diff --git a/SOURCES/lua-5.4.2-CVE-2022-33099.patch b/SOURCES/lua-5.4.2-CVE-2022-33099.patch
new file mode 100644
index 0000000..1a2ba97
--- /dev/null
+++ b/SOURCES/lua-5.4.2-CVE-2022-33099.patch
@@ -0,0 +1,51 @@
+diff -up lua-5.4.2/src/ldebug.c.orig lua-5.4.2/src/ldebug.c
+--- lua-5.4.2/src/ldebug.c.orig	2020-11-13 16:32:00.000000000 +0100
++++ lua-5.4.2/src/ldebug.c	2022-10-21 14:35:02.200941813 +0200
+@@ -772,8 +772,11 @@ l_noret luaG_runerror (lua_State *L, con
+   va_start(argp, fmt);
+   msg = luaO_pushvfstring(L, fmt, argp);  /* format message */
+   va_end(argp);
+-  if (isLua(ci))  /* if Lua function, add source:line information */
++  if (isLua(ci)) {  /* if Lua function, add source:line information */
+     luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci));
++    setobjs2s(L, L->top - 2, L->top - 1);  /* remove 'msg' from the stack */
++    L->top--;
++  }
+   luaG_errormsg(L);
+ }
+ 
+diff -up lua-5.4.2/src/lvm.c.orig lua-5.4.2/src/lvm.c
+--- lua-5.4.2/src/lvm.c.orig	2020-11-13 16:32:02.000000000 +0100
++++ lua-5.4.2/src/lvm.c	2022-10-21 14:35:31.713755890 +0200
+@@ -641,7 +641,7 @@ void luaV_concat (lua_State *L, int tota
+     int n = 2;  /* number of elements handled in this pass (at least 2) */
+     if (!(ttisstring(s2v(top - 2)) || cvt2str(s2v(top - 2))) ||
+         !tostring(L, s2v(top - 1)))
+-      luaT_tryconcatTM(L);
++      luaT_tryconcatTM(L);  /* may invalidate 'top' */
+     else if (isemptystr(s2v(top - 1)))  /* second operand is empty? */
+       cast_void(tostring(L, s2v(top - 2)));  /* result is first operand */
+     else if (isemptystr(s2v(top - 2))) {  /* first operand is empty string? */
+@@ -654,8 +654,10 @@ void luaV_concat (lua_State *L, int tota
+       /* collect total length and number of strings */
+       for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
+         size_t l = vslen(s2v(top - n - 1));
+-        if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
++        if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
++          L->top = top - total;  /* pop strings to avoid wasting stack */
+           luaG_runerror(L, "string length overflow");
++        }
+         tl += l;
+       }
+       if (tl <= LUAI_MAXSHORTLEN) {  /* is result a short string? */
+@@ -669,8 +671,8 @@ void luaV_concat (lua_State *L, int tota
+       }
+       setsvalue2s(L, top - n, ts);  /* create result */
+     }
+-    total -= n-1;  /* got 'n' strings to create 1 new */
+-    L->top -= n-1;  /* popped 'n' strings and pushed one */
++    total -= n - 1;  /* got 'n' strings to create one new */
++    L->top -= n - 1;  /* popped 'n' strings and pushed one */
+   } while (total > 1);  /* repeat until only 1 result left */
+ }
+ 
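Review bot: The new patch file begins directly at the `diff -up` line for `src/ldebug.c` and carries no header saying where the change comes from. A reader therefore cannot check the embedded `luaG_runerror` and `luaV_concat` hunks against the upstream fix they are meant to carry. The changelog in this same commit records that the patch already needed one fix-up, which makes the origin worth writing down. I would add a short header above the first `diff -up` line, such as `Upstream: <UPSTREAM_COMMIT_URL>` and `Fixes: CVE-2022-33099`, plus a sentence on anything adapted for 5.4.2. No reproducer or regression test for the error path is visible in this commit; if none exists elsewhere, it is worth adding one to the package tests.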
diff --git a/SPECS/lua.spec b/SPECS/lua.spec
index b224523..574795d 100644
--- a/SPECS/lua.spec
+++ b/SPECS/lua.spec
@@ -14,7 +14,7 @@
 
 Name:           lua
 Version:        %{major_version}.2
-Release:        4%{?dist}
+Release:        4%{?dist}.3
 Summary:        Powerful light-weight programming language
 License:        MIT
 URL:            http://www.lua.org/
@@ -38,6 +38,7 @@ Patch6:		%{name}-5.3.5-luac-shared-link-fix.patch
 %endif
 # https://www.lua.org/bugs.html
 Patch18:	%{name}-5.3.5-CVE-2020-24370.patch
+Patch19:	%{name}-5.4.2-CVE-2022-33099.patch
 
 BuildRequires:  automake autoconf libtool readline-devel ncurses-devel
 BuildRequires: make
@@ -92,6 +93,7 @@ mv src/luaconf.h src/luaconf.h.template.in
 #%% patch2 -p1 -z .luac-shared
 %patch3 -p1 -z .configure-linux
 %patch4 -p1 -z .configure-compat-all
+%patch19 -p1 -b .CVE-2022-33099
 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
 autoreconf -ifv
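Review bot: The added `%patch19` line passes the backup suffix with `-b`, while the `%patch3` and `%patch4` lines directly above it use `-z`. As far as I know rpm treats the two options the same, so this is a consistency point only: `%patch19 -p1 -z .CVE-2022-33099`. A comment above it such as `# CVE-2022-33099: stack handling in luaG_runerror / luaV_concat` would also help, since this is the only line in `%prep` that shows the security fix is actually applied.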
@@ -209,6 +211,15 @@ popd
 %{_libdir}/*.a
 
 %changelog
+* Fri Oct 21 2022 Michal Domonkos <mdomonko@redhat.com> - 5.4.2-4.3
+- Fix up CVE-2022-33099 patch
+
+* Mon Oct 17 2022 Michal Domonkos <mdomonko@redhat.com> - 5.4.2-4.2
+- Enable gating
+
+* Mon Oct 17 2022 Michal Domonkos <mdomonko@redhat.com> - 5.4.2-4.1
+- apply upstream fix for CVE-2022-33099
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 5.4.2-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688