
+    patches = [
+      ./CVE-2022-28805.patch
+    ] ++ lib.optional stdenv.isDarwin ./5.2.darwin.patch;
  };

  lua5_2_compat = lua5_2.override({