CVE-2020-15890

NameCVE-2020-15890
DescriptionLuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2296-1
Debian Bugs966148

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
luajit (PTS)buster2.1.0~beta3+dfsg-5.1vulnerable
bullseye2.1.0~beta3+dfsg-5.3vulnerable
bookworm2.1.0~beta3+git20220320+dfsg-4.1fixed
sid, trixie2.1.0+git20231223.c525bcb+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
luajitsourcestretch2.0.4+dfsg-1+deb9u1DLA-2296-1
luajitsource(unstable)2.1.0~beta3+git20210112+dfsg-2unimportant966148

Notes

https://github.com/LuaJIT/LuaJIT/issues/601
https://github.com/LuaJIT/LuaJIT/commit/53f82e6e2e858a0a62fd1a2ff47e9866693382e6
No security impact, only "exploitable" with untrusted Lua code

Search for package or bug name: Reporting problems