[AUTO-CHERRYPICK] [AutoPR- Security] Patch sysbench for CVE-2024-25178, CVE-2024-25176 [HIGH] - branch main (microsoft#14346)

Co-authored-by: Azure Linux Security Servicing Account <[email protected]>

Author: CBL-Mariner-Bot

SPECS/sysbench/CVE-2024-25176.patch

@@ -0,0 +1,28 @@
+From 14953c5c84f417ccec620242485eb19475bc3999 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 17 Jul 2025 08:48:50 +0000
+Subject: [PATCH] Fix CVE CVE-2024-25176 in sysbench
+
+Upstream Patch Reference: https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc.patch
+---
+ third_party/luajit/luajit/src/lj_strfmt_num.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/third_party/luajit/luajit/src/lj_strfmt_num.c b/third_party/luajit/luajit/src/lj_strfmt_num.c
+index 9271f68..1d4fc7c 100644
+--- a/third_party/luajit/luajit/src/lj_strfmt_num.c
++++ b/third_party/luajit/luajit/src/lj_strfmt_num.c
+@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
+ 	    prec--;
+ 	    if (!i) {
+ 	      if (ndlo == ndhi) { prec = 0; break; }
+-	      lj_strfmt_wuint9(tail, nd[++ndlo]);
++	      ndlo = (ndlo + 1) & 0x3f;
++	      lj_strfmt_wuint9(tail, nd[ndlo]);
+ 	      i = 9;
+ 	    }
+ 	  }
+-- 
+2.45.3
+

SPECS/sysbench/CVE-2024-25178.patch

@@ -0,0 +1,26 @@
+From 19dd1c43f8f6e28a8176d4f8417b9d7dbba681f1 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 17 Jul 2025 08:48:57 +0000
+Subject: [PATCH] Fix CVE CVE-2024-25178 in sysbench
+
+Upstream Patch Reference: https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8.patch
+---
+ third_party/luajit/luajit/src/lj_debug.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/third_party/luajit/luajit/src/lj_debug.c b/third_party/luajit/luajit/src/lj_debug.c
+index 959dc28..11fe3f1 100644
+--- a/third_party/luajit/luajit/src/lj_debug.c
++++ b/third_party/luajit/luajit/src/lj_debug.c
+@@ -63,6 +63,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
+     if (cf == NULL || (char *)cframe_pc(cf) == (char *)cframe_L(cf))
+       return NO_BCPOS;
+     ins = cframe_pc(cf);  /* Only happens during error/hook handling. */
++    if (!ins) return NO_BCPOS;
+   } else {
+     if (frame_islua(nextframe)) {
+       ins = frame_pc(nextframe);
+-- 
+2.45.3
+

SPECS/sysbench/sysbench.spec

@@ -1,12 +1,14 @@
 Summary:        Scriptable database and system performance benchmark
 Name:           sysbench
 Version:        1.0.20
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2+
 Group:          Applications/System
 URL:            https://github.com/akopytov/sysbench/
 Source0:        https://github.com/akopytov/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
 Patch0:         enable-python3.patch
+Patch1:         CVE-2024-25178.patch
+Patch2:         CVE-2024-25176.patch
 BuildRequires:  automake
 BuildRequires:  libaio-devel
 BuildRequires:  libtool
@@ -59,6 +61,9 @@ rm -f %{buildroot}%{_docdir}/sysbench/manual.html
 %{_datadir}/%{name}
 
 %changelog
+* Thu Jul 17 2025 Azure Linux Security Servicing Account <[email protected]> - 1.0.20-3
+- Patch for CVE-2024-25178, CVE-2024-25176
+
 * Wed Jul 27 2022 Sean Dougherty <[email protected]> - 1.0.20-2
 - Added patch 'enable-python3' to fix issue with running tests on Python3.