1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-16 03:47:03 +00:00

lua: fix CVE-2022-28805

singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
call, leading to a heap-based buffer over-read that might affect a system that
compiles untrusted Lua code.

https://nvd.nist.gov/vuln/detail/CVE-2022-28805

(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Steve Sakoman
2022-04-18 09:04:08 -10:00
committed by Richard Purdie
parent 8f48f1014f
commit 91e14d3a8e
2 changed files with 27 additions and 0 deletions
+1
View File
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.lua.org/"
SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
file://lua.pc.in \
file://CVE-2022-28805.patch \
${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'http://www.lua.org/tests/lua-${PV_testsuites}-tests.tar.gz;name=tarballtest file://run-ptest ', '', d)} \
"