[AUTO-CHERRYPICK] [AutoPR- Security] Patch luajit for CVE-2024-25178, CVE-2024-25176 [HIGH] - branch main (microsoft#14347)

CBL-Mariner-Bot · azurelinux-security · web-flow · commit acf7ffc438e4 · 2025-07-21T15:43:03.000-04:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
diff --git a/SPECS/luajit/CVE-2024-25176.patch b/SPECS/luajit/CVE-2024-25176.patch
@@ -0,0 +1,28 @@
+From 89b607c36aeccb3ed78f6c509747b255f3441cd7 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <azurelinux-security@microsoft.com>
+Date: Thu, 17 Jul 2025 08:57:04 +0000
+Subject: [PATCH] Fix CVE CVE-2024-25176 in luajit
+
+Upstream Patch Reference: https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc.patch
+---
+ src/lj_strfmt_num.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
+index 9271f68..1d4fc7c 100644
+--- a/src/lj_strfmt_num.c
++++ b/src/lj_strfmt_num.c
+@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
+ 	    prec--;
+ 	    if (!i) {
+ 	      if (ndlo == ndhi) { prec = 0; break; }
+-	      lj_strfmt_wuint9(tail, nd[++ndlo]);
++	      ndlo = (ndlo + 1) & 0x3f;
++	      lj_strfmt_wuint9(tail, nd[ndlo]);
+ 	      i = 9;
+ 	    }
+ 	  }
+-- 
+2.45.3
+
diff --git a/SPECS/luajit/CVE-2024-25178.patch b/SPECS/luajit/CVE-2024-25178.patch
@@ -0,0 +1,26 @@
+From 830d971585c64132da43f722e563d1557f94eb9b Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <azurelinux-security@microsoft.com>
+Date: Thu, 17 Jul 2025 08:57:12 +0000
+Subject: [PATCH] Fix CVE CVE-2024-25178 in luajit
+
+Upstream Patch Reference: https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8.patch
+---
+ src/lj_debug.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lj_debug.c b/src/lj_debug.c
+index 959dc28..11fe3f1 100644
+--- a/src/lj_debug.c
++++ b/src/lj_debug.c
+@@ -63,6 +63,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
+     if (cf == NULL || (char *)cframe_pc(cf) == (char *)cframe_L(cf))
+       return NO_BCPOS;
+     ins = cframe_pc(cf);  /* Only happens during error/hook handling. */
++    if (!ins) return NO_BCPOS;
+   } else {
+     if (frame_islua(nextframe)) {
+       ins = frame_pc(nextframe);
+-- 
+2.45.3
+
diff --git a/SPECS/luajit/luajit.spec b/SPECS/luajit/luajit.spec
@@ -5,7 +5,7 @@ Name:           luajit
 Version:        2.1.0
 %global apiver %(v=%{version}; echo ${v%.${v#[0-9].[0-9].}})
 %global srcver %{version}%{?rctag:-%{rctag}}
-Release:        26%{?dist}
+Release:        27%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -19,6 +19,8 @@ Patch0: luajit-2.1-update.patch
 # Patches from https://github.com/cryptomilk/LuaJIT/commits/v2.1-fedora
 # git format-patch --stdout -l1 --no-renames v2.1..v2.1-fedora > luajit-2.1-fedora.patch
 Patch1: luajit-2.1-fedora.patch
+Patch2:         CVE-2024-25178.patch
+Patch3:         CVE-2024-25176.patch
 
 BuildRequires:  gcc
 BuildRequires:  make
@@ -94,6 +96,9 @@ make check || true
 %{_libdir}/pkgconfig/%{name}.pc
 
 %changelog
+* Thu Jul 17 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.1.0-27
+- Patch for CVE-2024-25178, CVE-2024-25176
+
 * Fri Jan 27 2023 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 2.1.0-26
 - Initial CBL-Mariner import from Fedora 38 (license: MIT).
 - Verified license.
