[Debian] High CVE: CVE-2019-6706/CVE-2020-24370 lua5.3: multiple CVEs

Bug #2038884 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Peng Zhang

Bug Description

CVE-2019-6706: https://nvd.nist.gov/vuln/detail/CVE-2019-6706

Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.

CVE-2020-24370: https://nvd.nist.gov/vuln/detail/CVE-2020-24370

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).

Base Score: High

Reference:

liblua5.3-0_5.3.3-1.1_amd64.deb ===> liblua5.3-0_5.3.3-1.1+deb11u1_amd64.deb


Peng Zhang (pzhang2)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/899533

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/899533
Committed: https://opendev.org/starlingx/tools/commit/2800c659fc69f89f1d3278dbbab87bfa3942cf90
Submitter: "Zuul (22348)"
Branch: master

commit 2800c659fc69f89f1d3278dbbab87bfa3942cf90
Author: Peng Zhang <email address hidden>
Date: Sat Oct 28 06:27:27 2023 +0000

    Debian: liblua: fix CVE-2019-6706/CVE-2020-24370

    Upgrade liblua related packages' version from 5.3-0_5.3.3-1.1
    to 5.3-0_5.3.3-1.1+deb11u1 to fix CVE-2019-6706/CVE-2020-24370.

    After the liblua5.3-0 (= 5.3.3-1.1+b1) is upgraded to
    5.3.3-1.1+deb11u1, the following package has unmet dependencies:
    'liblua5.3-dev : Depends: liblua5.3-0 (= 5.3.3-1.1+b1) but
    5.3.3-1.1+deb11u1 is to be installed'.
    So liblua5.3-dev is upgraded to 5.3.3-1.1+deb11u1.

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2019-6706
    https://nvd.nist.gov/vuln/detail/CVE-2020-24370

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2038884

    Change-Id: Ib01e6826246b961d30decc068af9fffcb7d38e26
    Signed-off-by: Peng Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
This report contains Public Security information: everyone can see this security-related information.
