CVE-2014-5461

Name: CVE-2014-5461
Description: Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-47-1, DSA-3015-1, DSA-3016-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                   | Version        | Status
lua5.1 (PTS)   | wheezy, wheezy (security) | 5.1.5-4+deb7u1 | fixed
lua5.1 (PTS)   | jessie                    | 5.1.5-7.1      | fixed
lua5.1 (PTS)   | buster, sid, stretch      | 5.1.5-8.1      | fixed
lua5.2 (PTS)   | wheezy, wheezy (security) | 5.2.1-3+deb7u1 | fixed
lua5.2 (PTS)   | jessie                    | 5.2.3-1.1      | fixed
lua5.2 (PTS)   | buster, sid, stretch      | 5.2.4-1.1      | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin     | Debian Bugs
lua5.1  | source | (unstable) | 5.1.5-7        | medium  |            |
lua5.1  | source | squeeze    | 5.1.4-5+deb6u1 | medium  | DLA-47-1   |
lua5.1  | source | wheezy     | 5.1.5-4+deb7u1 | medium  | DSA-3015-1 |
lua5.2  | source | (unstable) | 5.2.3-1        | medium  |            |
lua5.2  | source | wheezy     | 5.2.1-3+deb7u1 | medium  | DSA-3016-1 |

Notes

Upstream bug entry: http://www.lua.org/bugs.html#5.2.2-1
Fixed upstream in Lua 5.2.3; see https://bugzilla.redhat.com/show_bug.cgi?id=1132304#c7
