Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 837521 (CVE-2022-28805) - <dev-lang/lua-5.4.4-r103: heap buffer overread
Summary: <dev-lang/lua-5.4.4-r103: heap buffer overread
Status: IN_PROGRESS
Alias: CVE-2022-28805
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-04-09 17:34 UTC by John Helmert III
Modified: 2022-10-14 03:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 17:34:45 UTC
CVE-2022-28805 (https://lua-users.org/lists/lua-l/2022-02/msg00001.html):

singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.

Patch: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
Comment 1 Larry the Git Cow gentoo-dev 2022-09-26 15:43:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fb0d3e7e9eafdd19a6931dce5948016ddc351e0

commit 4fb0d3e7e9eafdd19a6931dce5948016ddc351e0
Author:     Federico Denkena <federico.denkena@posteo.de>
AuthorDate: 2022-09-26 15:43:34 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2022-09-26 15:43:34 +0000

    dev-lang/lua: Fix for CVE-2022-28805
    
    This commit fixes CVE-2022-28805 (patch from upstream, slightly modified
    due to changed file paths in gentoo).
    
    Closes: https://github.com/gentoo/gentoo/pull/27423
    Bug: https://bugs.gentoo.org/837521
    Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
    Signed-off-by: David Seifert <soap@gentoo.org>

 .../lua/files/lua-5.4.4-lparser-overread.patch     | 34 ++++++++++++++++++++++
 ...lua-5.4.4-r102.ebuild => lua-5.4.4-r103.ebuild} |  4 +++
 2 files changed, 38 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 18:00:10 UTC
Does this affect the other branches?
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 02:47:28 UTC
I suppose we'll treat this as affecting only 5.4.x.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:02:50 UTC
GLSA request filed