mirror of
https://git.yoctoproject.org/poky
synced 2026-07-16 03:47:03 +00:00
lua: fix CVE-2022-28805
singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code. https://nvd.nist.gov/vuln/detail/CVE-2022-28805 (From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
committed by
Richard Purdie
parent
8f48f1014f
commit
91e14d3a8e
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.lua.org/"
|
||||
|
||||
SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
|
||||
file://lua.pc.in \
|
||||
file://CVE-2022-28805.patch \
|
||||
${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'http://www.lua.org/tests/lua-${PV_testsuites}-tests.tar.gz;name=tarballtest file://run-ptest ', '', d)} \
|
||||
"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user