Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1039708,
regarding bullseye-pu: package lua5.3/5.3.3-1.1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1039708: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039708
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lua...@packages.debian.org
Control: affects -1 + src:lua5.3

[ Reason ]

lua5.3=5.3.3-1.1 (buster, bullseye) is vulnerable to CVE-2019-6706 and
CVE-2020-24370.  These were fixed in a recent buster-security upload
(cf. DLA-3469-1).  The Security Team didn't think a DSA was warranted
for bullseye, and suggested to go via bullseye-pu instead.

[ Impact ]

* bullseye's lua5.3 would remain vulnerable to CVE-2019-6706 and
  CVE-2020-24370 (unlike buster-security).
* buster-security version (5.3.3-1.1+deb10u1) would remain higher than
  bullseye's (5.3.3-1.1).

[ Tests ]

* CVE-2019-6706 and CVE-2020-24370 POCs.
* (Adapted) upstream test suite from v5.3.6.
* (Local tests only, the above isn't run at build time nor in
  autopkgtests.)

[ Risks ]

Trivial patches backported from upstream's 5.3 branch.  The same patches
have been uploaded to buster-security on June 23.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

 * Backport upstream fix for CVE-2019-6706: Use after free in
   lua_upvaluejoin in lapi.c. (Closes: #920321)
 * Backport upstream fix for CVE-2020-24370: Segmentation fault in getlocal
   and setlocal functions in ldebug.c. (Closes: #988734)
 * Add d/salsa-ci.yml for Salsa CI.

[ Other info ]

The suggested debdiff is exactly (modulo d/changelog and d/salsa-ci.yml)
what was uploaded to buster-security.

-- 
Guilhem.
diffstat for lua5.3-5.3.3 lua5.3-5.3.3

 changelog                    |   10 +++++++
 patches/CVE-2019-6706.patch  |   57 +++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2020-24370.patch |   39 +++++++++++++++++++++++++++++
 patches/series               |    2 +
 salsa-ci.yml                 |    9 ++++++
 5 files changed, 117 insertions(+)

diff -Nru lua5.3-5.3.3/debian/changelog lua5.3-5.3.3/debian/changelog
--- lua5.3-5.3.3/debian/changelog       2018-12-28 20:10:13.000000000 +0100
+++ lua5.3-5.3.3/debian/changelog       2023-06-22 22:03:38.000000000 +0200
@@ -1,3 +1,13 @@
+lua5.3 (5.3.3-1.1+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2019-6706: Use after free in lua_upvaluejoin in lapi.c. (Closes:
+    #920321)
+  * Fix CVE-2020-24370: Segmentation fault in getlocal and setlocal functions
+    in ldebug.c. (Closes: #988734)
+
+ -- Guilhem Moulin <guil...@debian.org>  Thu, 22 Jun 2023 22:03:38 +0200
+
 lua5.3 (5.3.3-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
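Review bot: The new 5.3.3-1.1+deb11u1 entry lists the two CVE fixes but not the added debian/salsa-ci.yml, although the request's [ Changes ] section lists it and the checklist states that all changes are documented in d/changelog. Add a line such as "* Add d/salsa-ci.yml for Salsa CI." to the entry so the changelog matches the debdiff.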
diff -Nru lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch 
lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch
--- lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch     1970-01-01 
01:00:00.000000000 +0100
+++ lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch     2023-06-22 
22:03:38.000000000 +0200
@@ -0,0 +1,57 @@
+From: Roberto Ierusalimschy <robe...@inf.puc-rio.br>
+Date: Wed, 27 Mar 2019 14:30:12 -0300
+Subject: Fixed bug in 'lua_upvaluejoin'
+
+Bug-fix: joining an upvalue with itself could cause a use-after-free
+crash.
+
+Origin: 
https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e
+Bug: http://lua-users.org/lists/lua-l/2019-01/msg00039.html
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-6706
+Bug-Debian: https://bugs.debian.org/920321
+---
+ src/lapi.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/lapi.c b/src/lapi.c
+index c9455a5..86eac00 100644
+--- a/src/lapi.c
++++ b/src/lapi.c
+@@ -1253,13 +1253,12 @@ LUA_API const char *lua_setupvalue (lua_State *L, int 
funcindex, int n) {
+ }
+ 
+ 
+-static UpVal **getupvalref (lua_State *L, int fidx, int n, LClosure **pf) {
++static UpVal **getupvalref (lua_State *L, int fidx, int n) {
+   LClosure *f;
+   StkId fi = index2addr(L, fidx);
+   api_check(L, ttisLclosure(fi), "Lua function expected");
+   f = clLvalue(fi);
+   api_check(L, (1 <= n && n <= f->p->sizeupvalues), "invalid upvalue index");
+-  if (pf) *pf = f;
+   return &f->upvals[n - 1];  /* get its upvalue pointer */
+ }
+ 
+@@ -1268,7 +1267,7 @@ LUA_API void *lua_upvalueid (lua_State *L, int fidx, int 
n) {
+   StkId fi = index2addr(L, fidx);
+   switch (ttype(fi)) {
+     case LUA_TLCL: {  /* lua closure */
+-      return *getupvalref(L, fidx, n, NULL);
++      return *getupvalref(L, fidx, n);
+     }
+     case LUA_TCCL: {  /* C closure */
+       CClosure *f = clCvalue(fi);
+@@ -1285,9 +1284,10 @@ LUA_API void *lua_upvalueid (lua_State *L, int fidx, 
int n) {
+ 
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+                                             int fidx2, int n2) {
+-  LClosure *f1;
+-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+-  UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++  UpVal **up1 = getupvalref(L, fidx1, n1);
++  UpVal **up2 = getupvalref(L, fidx2, n2);
++  if (*up1 == *up2)
++    return;
+   luaC_upvdeccount(L, *up1);
+   *up1 = *up2;
+   (*up1)->refcount++;
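Review bot: In lua_upvaluejoin, the new "if (*up1 == *up2) return;" guard has no comment saying why a self-join must be a no-op. Without the guard, luaC_upvdeccount(L, *up1) runs before (*up1)->refcount++ on the same upvalue, which is the use-after-free the patch header describes. A one-line comment to that effect above the check would keep it from being dropped in a later refactor. The request says the PoC is only run locally, so consider shipping it as an autopkgtest as well.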
diff -Nru lua5.3-5.3.3/debian/patches/CVE-2020-24370.patch 
lua5.3-5.3.3/debian/patches/CVE-2020-24370.patch
--- lua5.3-5.3.3/debian/patches/CVE-2020-24370.patch    1970-01-01 
01:00:00.000000000 +0100
+++ lua5.3-5.3.3/debian/patches/CVE-2020-24370.patch    2023-06-22 
22:03:38.000000000 +0200
@@ -0,0 +1,39 @@
+From: Roberto Ierusalimschy <robe...@inf.puc-rio.br>
+Date: Mon, 3 Aug 2020 16:25:28 -0300
+Subject: Fixed bug: Negation overflow in getlocal/setlocal
+
+Origin: 
https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9
+Bug: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-24370
+Bug-Debian: https://bugs.debian.org/988734
+---
+ src/ldebug.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/ldebug.c b/src/ldebug.c
+index e499ee3..596bed2 100644
+--- a/src/ldebug.c
++++ b/src/ldebug.c
+@@ -132,10 +132,11 @@ static const char *upvalname (Proto *p, int uv) {
+ 
+ static const char *findvararg (CallInfo *ci, int n, StkId *pos) {
+   int nparams = clLvalue(ci->func)->p->numparams;
+-  if (n >= cast_int(ci->u.l.base - ci->func) - nparams)
++  int nvararg = cast_int(ci->u.l.base - ci->func) - nparams;
++  if (n <= -nvararg)
+     return NULL;  /* no such vararg */
+   else {
+-    *pos = ci->func + nparams + n;
++    *pos = ci->func + nparams - n;
+     return "(*vararg)";  /* generic name for any vararg */
+   }
+ }
+@@ -147,7 +148,7 @@ static const char *findlocal (lua_State *L, CallInfo *ci, 
int n,
+   StkId base;
+   if (isLua(ci)) {
+     if (n < 0)  /* access to vararg values? */
+-      return findvararg(ci, -n, pos);
++      return findvararg(ci, n, pos);
+     else {
+       base = ci->u.l.base;
+       name = luaF_getlocalname(ci_func(ci)->p, n, currentpc(ci));
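Review bot: findvararg now expects a negative n (findlocal passes n instead of -n), but nothing in the function documents that changed contract. Add a comment or a lua_assert(n < 0) above "if (n <= -nvararg)", since a positive n would pass that check and make "ci->func + nparams - n" point below the varargs. The new comparison does handle the smallest int without negating it, which is the overflow named in the patch subject; a short comment saying so would help the next reader.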
diff -Nru lua5.3-5.3.3/debian/patches/series lua5.3-5.3.3/debian/patches/series
--- lua5.3-5.3.3/debian/patches/series  2018-12-01 04:39:23.000000000 +0100
+++ lua5.3-5.3.3/debian/patches/series  2023-06-22 22:03:38.000000000 +0200
@@ -2,3 +2,5 @@
 0002-lua-modules-paths.patch
 0003-extern_C.patch
 0004-Fix-invalid-pointer-conversions.patch
+CVE-2019-6706.patch
+CVE-2020-24370.patch
diff -Nru lua5.3-5.3.3/debian/salsa-ci.yml lua5.3-5.3.3/debian/salsa-ci.yml
--- lua5.3-5.3.3/debian/salsa-ci.yml    1970-01-01 01:00:00.000000000 +0100
+++ lua5.3-5.3.3/debian/salsa-ci.yml    2023-06-22 22:03:38.000000000 +0200
@@ -0,0 +1,9 @@
+---
+include:
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'bullseye'
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_LINTIAN: 1
+  SALSA_CI_DISABLE_PIUPARTS: 1
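Review bot: SALSA_CI_DISABLE_REPROTEST, SALSA_CI_DISABLE_LINTIAN and SALSA_CI_DISABLE_PIUPARTS are all set to 1 with no comment explaining why. For an upload to a stable release, lintian and piuparts are inexpensive checks on the package and its upgrade path; either leave them enabled or add a comment giving the reason each job is off. The include also follows raw/master of the pipeline recipe, so CI behaviour can change without any change in this package.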

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam

--- End Message ---
