CVE-2022-33099 (https://lua-users.org/lists/lua-l/2022-05/msg00073.html): An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs. According to the upstream changelog at https://www.lua.org/bugs.html, this was introduced in 5.4.2. Patch on GitHub (which appears to not be in any tags): https://github.com/lua/lua/commit/42d40581dd919fb134c07027ca1ce0844c670daf
AFAICT the fix is included in releases 5.4.5 and 5.4.6.
(In reply to Thomas Bracht Laumann Jespersen from comment #1)
> AFAICT the fix is included in releases 5.4.5 and 5.4.6.

Where are the patches?
It should be the patch mentioned in comment 0. GitHub indicates that it's included in 5.4.5 and 5.4.6. Unless I'm misunderstanding, and the linked patch is the one introducing the vuln.
Ah, indeed you're right, I hadn't noticed the patch had made it into a release, sorry!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66baf9c626901c7195a3f6e136e60dd1a562ea4d

commit 66baf9c626901c7195a3f6e136e60dd1a562ea4d
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2023-07-16 10:32:22 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-07-16 10:32:22 +0000

    dev-lang/lua: add 5.4.6

    Bug: https://bugs.gentoo.org/856463
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-lang/lua/Manifest         |  1 +
 dev-lang/lua/lua-5.4.6.ebuild | 50 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
Hm, presumably the older branches are affected too, though?