CVE-2022-28805 (https://lua-users.org/lists/lua-l/2022-02/msg00001.html): singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code. Patch: https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
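Since the advisory pins the defect to one missing call in one function, a quick way to tell a patched lparser.c from an unpatched one (useful when auditing a vendored or bundled Lua rather than a distro package) is to look for luaK_exp2anyregup() inside singlevar() only. The script below is an added example written for this bug page, not code from upstream Lua or from the Gentoo ebuild; the two lparser.c excerpts it creates are constructed stand-ins that mimic the shape of the function before and after the fix, not copies of the real file. It scopes the search to singlevar() on purpose: lparser.c already calls luaK_exp2anyregup() from other functions (fieldsel() is one), so a file-wide grep reports every version as patched.

```shell
#!/bin/sh
# Added check for CVE-2022-28805 (not from the Gentoo bug or upstream Lua).
# Assumptions: the function is spelled "static void singlevar (" and ends with
# a "}" in column 0, which is how upstream lparser.c is laid out in 5.4.x.

# Print "patched", "vulnerable" or "unknown" for the lparser.c given as $1.
lparser_status() {
    file=$1
    # Extract only the body of singlevar(); other functions in lparser.c
    # legitimately call luaK_exp2anyregup, so a file-wide grep is useless here.
    body=$(awk '
        /^static void singlevar \(/ { inside = 1 }
        inside { print }
        inside && /^}/ { exit }
    ' "$file")
    if [ -z "$body" ]; then
        echo "unknown"      # no singlevar(): not a Lua 5.4 lparser.c
    elif printf '%s\n' "$body" | grep -q 'luaK_exp2anyregup'; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample files (simplified, not the upstream source). Both carry
# a fieldsel() that calls luaK_exp2anyregup, which is what defeats a naive grep.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/lparser-old.c" <<'EOF'
static void singlevar (LexState *ls, expdesc *var) {
  TString *varname = str_checkname(ls);
  FuncState *fs = ls->fs;
  singlevaraux(fs, varname, var, 1);
  if (var->k == VVOID) {  /* global name? */
    expdesc key;
    singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
    codestring(&key, varname);  /* key is variable name */
    luaK_indexed(fs, var, &key);  /* env.varname */
  }
}

static void fieldsel (LexState *ls, expdesc *v) {
  FuncState *fs = ls->fs;
  expdesc key;
  luaK_exp2anyregup(fs, v);
  luaX_next(ls);
  codename(ls, &key);
  luaK_indexed(fs, v, &key);
}
EOF

# Same file with the one-line fix: the environment expression is forced into
# a register or upvalue before being indexed, because _ENV may be a constant.
awk '
  /codestring\(&key, varname\);/ && !done {
    print "    luaK_exp2anyregup(fs, var);  /* but could be a constant */"
    done = 1
  }
  { print }
' "$tmpdir/lparser-old.c" > "$tmpdir/lparser-new.c"

# A file that is not lparser.c at all.
printf 'int main(void) { return 0; }\n' > "$tmpdir/other.c"

for f in lparser-old.c lparser-new.c other.c; do
    printf '%-14s %s\n' "$f" "$(lparser_status "$tmpdir/$f")"
done
```

Run it against a real tree with `lparser_status /path/to/lua/src/lparser.c`; a naive `grep -c luaK_exp2anyregup lparser.c` on the two constructed files returns the same count for both, which is why the function scopes its search.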
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fb0d3e7e9eafdd19a6931dce5948016ddc351e0

commit 4fb0d3e7e9eafdd19a6931dce5948016ddc351e0
Author:     Federico Denkena <federico.denkena@posteo.de>
AuthorDate: 2022-09-26 15:43:34 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2022-09-26 15:43:34 +0000

    dev-lang/lua: Fix for CVE-2022-28805

    This commit fixes CVE-2022-28805 (patch from upstream, slightly modified
    due to changed file paths in gentoo).

    Closes: https://github.com/gentoo/gentoo/pull/27423
    Bug: https://bugs.gentoo.org/837521
    Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
    Signed-off-by: David Seifert <soap@gentoo.org>

 .../lua/files/lua-5.4.4-lparser-overread.patch     | 34 ++++++++++++++++++++++
 ...lua-5.4.4-r102.ebuild => lua-5.4.4-r103.ebuild} |  4 +++
 2 files changed, 38 insertions(+)
Does this affect the other branches?
I suppose we'll treat this as affecting only 5.4.x.
GLSA request filed
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=9481b5e54d9a028a3f651d96ca46efd05ac1b3a6

commit 9481b5e54d9a028a3f651d96ca46efd05ac1b3a6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 10:32:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 10:33:45 +0000

    [ GLSA 202305-23 ] Lua: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/520480
    Bug: https://bugs.gentoo.org/831053
    Bug: https://bugs.gentoo.org/837521
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-23.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)