Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 831053 (CVE-2021-44647)

Summary: <dev-lang/lua-5.4.4: Local DoS in Lua 5.4.4 and 5.4.2 (CVE-2021-44647)
Product: Gentoo Security Reporter: filip ambroz <filip.ambroz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: robbat2, williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2021-44647
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---

Description filip ambroz 2022-01-12 07:40:40 UTC 
Lua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service (CVE-2021-44647)

URLs:
http://lua-users.org/lists/lua-l/2021-11/msg00195.html
http://lua-users.org/lists/lua-l/2021-11/msg00204.html
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-12 21:04:42 UTC 
(In reply to filip ambroz from comment #0)
> Lua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in
> funcnamefromcode function in ldebug.c which can cause a local denial of
> service (CVE-2021-44647)
> 
> URLs:
> http://lua-users.org/lists/lua-l/2021-11/msg00195.html

Patch:

> http://lua-users.org/lists/lua-l/2021-11/msg00204.html
Comment 2 Larry the Git Cow gentoo-dev 2022-02-14 04:42:25 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=919af65cd6e25616f2a435062cf0399669e18212

commit 919af65cd6e25616f2a435062cf0399669e18212
Author:     Ahmed Charles <me@ahmedcharles.com>
AuthorDate: 2022-02-14 04:39:27 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-02-14 04:42:13 +0000

    dev-lang/lua: 5.4.4 bump
    
    Bug: https://bugs.gentoo.org/831053
    Closes: #24027
    Signed-off-by: Ahmed Charles <me@ahmedcharles.com>
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/lua/Manifest         |   2 +
 dev-lang/lua/lua-5.4.4.ebuild | 203 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 205 insertions(+)
Comment 3 William Hubbs gentoo-dev 2022-02-14 04:43:12 UTC 
It looks to me like the linked patch is in 5.4.4.

Thanks,

William
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 02:36:56 UTC 
I can't reproduce on earlier branches, so I guess it doesn't affect them.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:02:40 UTC 
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2023-05-03 10:33:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9481b5e54d9a028a3f651d96ca46efd05ac1b3a6

commit 9481b5e54d9a028a3f651d96ca46efd05ac1b3a6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 10:32:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 10:33:45 +0000

    [ GLSA 202305-23 ] Lua: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/520480
    Bug: https://bugs.gentoo.org/831053
    Bug: https://bugs.gentoo.org/837521
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-23.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)