https://bugzilla.redhat.com/show_bug.cgi?id=2073884
Bug ID: 2073884
Summary: CVE-2022-28805 dev-lang/lua: heap buffer overread
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: ahanwate@redhat.com
CC: 4le@live.com, drjohnson1@gmail.com, lua-packagers-sig@lists.fedoraproject.org, mhroncok@redhat.com, michel@michel-slm.name, rob.myers@gtri.gatech.edu, spotrh@gmail.com
Target Milestone: ---
Classification: Other
singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.
References:
https://lua-users.org/lists/lua-l/2022-02/msg00001.html
https://lua-users.org/lists/lua-l/2022-02/msg00070.html
https://lua-users.org/lists/lua-l/2022-04/msg00009.html
https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa