CVE-2019-6706 (https://nvd.nist.gov/vuln/detail/CVE-2019-6706): Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.

----

Ubuntu have applied this patch: https://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10.1.diff.gz (viewable in browser)
ping
CVE-2020-15889: Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.

CVE-2020-15888: Lua through 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.
* CVE-2020-15945 "Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function." http://lua-users.org/lists/lua-l/2020-07/msg00123.html https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3
(In reply to John Helmert III (ajak) from comment #2)
> CVE-2020-15889:
>
> Lua through 5.4.0 mishandles the interaction between stack resizes and
> garbage collection, leading to a heap-based buffer overflow, heap-based
> buffer over-read, or use-after-free.

Patch: https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312

> CVE-2020-15888:
>
> Lua through 5.4.0 has a getobjname heap-based buffer over-read because
> youngcollection in lgc.c uses markold for an insufficient number of list
> members.

Patches:
https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5

CVE-2020-24342: Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.

Patch: https://github.com/lua/lua/commit/34affe7a63fc5d842580a9f23616d057e17dfe27
CVE-2020-24369: ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.

Patch: https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a

CVE-2020-24370: ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).

Patch: https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b

CVE-2020-24371: lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.

Patch: https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110
sam:

1. Lua 5.4 is not yet packaged in Gentoo, so CVEs that affect only 5.4 (and not older series) don't impact us.

2. Upstream does not make further point releases in old series, making this harder to roll quickly.