Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a
crash outcome might be achieved by an attacker who is able to trigger a
debug.upvaluejoin call in which the arguments have certain relationships.
Ubuntu have applied this patch: https://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10.1.diff.gz (viewable in browser)
Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.
Lua through 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.
"Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function."
(In reply to John Helmert III (ajak) from comment #2)
> Lua through 5.4.0 mishandles the interaction between stack resizes and
> garbage collection, leading to a heap-based buffer overflow, heap-based
> buffer over-read, or use-after-free.
> Lua through 5.4.0 has a getobjname heap-based buffer over-read because
> youngcollection in lgc.c uses markold for an insufficient number of list
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.
ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.
ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.
1. Lua 5.4 is not yet packaged in Gentoo, CVEs that affect only 5.4 (and not older series) don't impact us.
2. Upstream does not make further point releases in old series, making this harder to roll quickly
Since 5.4.0 does not exist in tree anymore, does this still apply to 5.4.2?