CVE-2019-19391

NameCVE-2019-19391
DescriptionIn LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled. NOTE: The LuaJIT project owner states that the debug libary is unsafe by definition and that this is not a vulnerability. When LuaJIT was originally developed, the expectation was that the entire debug library had no security guarantees and thus it made no sense to assign CVEs. However, not all users of later LuaJIT derivatives share this perspective
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs946053

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
luajit (PTS)buster2.1.0~beta3+dfsg-5.1vulnerable
bullseye2.1.0~beta3+dfsg-5.3vulnerable
bookworm2.1.0~beta3+git20220320+dfsg-4.1fixed
sid, trixie2.1.0+openresty20231117-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
luajitsource(unstable)2.1.0~beta3+git20210112+dfsg-2unimportant946053

Notes

https://github.com/LuaJIT/LuaJIT/pull/526
Negligible security impact. The debug library is unsafe per se and one is
not supposed to release an application with the debug library.
Search for package or bug name: Reporting problems