Summary: | <dev-lang/lua-5.4.6: heap buffer overflow in recursive errors | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | minor | CC: | robbat2, t, williamh |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://lua-users.org/lists/lua-l/2022-05/msg00035.html | ||
Whiteboard: | B3 [glsa? cleanup] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 914335 | ||
Bug Blocks: |
Description
John Helmert III
AFAICT the fix is included in releases 5.4.5 and 5.4.6.

(In reply to Thomas Bracht Laumann Jespersen from comment #1)
> AFAICT the fix is included in releases 5.4.5 and 5.4.6.

Where are the patches?

It should be the patch mentioned in comment 0. github indicates that it's included in 5.4.5 and 5.4.6. Unless I'm misunderstanding, and the linked patch is the one introducing the vuln.

Ah, indeed you're right, I hadn't noticed the patch had made it into a release, sorry!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66baf9c626901c7195a3f6e136e60dd1a562ea4d

commit 66baf9c626901c7195a3f6e136e60dd1a562ea4d
Author: David Seifert <soap@gentoo.org>
AuthorDate: 2023-07-16 10:32:22 +0000
Commit: David Seifert <soap@gentoo.org>
CommitDate: 2023-07-16 10:32:22 +0000

    dev-lang/lua: add 5.4.6

    Bug: https://bugs.gentoo.org/856463
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-lang/lua/Manifest | 1 +
 dev-lang/lua/lua-5.4.6.ebuild | 50 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)

Hm, presumably the older branches are affected too, though?