Your submission was sent successfully! Close

CVE-2019-6706

Published: 23 January 2019

Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.

Notes

AuthorNote
mdeslaur
as of 2019-02-28, proposed fix not committed
per debian, 5.0, 5.1 and 5.2 aren't affected
Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
lua5.1
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
cosmic Not vulnerable
(code not present)
precise Not vulnerable
(code not present)
trusty Not vulnerable
(code not present)
upstream Needs triage

xenial Not vulnerable
(code not present)
lua5.2
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
cosmic Not vulnerable
(code not present)
precise Does not exist

trusty Not vulnerable
(code not present)
upstream Needs triage

xenial Not vulnerable
(code not present)
lua5.3
Launchpad, Ubuntu, Debian
bionic
Released (5.3.3-1ubuntu0.18.04.1)
cosmic
Released (5.3.3-1ubuntu0.18.10.1)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial
Released (5.3.1-1ubuntu2.1)
lua50
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
cosmic Not vulnerable
(code not present)
precise Does not exist

trusty Does not exist
(trusty was not-affected [code not present])
upstream Needs triage

xenial Not vulnerable
(code not present)