CVE-2014-5461

NameCVE-2014-5461
DescriptionBuffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-47-1, DSA-3015-1, DSA-3016-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lua5.1 (PTS)buster, bullseye5.1.5-8.1fixed
bookworm, sid, trixie5.1.5-9fixed
lua5.2 (PTS)buster, bullseye5.2.4-1.1fixed
bookworm, sid, trixie5.2.4-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lua5.1sourcesqueeze5.1.4-5+deb6u1DLA-47-1
lua5.1sourcewheezy5.1.5-4+deb7u1DSA-3015-1
lua5.1source(unstable)5.1.5-7
lua5.2sourcewheezy5.2.1-3+deb7u1DSA-3016-1
lua5.2source(unstable)5.2.3-1

Notes

http://www.lua.org/bugs.html#5.2.2-1
fixed in 5.2.3, see https://bugzilla.redhat.com/show_bug.cgi?id=1132304#c7

Search for package or bug name: Reporting problems