[pkg-lua-devel] Bug#1014935: Bug#1014935: lua5.4: CVE-2022-33099

Sergei Golovan sgolovan at gmail.com
Sun Jul 17 13:01:40 BST 2022


Hi Salvatore,

On Thu, Jul 14, 2022 at 11:06 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
>
> The following vulnerability was published for lua5.4.
>
> CVE-2022-33099[0]:
> | An issue in the component luaG_runerror of Lua v5.4.4 and below leads
> | to a heap-buffer overflow when a recursive error occurs.
>
> Btw, I'm right now not sure about older lua versions. While the patch
> in principle, I think, applies, I'm unsure if the issue was introduced in
> 5.4 only. Can you double check so we can update the tracker
> accordingly?

I confirm that the bug is present only in lua5.4, both in stable
(5.4.2) and unstable/testing (5.4.4). lua5.3, lua5.2, lua5.1 are not
vulnerable.

I'll apply the upstream patch to unstable shortly. If you think it's
worth a patch in stable, I could prepare it as well.

Cheers!
-- 
Sergei Golovan
