Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0 through 5.4.4 allows
attackers to perform a Denial of Service via a crafted script file.
Author | Note |
---|---|
eslerm | lua deprecated from grub on 2009-09-26; debian/grub-extras/lua/ not compiled, see debian/rules and GRUB_CONTRIB. Contrary to description, vulnerability appears to be introduced after 5.1 |
leosilva | for ceph, that ships with lua, lua affected is 5.4 up; for focal it is using 5.3, so not-affected. Also, code not found. |
mdeslaur | SUSE bug says “this bug is only present in Lua 5.4.2 and 5.4.3” and the PoC crashing earlier versions may be unrelated to this CVE. Introduced in 5.4.2 by: https://github.com/lua/lua/commit/287b302acb8d925178e9edb800f0a8d18c7d35f6 Fixed in 5.4.4 by: https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868 |
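As an added check that is not part of the Ubuntu tracker page or the Lua project, the POSIX shell helper below classifies a `lua -v` banner against the range mdeslaur's note gives (introduced in 5.4.2, fixed in 5.4.4); passing `broad` as the second argument applies the wider 5.1.0 up to 5.4.4 range from the CVE text instead. Function names and the sample banners are assumptions. The caveat a practitioner wants: Ubuntu and Debian packages carry backported fixes, so the upstream version string alone does not settle the status of a distro package; `dpkg -s lua5.4` plus the tracker's per-release status is what decides it.

```shell
#!/bin/sh
# Added example, not from the Ubuntu CVE tracker or the Lua project.
# Classifies a `lua -v` banner against the CVE-2021-43519 version range.
# Default ("narrow") follows mdeslaur's note: 5.4.2 <= version < 5.4.4.
# "broad" follows the CVE text: 5.1.0 <= version < 5.4.4 (fixed in 5.4.4).
# Upstream version only: a patched distro build still shows the old banner.

# "Lua 5.4.3  Copyright (C) 1994-2021 Lua.org, PUC-Rio" -> "5.4.3"
lua_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Lua \([0-9][0-9.]*\).*/\1/p'
}

# "5.4.3" -> 50403, one integer that compares in version order
# (assumes each component is below 100, true for every Lua release)
version_key() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Usage: cve_2021_43519_status "<lua -v banner>" [narrow|broad]
# Prints one of: affected | not-affected | unknown
# e.g. cve_2021_43519_status "$(lua5.4 -v 2>&1)"
cve_2021_43519_status() {
    ver=$(lua_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    k=$(version_key "$ver")
    if [ "${2:-narrow}" = broad ]; then
        lo=$(version_key 5.1.0)     # CVE text lower bound
    else
        lo=$(version_key 5.4.2)     # commit 287b302 introduced the bug
    fi
    hi=$(version_key 5.4.4)         # commit 74d9905 fixed it
    if [ "$k" -ge "$lo" ] && [ "$k" -lt "$hi" ]; then
        echo affected
    else
        echo not-affected
    fi
}
```

The narrow range is the default because both the SUSE bug quoted in the notes and the two referenced commits agree on it; the broad mode exists only to reproduce the NVD reading when a scanner reports on that basis.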
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | bam | < any | UNKNOWN |
ubuntu | 20.04 | noarch | bam | < any | UNKNOWN |
ubuntu | 22.04 | noarch | bam | < any | UNKNOWN |
ubuntu | 23.10 | noarch | bam | < any | UNKNOWN |
ubuntu | 24.04 | noarch | bam | < any | UNKNOWN |
ubuntu | 16.04 | noarch | bam | < any | UNKNOWN |
ubuntu | 18.04 | noarch | blobby | < any | UNKNOWN |
ubuntu | 20.04 | noarch | blobby | < any | UNKNOWN |
ubuntu | 22.04 | noarch | blobby | < any | UNKNOWN |
ubuntu | 23.10 | noarch | blobby | < any | UNKNOWN |
https://lua-users.org/lists/lua-l/2021-10/msg00123.html
https://lua-users.org/lists/lua-l/2021-11/msg00015.html
https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868
https://launchpad.net/bugs/cve/CVE-2021-43519
https://nvd.nist.gov/vuln/detail/CVE-2021-43519
https://security-tracker.debian.org/tracker/CVE-2021-43519
https://www.cve.org/CVERecord?id=CVE-2021-43519