1 files changed, 32 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch
new file mode 100644
index 000000000..cfe48af5a
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch
@@ -0,0 +1,32 @@
+CVE-2019-6706: use-after-free in lua_upvaluejoin function 
+Upstream-Status: Backport
+http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
+CVE: CVE-2019-6706
+Affects < 5.3.5
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: lua-5.3.4/src/lapi.c
+===================================================================
+--- lua-5.3.4.orig/src/lapi.c
+++ lua-5.3.4/src/lapi.c
+@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
+ 
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+                                             int fidx2, int n2) {
+-  LClosure *f1;
+-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+  UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
+   UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
+  if (*up1 == *up2) return; /* Already joined */
+  (*up2)->refcount++;
+  if (upisopen(*up2)) (*up2)->u.open.touched = 1;
+  luaC_upvalbarrier(L, *up2);
+   luaC_upvdeccount(L, *up1);
+   *up1 = *up2;
+-  (*up1)->refcount++;
+-  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
+-  luaC_upvalbarrier(L, *up1);
+ }
+ 
+

diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch new file mode 100644 index 000000000..cfe48af5a --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch
@@ -0,0 +1,32 @@
	1	CVE-2019-6706: use-after-free in lua_upvaluejoin function
	2
	3	Upstream-Status: Backport
	4	http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
	5	CVE: CVE-2019-6706
	6	Affects < 5.3.5
	7	Signed-off-by: Armin Kuster <akuster@mvista.com>
	8
	9	Index: lua-5.3.4/src/lapi.c
	10	===================================================================
	11	--- lua-5.3.4.orig/src/lapi.c
	12	+++ lua-5.3.4/src/lapi.c
	13	@@ -1285,14 +1285,14 @@ LUA_API void lua_upvalueid (lua_State
	14
	15	LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
	16	int fidx2, int n2) {
	17	- LClosure *f1;
	18	- UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
	19	+ UpVal *up1 = getupvalref(L, fidx1, n1, NULL); / the last parameter not needed */
	20	UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
	21	+ if (up1 == up2) return; /* Already joined */
	22	+ (*up2)->refcount++;
	23	+ if (upisopen(up2)) (up2)->u.open.touched = 1;
	24	+ luaC_upvalbarrier(L, *up2);
	25	luaC_upvdeccount(L, *up1);
	26	up1 = up2;
	27	- (*up1)->refcount++;
	28	- if (upisopen(up1)) (up1)->u.open.touched = 1;
	29	- luaC_upvalbarrier(L, *up1);
	30	}
	31
	32