Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 837521 (CVE-2022-28805)

Summary: <dev-lang/lua-5.4.4-r103: heap buffer overread
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: robbat2, williamh
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/27423
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 17:34:45 UTC 
CVE-2022-28805 (https://lua-users.org/lists/lua-l/2022-02/msg00001.html):

singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.

Patch: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
Comment 1 Larry the Git Cow gentoo-dev 2022-09-26 15:43:46 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fb0d3e7e9eafdd19a6931dce5948016ddc351e0

commit 4fb0d3e7e9eafdd19a6931dce5948016ddc351e0
Author:     Federico Denkena <federico.denkena@posteo.de>
AuthorDate: 2022-09-26 15:43:34 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2022-09-26 15:43:34 +0000

    dev-lang/lua: Fix for CVE-2022-28805
    
    This commit fixes CVE-2022-28805 (patch from upstream, slightly modified
    due to changed file paths in gentoo).
    
    Closes: https://github.com/gentoo/gentoo/pull/27423
    Bug: https://bugs.gentoo.org/837521
    Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
    Signed-off-by: David Seifert <soap@gentoo.org>

 .../lua/files/lua-5.4.4-lparser-overread.patch     | 34 ++++++++++++++++++++++
 ...lua-5.4.4-r102.ebuild => lua-5.4.4-r103.ebuild} |  4 +++
 2 files changed, 38 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 18:00:10 UTC 
Does this affect the other branches?
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 02:47:28 UTC 
I suppose we'll treat this as affecting only 5.4.x.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:02:50 UTC 
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2023-05-03 10:33:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9481b5e54d9a028a3f651d96ca46efd05ac1b3a6

commit 9481b5e54d9a028a3f651d96ca46efd05ac1b3a6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 10:32:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 10:33:45 +0000

    [ GLSA 202305-23 ] Lua: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/520480
    Bug: https://bugs.gentoo.org/831053
    Bug: https://bugs.gentoo.org/837521
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-23.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)