[pkg-lua-devel] Bug#1014935: Bug#1014935: lua5.4: CVE-2022-33099

Salvatore Bonaccorso carnil at debian.org
Sun Jul 31 11:02:46 BST 2022


Control: found -1 5.4.2-2

Hi Sergei,

Sorry for the very late reply.

On Sun, Jul 17, 2022 at 03:01:40PM +0300, Sergei Golovan wrote:
> Hi Salvatore,
> 
> On Thu, Jul 14, 2022 at 11:06 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
> >
> > The following vulnerability was published for lua5.4.
> >
> > CVE-2022-33099[0]:
> > | An issue in the component luaG_runerror of Lua v5.4.4 and below leads
> > | to a heap-buffer overflow when a recursive error occurs.
> >
> > Btw, I'm right now not sure about older lua versions. While the patch
> > in principle I think applies, I'm unsure if the issue was introduced in
> > 5.4 only. Can you double check so we can update the tracker
> > accordingly?
> 
> I confirm that the bug is present only in lua5.4, both in stable
> (5.4.2) and unstable/testing (5.4.4). lua5.3, lua5.2, lua5.1 are not
> vulnerable.
> 
> I'll apply the upstream patch to unstable shortly. If you think it's
> worth a patch in stable, I could prepare it as well.

Thanks for the confirmation, Moritz updated the tracker information
earlier already.

The issue itself is marked no-dsa, not warranting a DSA on its own.
But if you have time available it would be great to see the open
lua5.4 issues affecting stable fixed, e.g. in the next bullseye
point release.

See
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
for some guidance, and https://security-team.debian.org/triage.html.

Regards,
Salvatore
