Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 835340 (CVE-2021-44964) - dev-lang/lua: UAF leading to sandbox escape
Summary: dev-lang/lua: UAF leading to sandbox escape
Status: CONFIRMED
Alias: CVE-2021-44964
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/Lua-Project/lua-5....
Whiteboard: B2 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-15 15:36 UTC by John Helmert III
Modified: 2022-10-14 02:45 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-15 15:36:32 UTC
CVE-2021-44964:

Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.

http://lua-users.org/lists/lua-l/2021-11/msg00186.html
http://lua-users.org/lists/lua-l/2021-12/msg00007.html
http://lua-users.org/lists/lua-l/2021-12/msg00015.html
http://lua-users.org/lists/lua-l/2021-12/msg00030.html

Can't tell if any patch exists or if one has made it into any release.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 02:45:21 UTC
Bunch of discussion about a patch, but none seems to have made it into lua.git