DescriptionLua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs920321

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lua5.1 (PTS)buster, bullseye5.1.5-8.1fixed
trixie, sid, bookworm5.1.5-9fixed
lua5.2 (PTS)buster, bullseye5.2.4-1.1fixed
trixie, sid, bookworm5.2.4-3fixed
lua5.3 (PTS)buster, bullseye5.3.3-1.1vulnerable
buster (security)5.3.3-1.1+deb10u1fixed
trixie, sid, bookworm5.3.6-2fixed
lua50 (PTS)buster5.0.3-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lua5.1source(unstable)(not affected)
lua5.2source(unstable)(not affected)
lua50source(unstable)(not affected)


[bullseye] - lua5.3 <postponed> (Minor issue, revisit when fixed upstream)
- lua5.2 <not-affected> (Vulnerable code introduced later)
- lua5.1 <not-affected> (Vulnerable code introduced later)
- lua50 <not-affected> (Vulnerable code introduced later)
lua50 and lua5.1 don't have the affected code.
lua5.2 is not vulnerable as it doesn't free the value before using it. (v5.3.6)

Search for package or bug name: Reporting problems