[Debian] High CVE: CVE-2019-6706/CVE-2020-24370 lua5.3: multiple CVEs

Bug #2038884 reported by Yue Tao
Affects | Status | Importance | Assigned to | Milestone
StarlingX | Triaged | High | Unassigned |

Bug Description

CVE-2019-6706: https://nvd.nist.gov/vuln/detail/CVE-2019-6706

Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.

CVE-2020-24370: https://nvd.nist.gov/vuln/detail/CVE-2020-24370

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).

Base Score: High

Reference:

['liblua5.3-0_5.3.3-1.1_amd64.deb===>liblua5.3-0_5.3.3-1.1+deb11u1_amd64.deb']
