[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-24371/lua5.3 as <not-affected>

[Roberto C. Sánchez]

Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker


Commits:
029b8925 by Roberto C. Sánchez at 2020-09-25T22:11:49-04:00
Mark CVE-2020-24371/lua5.3 as <not-affected>

This applies for both buster and stretch (same upstream release in
both).  The upstream bug page indicates that the bug exists since 5.4.0,
upstream backported the fix for CVE-2020-24370 to 5.3 but not the fix
for CVE-2020-24371, and the vulnerable code appears to have been
introduced by upstream commits e4287da3a6 and 1afd5a152d as part of
5.4.0 development.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3799,7 +3799,8 @@ CVE-2020-24372 (LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_r
 CVE-2020-24371 (lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the ...)
 	- lua5.4 <unfixed>
 	- lua5.3 <unfixed>
-	[buster] - lua5.3 <no-dsa> (Minor issue)
+	[buster] - lua5.3 <not-affected> (Vulnerable code not present)
+	[stretch] - lua5.3 <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110
 	NOTE: https://www.lua.org/bugs.html#5.4.0-9
 CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation faul ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/029b8925e964f7936da905ddece6bfaa070d83d8

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/029b8925e964f7936da905ddece6bfaa070d83d8
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200926/7830475c/attachment.html>