Bug 831053 (CVE-2021-44647) - <dev-lang/lua-5.4.4: Local DoS in Lua 5.4.4 and 5.4.2 (CVE-2021-44647)
Status: RESOLVED FIXED
Alias: CVE-2021-44647
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: B3 [glsa+]
Reported: 2022-01-12 07:40 UTC by filip ambroz
Modified: 2023-05-03 11:17 UTC
Description filip ambroz 2022-01-12 07:40:40 UTC
Lua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service (CVE-2021-44647)

URLs:
http://lua-users.org/lists/lua-l/2021-11/msg00195.html
http://lua-users.org/lists/lua-l/2021-11/msg00204.html
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-12 21:04:42 UTC
(In reply to filip ambroz from comment #0)
> Lua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in
> funcnamefromcode function in ldebug.c which can cause a local denial of
> service (CVE-2021-44647)
> 
> URLs:
> http://lua-users.org/lists/lua-l/2021-11/msg00195.html

Patch:

> http://lua-users.org/lists/lua-l/2021-11/msg00204.html
Comment 2 Larry the Git Cow gentoo-dev 2022-02-14 04:42:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=919af65cd6e25616f2a435062cf0399669e18212

commit 919af65cd6e25616f2a435062cf0399669e18212
Author:     Ahmed Charles <me@ahmedcharles.com>
AuthorDate: 2022-02-14 04:39:27 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-02-14 04:42:13 +0000

    dev-lang/lua: 5.4.4 bump
    
    Bug: https://bugs.gentoo.org/831053
    Closes: #24027
    Signed-off-by: Ahmed Charles <me@ahmedcharles.com>
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/lua/Manifest         |   2 +
 dev-lang/lua/lua-5.4.4.ebuild | 203 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 205 insertions(+)
Comment 3 William Hubbs gentoo-dev 2022-02-14 04:43:12 UTC
It looks to me like the linked patch is in 5.4.4.

Thanks,

William
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 02:36:56 UTC
I can't reproduce on earlier branches, so I guess it doesn't affect them.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:02:40 UTC
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2023-05-03 10:33:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9481b5e54d9a028a3f651d96ca46efd05ac1b3a6

commit 9481b5e54d9a028a3f651d96ca46efd05ac1b3a6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 10:32:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 10:33:45 +0000

    [ GLSA 202305-23 ] Lua: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/520480
    Bug: https://bugs.gentoo.org/831053
    Bug: https://bugs.gentoo.org/837521
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-23.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)