Merge pull request #73859 from ckauhaus/lua-5.3-CVE-2019-6706

lua-5.3: add patch for CVE-2019-6706

pkgs/development/interpreters/lua-5/CVE-2019-6706.patch

@@ -0,0 +1,22 @@
+--- a/src/lapi.c
++++ b/src/lapi.c
+@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
+ 
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+                                             int fidx2, int n2) {
+-  LClosure *f1;
+-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
++  UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
+   UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++  if (*up1 == *up2) return; /* Already joined */
++  (*up2)->refcount++;
++  if (upisopen(*up2)) (*up2)->u.open.touched = 1;
++  luaC_upvalbarrier(L, *up2);
+   luaC_upvdeccount(L, *up1);
+   *up1 = *up2;
+-  (*up1)->refcount++;
+-  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
+-  luaC_upvalbarrier(L, *up1);
+ }
+ 
+ 

pkgs/development/interpreters/lua-5/default.nix

@@ -1,5 +1,5 @@
 # similar to interpreters/python/default.nix
-{ stdenv, lib, callPackage, fetchurl }:
+{ stdenv, lib, callPackage, fetchurl, fetchpatch }:
 let
   dsoPatch51 = fetchurl {
     url = "https://projects.archlinux.org/svntogit/packages.git/plain/trunk/lua-arch.patch?h=packages/lua51";
@@ -18,7 +18,10 @@ in rec {
   lua5_3 = callPackage ./interpreter.nix {
     sourceVersion = { major = "5"; minor = "3"; patch = "5"; };
     hash = "0c2eed3f960446e1a3e4b9a1ca2f3ff893b6ce41942cf54d5dd59ab4b3b058ac";
-    patches = lib.optionals stdenv.isDarwin [ ./5.2.darwin.patch ] ;
+    patches =
+      lib.optionals stdenv.isDarwin [ ./5.2.darwin.patch ] ++ [
+        ./CVE-2019-6706.patch
+      ];
     postConfigure = lib.optionalString (!stdenv.isDarwin) ''
       cat ${./lua-5.3-dso.make} >> src/Makefile
       sed -e 's/ALL_T *= */& $(LUA_SO)/' -i src/Makefile