!54 [sync] PR-51: Fix for lua CVE-2022-28805

From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333

CVE-2022-28805.patch

@@ -0,0 +1,17 @@
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010265
+
+Origin: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
+
+--- a/vendor/lua/src/lparser.c
++++ b/vendor/lua/src/lparser.c
+@@ -468,6 +468,7 @@
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k != VVOID);  /* this one must exist */
++    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(&key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }

fix-leak-in-config-reload.patch

@@ -0,0 +1,37 @@
+From b4db7c3855c22c5b6cfcbabffd760e1808144e2e Mon Sep 17 00:00:00 2001
+From: dormando <dormando@rydia.net>
+Date: Sun, 10 Mar 2024 10:17:24 -0700
+Subject: [PATCH] proxy: fix leak in config reload
+
+- config reload loads the code from disk, then dumps it into an internal
+  binary blob
+- that binary blob is loaded from memory into each worker thread
+- that temporary blob wasn't being freed
+
+if you have large initial lua and reload every second for hours on end
+you'd leak a few megs of ram
+
+---
+ proxy_config.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/proxy_config.c b/proxy_config.c
+index cfe43b1..65e7e3a 100644
+--- a/proxy_config.c
++++ b/proxy_config.c
+@@ -240,6 +240,12 @@ int proxy_load_config(void *arg) {
+     db->buf = malloc(db->size);
+     lua_dump(L, _dump_helper, db, 0);
+     // 0 means no error.
++    if (ctx->proxy_code) {
++        struct _dumpbuf *old = ctx->proxy_code;
++        free(old->buf);
++        free(old);
++        ctx->proxy_code = NULL;
++    }
+     ctx->proxy_code = db;
+ 
+     // now we complete the data load by calling the function.
+-- 
+2.27.0
+

fix-potential-memory-corruption.patch

@@ -0,0 +1,57 @@
+From 4ff4e8169c5f73e37a17df482916752bc0b17d1f Mon Sep 17 00:00:00 2001
+From: dormando <dormando@rydia.net>
+Date: Thu, 21 Mar 2024 12:41:01 -0700
+Subject: [PATCH] crawler: fix potential memory corruption
+
+if the client closes during the finalization stages of the dump we can
+crash attempting to write a final END/EN to the client buffer.
+
+---
+ crawler.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/crawler.c b/crawler.c
+index e360081..a56538b 100644
+--- a/crawler.c
++++ b/crawler.c
+@@ -291,9 +291,11 @@ static void crawler_metadump_eval(crawler_module_t *cm, item *it, uint32_t hv, i
+ 
+ static void crawler_metadump_finalize(crawler_module_t *cm) {
+     if (cm->c.c != NULL) {
+-        lru_crawler_write(&cm->c); // empty the write buffer
+-        memcpy(cm->c.buf, "END\r\n", 5);
+-        cm->c.bufused += 5;
++        // flush any pending data.
++        if (lru_crawler_write(&cm->c) == 0) {
++            memcpy(cm->c.buf, "END\r\n", 5);
++            cm->c.bufused += 5;
++        }
+     }
+ }
+ 
+@@ -328,9 +330,11 @@ static void crawler_mgdump_eval(crawler_module_t *cm, item *it, uint32_t hv, int
+ 
+ static void crawler_mgdump_finalize(crawler_module_t *cm) {
+     if (cm->c.c != NULL) {
+-        lru_crawler_write(&cm->c); // empty the write buffer
+-        memcpy(cm->c.buf, "EN\r\n", 4);
+-        cm->c.bufused += 4;
++        // flush any pending data.
++        if (lru_crawler_write(&cm->c) == 0) {
++            memcpy(cm->c.buf, "EN\r\n", 4);
++            cm->c.bufused += 4;
++        }
+     }
+ }
+ 
+@@ -350,6 +354,7 @@ static int lru_crawler_write(crawler_client_t *c) {
+ 
+         if (ret < 0) {
+             // fatal.
++            lru_crawler_close_client(c);
+             return -1;
+         }
+ 
+-- 
+2.27.0
+

memcached.spec

@@ -6,17 +6,20 @@
 %bcond_with tests
 
 Name:          memcached
-Version:       1.6.12
-Release:       2
+Version:       1.6.22
+Release:       4
 Epoch:         0
 Summary:       A high-performance, distributed memory object caching system
-License:       GPL-2.0+
+License:       BSD-3-Clause
 URL:           https://www.memcached.org/
 Source0:       https://www.memcached.org/files/memcached-%{version}.tar.gz
 Source1:       https://releases.pagure.org/memcached-selinux/memcached-selinux-1.0.2.tar.gz
 Source2:       memcached.sysconfig
 
 Patch0001:     memcached-unit.patch
+Patch0002:     fix-leak-in-config-reload.patch
+Patch0003:     fix-potential-memory-corruption.patch
+Patch0004:     CVE-2022-28805.patch
 
 BuildRequires: systemd perl-generators perl(Test::More) perl(Test::Harness)
 BuildRequires: selinux-policy-devel libevent-devel make gcc
@@ -62,6 +65,9 @@ optimised for use with this version of memcached.
 %prep
 %setup -q -b 1
 %patch1 -p1 -b .unit
+%patch2 -p1 -b .reload
+%patch3 -p1 -b .corruption
+%patch4 -p1
 
 %build
 %configure \
@@ -144,6 +150,21 @@ fi
 %{_mandir}/man1/memcached.1*
 
 %changelog
+* Mon Jan 06 2025 yaoxin <1024769339@qq.com> - 0:1.6.22-4
+- Fix for lua CVE-2022-28805
+
+* Fri Jun 21 2024 yanshuai <yanshuai01@kylinos.cn> - 0:1.6.22-3
+- crawler: fix potential memory corruption
+
+* Thu Jun 06 2024 yanshuai <yanshuai01@kylinos.cn> - 0:1.6.22-2
+- proxy: fix leak in config reload
+
+* Thu Nov 02 2023 wangkai <13474090681@163.com> - 0:1.6.22-1
+- Update to 1.6.22 for fix CVE-2023-46852,CVE-2023-46853
+
+* Wed Apr 19 2023 xu_ping <707078654@qq.com> - 0:1.6.19-1
+- upgrade to 1.6.19
+
 * Mon Jan 10 2022 xu_ping <xuping33@huawei.com> - 0:1.6.12-2
 - Use policycoreutils-python3 to fix install failed