DescriptionLua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lua5.1 (PTS)bullseye, sid, buster, stretch5.1.5-8.1undetermined
lua5.2 (PTS)bullseye, sid, buster, stretch5.2.4-1.1undetermined
lua5.3 (PTS)stretch5.3.3-1undetermined
stretch (security)5.3.3-1+deb9u1undetermined
bullseye, sid, buster5.3.3-1.1undetermined
lua5.4 (PTS)bullseye, sid5.4.2-2fixed
lua50 (PTS)buster, stretch5.0.3-8undetermined
bullseye, sid5.0.3-8.1undetermined

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Notes (v5.4.1)
check 5.3, 5.2, 5.1 and 5.0 lua versions, different code but might be affected in similar way on updating oldpc value

Search for package or bug name: Reporting problems