[AUTO-CHERRYPICK] [Medium] patch ntopng to fix CVE-2021-44647 and CVE…

…-2021-43519 - branch 3.0-dev (#12332)

Co-authored-by: jykanase <v-jykanase@microsoft.com>

SPECS/ntopng/CVE-2021-43519.patch

@@ -0,0 +1,39 @@
+From e4eacd26f6a534e2128d513469217889283d8b7d Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Thu, 6 Feb 2025 11:25:29 +0000
+Subject: [PATCH] CVE-2021-43519
+
+---
+ third-party/lua-5.4.3/src/ldo.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/third-party/lua-5.4.3/src/ldo.c b/third-party/lua-5.4.3/src/ldo.c
+index d81e731..fc5a167 100644
+--- a/third-party/lua-5.4.3/src/ldo.c
++++ b/third-party/lua-5.4.3/src/ldo.c
+@@ -728,11 +728,10 @@ static void resume (lua_State *L, void *ud) {
+   StkId firstArg = L->top - n;  /* first argument */
+   CallInfo *ci = L->ci;
+   if (L->status == LUA_OK)  /* starting a coroutine? */
+-    ccall(L, firstArg - 1, LUA_MULTRET, 1);  /* just call its body */
++    ccall(L, firstArg - 1, LUA_MULTRET, 0);  /* just call its body */
+   else {  /* resuming from previous yield */
+     lua_assert(L->status == LUA_YIELD);
+     L->status = LUA_OK;  /* mark that it is running (again) */
+-    luaE_incCstack(L);  /* control the C stack */
+     if (isLua(ci)) {  /* yielded inside a hook? */
+       L->top = firstArg;  /* discard arguments */
+       luaV_execute(L, ci);  /* just continue running Lua code */
+@@ -783,6 +782,9 @@ LUA_API int lua_resume (lua_State *L, lua_State *from, int nargs,
+   else if (L->status != LUA_YIELD)  /* ended with errors? */
+     return resume_error(L, "cannot resume dead coroutine", nargs);
+   L->nCcalls = (from) ? getCcalls(from) : 0;
++  if (getCcalls(L) >= LUAI_MAXCCALLS)
++    return resume_error(L, "C stack overflow", nargs);
++  L->nCcalls++;
+   luai_userstateresume(L, nargs);
+   api_checknelems(L, (L->status == LUA_OK) ? nargs + 1 : nargs);
+   status = luaD_rawrunprotected(L, resume, &nargs);
+-- 
+2.45.2
+

SPECS/ntopng/CVE-2021-44647.patch

@@ -0,0 +1,25 @@
+From 4c1a24d4494156007879399032bfe551d78c1932 Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Thu, 6 Feb 2025 07:11:57 +0000
+Subject: [PATCH] CVE-2021-44647
+
+Source Link: https://github.com/lua/lua/commit/1de95e97ef65632a88e08b6184bd9d1ceba7ec2f
+---
+ third-party/lua-5.4.3/src/lstate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/third-party/lua-5.4.3/src/lstate.c b/third-party/lua-5.4.3/src/lstate.c
+index c5e3b43..38da773 100644
+--- a/third-party/lua-5.4.3/src/lstate.c
++++ b/third-party/lua-5.4.3/src/lstate.c
+@@ -271,6 +271,7 @@ static void close_state (lua_State *L) {
+   if (!completestate(g))  /* closing a partially built state? */
+     luaC_freeallobjects(L);  /* jucst collect its objects */
+   else {  /* closing a fully built state */
++    L->ci = &L->base_ci;  /* unwind CallInfo list */
+     luaD_closeprotected(L, 1, LUA_OK);  /* close all upvalues */
+     luaC_freeallobjects(L);  /* collect all objects */
+     luai_userstateclose(L);
+-- 
+2.45.2
+

SPECS/ntopng/ntopng.spec

@@ -2,7 +2,7 @@
 Summary:        Web-based Network Traffic Monitoring Application
 Name:           ntopng
 Version:        5.2.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        GPLv3
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -16,6 +16,8 @@ Patch1:         CVE-2021-45985.patch
 Patch2:         CVE-2022-28805.patch
 Patch3:         CVE-2017-18214.patch
 Patch4:         CVE-2022-33099.patch
+Patch5:         CVE-2021-44647.patch
+Patch6:         CVE-2021-43519.patch
 BuildRequires:  curl-devel
 BuildRequires:  gcc
 BuildRequires:  glib-devel
@@ -65,6 +67,9 @@ mv nDPI-%{nDPIver} nDPI
 %{_datadir}/ntopng/*
 
 %changelog
+* Thu Feb 06 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 5.2.1-5
+- Patch to fix CVE-2021-44647 and CVE-2021-43519.
+
 * Mon Jul 08 2024 Andrew Phelps <anphel@microsoft.com> - 5.2.1-4
 - Add patches for CVE-2017-18214 and CVE-2022-33099