CVE-2021-43519

Published: 9 November 2021

Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.

Notes

Author Note
eslerm
lua deprecated from grub on 2009-09-26
debian/grub-extras/lua/ not compiled - see debian/rules and GRUB_CONTRIB
contrary to description, vulnerability appears to be introduced after 5.1
leosilva
for ceph, that ships with lua, lua affected is 5.4 up, for focal
it is using 5.3, so not-affected. Also, code not found.
mdeslaur
SUSE bug says "this bug is only present in Lua 5.4.2 and 5.4.3"
and the PoC crashing earlier versions may be unrelated to this
CVE.
Introduced in 5.4.2 by:
https://github.com/lua/lua/commit/287b302acb8d925178e9edb800f0a8d18c7d35f6
Fixed in 5.4.4 by:
https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868

Priority

Low

Cvss 3 Severity Score

5.5

Score breakdown

Status

Package Release Status
enigma
Launchpad, Ubuntu, Debian
impish Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

focal Not vulnerable

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

freeciv
Launchpad, Ubuntu, Debian
impish Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

freedroidrpg
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

impish Ignored
(end of life)
lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

fs-uae
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

impish Ignored
(end of life)
lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

golly
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

impish Ignored
(end of life)
lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

goxel
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

impish Ignored
(end of life)
lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Ignored
(end of standard support)
hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

grub2
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
impish Ignored
(end of life)
lunar Not vulnerable
(code-not-compiled)
trusty Not vulnerable
(code-not-compiled)
upstream Needs triage

xenial Not vulnerable
(code-not-compiled)
bionic Not vulnerable
(code-not-compiled)
focal Not vulnerable
(code-not-compiled)
jammy Not vulnerable
(code-not-compiled)
kinetic Not vulnerable
(code-not-compiled)
mantic Not vulnerable
(code-not-compiled)
gtk2-engines
Launchpad, Ubuntu, Debian
impish Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

xenial Not vulnerable

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

haskell-hslua
Launchpad, Ubuntu, Debian
impish Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

hedgewars
Launchpad, Ubuntu, Debian
impish Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

lua5.1
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Not vulnerable
(code not present)
lunar Not vulnerable
(code not present)
trusty Not vulnerable
(code not present)
upstream Needs triage

xenial Not vulnerable
(code not present)
kinetic Not vulnerable
(code not present)
mantic Not vulnerable
(code not present)
lua5.2
Launchpad, Ubuntu, Debian
impish Ignored
(end of life)
upstream Needs triage

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

trusty Not vulnerable

xenial Not vulnerable

lua5.3
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
impish Ignored
(end of life)
trusty Does not exist

upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

lua5.4
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Not vulnerable
(5.4.4-1)
kinetic Not vulnerable
(5.4.4-3)
lunar Not vulnerable
(5.4.4-3)
trusty Does not exist

upstream Released
(5.4.4-1)
xenial Does not exist

mantic Not vulnerable
(5.4.4-3)
Patches:
upstream: https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868
lua50
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Does not exist

lunar Does not exist

trusty Does not exist

upstream Needs triage

kinetic Does not exist

mantic Does not exist

bionic Not vulnerable

focal Not vulnerable

xenial Not vulnerable

luajit
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
impish Ignored
(end of life)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

trusty Not vulnerable

xenial Not vulnerable

mame
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
impish Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

naev
Launchpad, Ubuntu, Debian
focal Needs triage

hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Needs triage

lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Ignored
(end of standard support)
kinetic Ignored
(end of life, was needs-triage)
mantic Needs triage

openscenegraph
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
impish Ignored
(end of life)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

trusty Not vulnerable

xenial Not vulnerable

redis
Launchpad, Ubuntu, Debian
jammy Not vulnerable
(uses system lua)
lunar Not vulnerable
(uses system lua)
trusty Not vulnerable

upstream Needs triage

xenial Not vulnerable
(code not present)
bionic Not vulnerable
(code not present)
focal Not vulnerable
(uses system lua)
hirsute Not vulnerable
(uses system lua)
impish Not vulnerable
(uses system lua)
kinetic Not vulnerable
(uses system lua)
mantic Not vulnerable
(uses system lua)
rust-lua52-sys
Launchpad, Ubuntu, Debian
focal Needs triage

hirsute Ignored
(end of life)
impish Ignored
(end of life)
lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Ignored
(end of standard support)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

scite
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Needs triage

lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

kinetic Ignored
(end of life, was needs-triage)
mantic Needs triage

scorched3d
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Needs triage

lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

kinetic Ignored
(end of life, was needs-triage)
mantic Needs triage

scummvm
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
impish Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

spring
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
impish Ignored
(end of life)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

syslinux
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
impish Ignored
(end of life)
trusty Not vulnerable

bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

syslinux-legacy
Launchpad, Ubuntu, Debian
hirsute Does not exist

impish Does not exist

jammy Does not exist

lunar Does not exist

trusty Does not exist

upstream Needs triage

kinetic Does not exist

mantic Does not exist

bionic Not vulnerable

focal Not vulnerable

xenial Not vulnerable

tagua
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

impish Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

tarantool
Launchpad, Ubuntu, Debian
focal Needs triage

hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Needs triage

lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

kinetic Ignored
(end of life, was needs-triage)
mantic Needs triage

texlive-bin
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
impish Ignored
(end of life)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

tup
Launchpad, Ubuntu, Debian
focal Needs triage

hirsute Ignored
(end of life)
impish Ignored
(end of life)
lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Ignored
(end of standard support)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

ufoai
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
impish Ignored
(end of life)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

vifm
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

hirsute Ignored
(end of life)
jammy Needs triage

lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

kinetic Ignored
(end of life, was needs-triage)
impish Ignored
(end of life)
mantic Needs triage

wcc
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

hirsute Ignored
(end of life)
impish Ignored
(end of life)
jammy Needs triage

lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Ignored
(end of standard support)
kinetic Ignored
(end of life, was needs-triage)
mantic Needs triage

wesnoth
Launchpad, Ubuntu, Debian
trusty Ignored
(end of standard support)
upstream Needs triage

xenial Ignored
(end of standard support)
widelands
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

hirsute Ignored
(end of life)
jammy Needs triage

lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

kinetic Ignored
(end of life, was needs-triage)
impish Ignored
(end of life)
mantic Needs triage

xmoto
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
impish Ignored
(end of life)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

zfs-linux
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
impish Ignored
(end of life)
trusty Ignored
(end of standard support)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

ardour
Launchpad, Ubuntu, Debian
upstream Needs triage

impish Ignored
(end of life)
trusty Ignored
(end of standard support)
hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
bionic Not vulnerable

focal Not vulnerable

jammy Not vulnerable

lunar Not vulnerable

mantic Not vulnerable

xenial Not vulnerable

bam
Launchpad, Ubuntu, Debian
lunar Needs triage

xenial Needs triage

bionic Needs triage

focal Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

hirsute Ignored
(end of life)
impish Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

blobby
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

lunar Needs triage

trusty Ignored
(end of standard support)
xenial Needs triage

impish Ignored
(end of life)
upstream Needs triage

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

ceph
Launchpad, Ubuntu, Debian
bionic Not vulnerable

focal Not vulnerable

lunar Not vulnerable
(code not present)
hirsute Ignored
(end of life)
impish Ignored
(end of life)
trusty Not vulnerable

upstream Needs triage

jammy Not vulnerable
(code not present)
kinetic Not vulnerable
(code not present)
mantic Not vulnerable
(code not present)
xenial Not vulnerable

darktable
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

impish Ignored
(end of life)
lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

eja
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

hirsute Ignored
(end of life)
impish Ignored
(end of life)
lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Ignored
(end of standard support)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

emscripten
Launchpad, Ubuntu, Debian
bionic Needs triage

impish Ignored
(end of life)
lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needs-triage)
jammy Needs triage

mantic Needs triage

Severity score breakdown

Parameter Value
Base score 5.5
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H