Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lua...@packages.debian.org
Control: affects -1 + src:lua5.3

[ Reason ]

lua5.3=5.3.3-1.1 (buster, bullseye) is vulnerable to CVE-2019-6706 and
CVE-2020-24370.  These were fixed in a recent buster-security upload
(cf. DLA-3469-1).  The Security Team didn't think a DSA was warranted
for bullseye, and suggested to go via bullseye-pu instead.

[ Impact ]

* bullseye's lua5.3 would remain vulnerable to CVE-2019-6706 and
  CVE-2020-24370 (unlike buster-security).
* buster-security version (5.3.3-1.1+deb10u1) would remain higher than
  bullseye's (5.3.3-1.1).

[ Tests ]

* CVE-2019-6706 and CVE-2020-24370 POCs.
* (Adapted) upstream test suite from v5.3.6.
* (Local tests only, the above isn't run at build time nor in
  autopkgtests.)

[ Risks ]

Trivial patches backported from upstream's 5.3 branch.  The same patches
have been uploaded to buster-security on June 23.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

 * Backport upstream fix for CVE-2019-6706: Use after free in
   lua_upvaluejoin in lapi.c. (Closes: #920321)
 * Backport upstream fix for CVE-2020-24370: Segmentation fault in getlocal
   and setlocal functions in ldebug.c. (Closes: #988734)
 * Add d/salsa-ci.yml for Salsa CI.

[ Other info ]

The suggested debdiff is exactly (modulo d/changelog and d/salsa-ci.yml)
what was uploaded to buster-security.

-- 
Guilhem.
diffstat for lua5.3-5.3.3 lua5.3-5.3.3

 changelog                    |   10 +++++++
 patches/CVE-2019-6706.patch  |   57 +++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2020-24370.patch |   39 +++++++++++++++++++++++++++++
 patches/series               |    2 +
 salsa-ci.yml                 |    9 ++++++
 5 files changed, 117 insertions(+)

diff -Nru lua5.3-5.3.3/debian/changelog lua5.3-5.3.3/debian/changelog
--- lua5.3-5.3.3/debian/changelog       2018-12-28 20:10:13.000000000 +0100
+++ lua5.3-5.3.3/debian/changelog       2023-06-22 22:03:38.000000000 +0200
@@ -1,3 +1,13 @@
+lua5.3 (5.3.3-1.1+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2019-6706: Use after free in lua_upvaluejoin in lapi.c. (Closes:
+    #920321)
+  * Fix CVE-2020-24370: Segmentation fault in getlocal and setlocal functions
+    in ldebug.c. (Closes: #988734)
+
+ -- Guilhem Moulin <guil...@debian.org>  Thu, 22 Jun 2023 22:03:38 +0200
+
 lua5.3 (5.3.3-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch 
lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch
--- lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch     1970-01-01 
01:00:00.000000000 +0100
+++ lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch     2023-06-22 
22:03:38.000000000 +0200
@@ -0,0 +1,57 @@
+From: Roberto Ierusalimschy <robe...@inf.puc-rio.br>
+Date: Wed, 27 Mar 2019 14:30:12 -0300
+Subject: Fixed bug in 'lua_upvaluejoin'
+
+Bug-fix: joining an upvalue with itself could cause a use-after-free
+crash.
+
+Origin: 
https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e
+Bug: http://lua-users.org/lists/lua-l/2019-01/msg00039.html
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-6706
+Bug-Debian: https://bugs.debian.org/920321
+---
+ src/lapi.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/lapi.c b/src/lapi.c
+index c9455a5..86eac00 100644
+--- a/src/lapi.c
++++ b/src/lapi.c
+@@ -1253,13 +1253,12 @@ LUA_API const char *lua_setupvalue (lua_State *L, int 
funcindex, int n) {
+ }
+ 
+ 
+-static UpVal **getupvalref (lua_State *L, int fidx, int n, LClosure **pf) {
++static UpVal **getupvalref (lua_State *L, int fidx, int n) {
+   LClosure *f;
+   StkId fi = index2addr(L, fidx);
+   api_check(L, ttisLclosure(fi), "Lua function expected");
+   f = clLvalue(fi);
+   api_check(L, (1 <= n && n <= f->p->sizeupvalues), "invalid upvalue index");
+-  if (pf) *pf = f;
+   return &f->upvals[n - 1];  /* get its upvalue pointer */
+ }
+ 
+@@ -1268,7 +1267,7 @@ LUA_API void *lua_upvalueid (lua_State *L, int fidx, int 
n) {
+   StkId fi = index2addr(L, fidx);
+   switch (ttype(fi)) {
+     case LUA_TLCL: {  /* lua closure */
+-      return *getupvalref(L, fidx, n, NULL);
++      return *getupvalref(L, fidx, n);
+     }
+     case LUA_TCCL: {  /* C closure */
+       CClosure *f = clCvalue(fi);
+@@ -1285,9 +1284,10 @@ LUA_API void *lua_upvalueid (lua_State *L, int fidx, 
int n) {
+ 
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+                                             int fidx2, int n2) {
+-  LClosure *f1;
+-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+-  UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++  UpVal **up1 = getupvalref(L, fidx1, n1);
++  UpVal **up2 = getupvalref(L, fidx2, n2);
++  if (*up1 == *up2)
++    return;
+   luaC_upvdeccount(L, *up1);
+   *up1 = *up2;
+   (*up1)->refcount++;
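Review bot: The new early return `if (*up1 == *up2) return;` in lua_upvaluejoin carries no comment, so a reader of the backported code has to reconstruct from the patch header why a self-join must be skipped: the `luaC_upvdeccount(L, *up1)` that follows presumably drops the only reference, and the `(*up1)->refcount++` two lines later would then touch freed memory, which is the use-after-free the header describes. Suggest `/* same upvalue: nothing to do (decrementing it first could free it) */` directly above the check. The patch is a verbatim upstream backport, so if keeping the code identical to upstream matters more, the same sentence belongs in the patch description under the existing Bug-fix line instead. lua_upvaluejoin's body continues past the end of the hunk.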
diff -Nru lua5.3-5.3.3/debian/patches/CVE-2020-24370.patch 
lua5.3-5.3.3/debian/patches/CVE-2020-24370.patch
--- lua5.3-5.3.3/debian/patches/CVE-2020-24370.patch    1970-01-01 
01:00:00.000000000 +0100
+++ lua5.3-5.3.3/debian/patches/CVE-2020-24370.patch    2023-06-22 
22:03:38.000000000 +0200
@@ -0,0 +1,39 @@
+From: Roberto Ierusalimschy <robe...@inf.puc-rio.br>
+Date: Mon, 3 Aug 2020 16:25:28 -0300
+Subject: Fixed bug: Negation overflow in getlocal/setlocal
+
+Origin: 
https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9
+Bug: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-24370
+Bug-Debian: https://bugs.debian.org/988734
+---
+ src/ldebug.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/ldebug.c b/src/ldebug.c
+index e499ee3..596bed2 100644
+--- a/src/ldebug.c
++++ b/src/ldebug.c
+@@ -132,10 +132,11 @@ static const char *upvalname (Proto *p, int uv) {
+ 
+ static const char *findvararg (CallInfo *ci, int n, StkId *pos) {
+   int nparams = clLvalue(ci->func)->p->numparams;
+-  if (n >= cast_int(ci->u.l.base - ci->func) - nparams)
++  int nvararg = cast_int(ci->u.l.base - ci->func) - nparams;
++  if (n <= -nvararg)
+     return NULL;  /* no such vararg */
+   else {
+-    *pos = ci->func + nparams + n;
++    *pos = ci->func + nparams - n;
+     return "(*vararg)";  /* generic name for any vararg */
+   }
+ }
+@@ -147,7 +148,7 @@ static const char *findlocal (lua_State *L, CallInfo *ci, 
int n,
+   StkId base;
+   if (isLua(ci)) {
+     if (n < 0)  /* access to vararg values? */
+-      return findvararg(ci, -n, pos);
++      return findvararg(ci, n, pos);
+     else {
+       base = ci->u.l.base;
+       name = luaF_getlocalname(ci_func(ci)->p, n, currentpc(ci));
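Review bot: findvararg's sign convention changes in this hunk — findlocal now passes the raw negative n instead of -n, and findvararg computes `nparams - n` and compares `n <= -nvararg` — but nothing in findvararg says that n is expected to be negative, so the old positive-n reading of the parameter is still the natural one. Suggest `/* n < 0: -1 is the first vararg; negate the small nvararg count rather than n, whose negation can overflow (see Subject) */` above the `int nvararg = …` line. The `n < 0` guard in findlocal is the only caller visible here; findlocal's body continues past the end of the hunk.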
diff -Nru lua5.3-5.3.3/debian/patches/series lua5.3-5.3.3/debian/patches/series
--- lua5.3-5.3.3/debian/patches/series  2018-12-01 04:39:23.000000000 +0100
+++ lua5.3-5.3.3/debian/patches/series  2023-06-22 22:03:38.000000000 +0200
@@ -2,3 +2,5 @@
 0002-lua-modules-paths.patch
 0003-extern_C.patch
 0004-Fix-invalid-pointer-conversions.patch
+CVE-2019-6706.patch
+CVE-2020-24370.patch
diff -Nru lua5.3-5.3.3/debian/salsa-ci.yml lua5.3-5.3.3/debian/salsa-ci.yml
--- lua5.3-5.3.3/debian/salsa-ci.yml    1970-01-01 01:00:00.000000000 +0100
+++ lua5.3-5.3.3/debian/salsa-ci.yml    2023-06-22 22:03:38.000000000 +0200
@@ -0,0 +1,9 @@
+---
+include:
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'bullseye'
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_LINTIAN: 1
+  SALSA_CI_DISABLE_PIUPARTS: 1
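Review bot: The three SALSA_CI_DISABLE_* variables switch off reprotest, lintian and piuparts without a comment saying why, so the next person touching this file cannot tell whether those jobs are known to fail on this old baseline or were simply not wanted for a security backport. Suggest a YAML comment above `variables:` such as `# reprotest/lintian/piuparts disabled: <fill in reason>` with the actual reason in place of the placeholder. The include line pulls the pipeline recipe from `raw/master`; that is the usual salsa-ci form, but it does mean the CI definition is unpinned, which may be worth stating in the same comment if intentional.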
