CVE-2019-19391

Name: CVE-2019-19391
Description: ** DISPUTED ** In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled. NOTE: The LuaJIT project owner states that the debug library is unsafe by definition and that this is not a vulnerability. When LuaJIT was originally developed, the expectation was that the entire debug library had no security guarantees and thus it made no sense to assign CVEs. However, not all users of later LuaJIT derivatives share this perspective.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 946053

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                 Version                 Status
luajit (PTS)     jessie                  2.0.3+dfsg-3            vulnerable
                 stretch                 2.0.4+dfsg-1            vulnerable
                 bullseye, sid, buster   2.1.0~beta3+dfsg-5.1    vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency       Origin   Debian Bugs
luajit    source   (unstable)   (unfixed)       unimportant            946053

Notes

https://github.com/LuaJIT/LuaJIT/pull/526
Negligible security impact. The debug library is unsafe per se and one is
not supposed to release an application with the debug library.
