[AUTO-CHERRYPICK] [AutoPR- Security] Patch sysbench for CVE-2024-25178, CVE-2024-25176 [HIGH] - branch 3.0-dev (microsoft#14339)

Co-authored-by: Azure Linux Security Servicing Account <[email protected]>

Author: CBL-Mariner-Bot

SPECS/sysbench/CVE-2024-25176.patch

@@ -0,0 +1,28 @@
+From 6d48b3888b46553d021d3d43e5cbbd86a5fa0a94 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 17 Jul 2025 08:42:39 +0000
+Subject: [PATCH] Fix CVE CVE-2024-25176 in sysbench
+
+Upstream Patch Reference: https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc.patch
+---
+ third_party/luajit/luajit/src/lj_strfmt_num.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/third_party/luajit/luajit/src/lj_strfmt_num.c b/third_party/luajit/luajit/src/lj_strfmt_num.c
+index 9271f68..1d4fc7c 100644
+--- a/third_party/luajit/luajit/src/lj_strfmt_num.c
++++ b/third_party/luajit/luajit/src/lj_strfmt_num.c
+@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
+ 	    prec--;
+ 	    if (!i) {
+ 	      if (ndlo == ndhi) { prec = 0; break; }
+-	      lj_strfmt_wuint9(tail, nd[++ndlo]);
++	      ndlo = (ndlo + 1) & 0x3f;
++	      lj_strfmt_wuint9(tail, nd[ndlo]);
+ 	      i = 9;
+ 	    }
+ 	  }
+-- 
+2.45.3
+

SPECS/sysbench/CVE-2024-25178.patch

@@ -0,0 +1,26 @@
+From 9c8487d3b1aa90b6bd801bdda1b9843159088aaf Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 17 Jul 2025 08:42:47 +0000
+Subject: [PATCH] Fix CVE CVE-2024-25178 in sysbench
+
+Upstream Patch Reference: https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8.patch
+---
+ third_party/luajit/luajit/src/lj_debug.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/third_party/luajit/luajit/src/lj_debug.c b/third_party/luajit/luajit/src/lj_debug.c
+index 8319fa1..fc1f15a 100644
+--- a/third_party/luajit/luajit/src/lj_debug.c
++++ b/third_party/luajit/luajit/src/lj_debug.c
+@@ -63,6 +63,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
+     if (cf == NULL || (char *)cframe_pc(cf) == (char *)cframe_L(cf))
+       return NO_BCPOS;
+     ins = cframe_pc(cf);  /* Only happens during error/hook handling. */
++    if (!ins) return NO_BCPOS;
+   } else {
+     if (frame_islua(nextframe)) {
+       ins = frame_pc(nextframe);
+-- 
+2.45.3
+

SPECS/sysbench/sysbench.spec

@@ -1,7 +1,7 @@
 Summary:        Scriptable database and system performance benchmark
 Name:           sysbench
 Version:        1.0.20
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2+
 Group:          Applications/System
 URL:            https://github.com/akopytov/sysbench/
@@ -11,6 +11,8 @@ Source0:        https://github.com/akopytov/%{name}/archive/%{version}/%{name}-%
 Patch0:         enable-python3.patch
 Patch1:         CVE-2019-19391.patch
 Patch2:         sysbench-1.0.20-fix_deprecated_egrep_call.patch
+Patch3:         CVE-2024-25178.patch
+Patch4:         CVE-2024-25176.patch
 
 BuildRequires:  automake
 BuildRequires:  libaio-devel
@@ -64,6 +66,9 @@ rm -f %{buildroot}%{_docdir}/sysbench/manual.html
 %{_datadir}/%{name}
 
 %changelog
+* Thu Jul 17 2025 Azure Linux Security Servicing Account <[email protected]> - 1.0.20-6
+- Patch for CVE-2024-25178, CVE-2024-25176
+
 * Wed Apr 02 2025 Kanishk Bansal <[email protected]> - 1.0.20-5
 - Fix ptest by adding a patch to replace deprecated egrep with grep -E.