Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 737912 (CVE-2020-24372) - <dev-lang/luajit-2.1.0_beta3_p20220127: Out of bounds read vulnerability (CVE-2020-24372)
Summary: <dev-lang/luajit-2.1.0_beta3_p20220127: Out of bounds read vulnerability (CVE...
Status: RESOLVED FIXED
Alias: CVE-2020-24372
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/LuaJIT/LuaJIT/issu...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-18 15:55 UTC by John Helmert III
Modified: 2022-08-14 23:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-18 15:55:39 UTC 
CVE-2020-24372:

LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_run in lj_err.c.

Looks like a pair of patches fix this, according to the issue:

https://github.com/LuaJIT/LuaJIT/commit/12ab596997b9cb27846a5b254d11230c3f9c50c8
https://github.com/LuaJIT/LuaJIT/commit/e296f56b825c688c3530a981dc6b495d972f3d01


Maintainer, please apply these patches or advise if they are not sufficient.
Comment 1 Rafael Martins (RETIRED) gentoo-dev 2020-08-18 19:49:02 UTC 
patches require some backport work, will apply them asap
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 16:41:34 UTC 
ping
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 23:29:50 UTC 
Patches made their way into our releases a while ago, once beta3 snapshots were added. This is only an OOB read, in a language interpreter, so no GLSA. All done!