Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 837521 (CVE-2022-28805) - <dev-lang/lua-5.4.4-r103: heap buffer overread
Summary: <dev-lang/lua-5.4.4-r103: heap buffer overread
Status: RESOLVED FIXED
Alias: CVE-2022-28805
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa+]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-04-09 17:34 UTC by John Helmert III
Modified: 2023-05-03 11:17 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 17:34:45 UTC 
CVE-2022-28805 (https://lua-users.org/lists/lua-l/2022-02/msg00001.html):

singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.

Patch: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
Comment 1 Larry the Git Cow gentoo-dev 2022-09-26 15:43:46 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fb0d3e7e9eafdd19a6931dce5948016ddc351e0

commit 4fb0d3e7e9eafdd19a6931dce5948016ddc351e0
Author:     Federico Denkena <federico.denkena@posteo.de>
AuthorDate: 2022-09-26 15:43:34 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2022-09-26 15:43:34 +0000

    dev-lang/lua: Fix for CVE-2022-28805
    
    This commit fixes CVE-2022-28805 (patch from upstream, slightly modified
    due to changed file paths in gentoo).
    
    Closes: https://github.com/gentoo/gentoo/pull/27423
    Bug: https://bugs.gentoo.org/837521
    Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
    Signed-off-by: David Seifert <soap@gentoo.org>

 .../lua/files/lua-5.4.4-lparser-overread.patch     | 34 ++++++++++++++++++++++
 ...lua-5.4.4-r102.ebuild => lua-5.4.4-r103.ebuild} |  4 +++
 2 files changed, 38 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 18:00:10 UTC 
Does this affect the other branches?
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 02:47:28 UTC 
I suppose we'll treat this as affecting only 5.4.x.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:02:50 UTC 
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2023-05-03 10:33:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9481b5e54d9a028a3f651d96ca46efd05ac1b3a6

commit 9481b5e54d9a028a3f651d96ca46efd05ac1b3a6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 10:32:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 10:33:45 +0000

    [ GLSA 202305-23 ] Lua: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/520480
    Bug: https://bugs.gentoo.org/831053
    Bug: https://bugs.gentoo.org/837521
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-23.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)