CVE-2021-45985

Published: 10 April 2023

In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.

Notes

Author	Note
mdeslaur	memcached not built with experimental proxy code, so vendored lua isn't built
ccdm94	vulnerable function introduced by commit 14c3aa12b

Priority

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package	Release	Status
lua5.2 Launchpad, Ubuntu, Debian	focal	Not vulnerable (code not present)
	jammy	Not vulnerable (code not present)
	kinetic	Not vulnerable (code not present)
	trusty	Not vulnerable (code not present)
	xenial	Not vulnerable (code not present)
	bionic	Not vulnerable (code not present)
	upstream	Needs triage
	lunar	Not vulnerable (code not present)
	mantic	Not vulnerable (code not present)
lua5.3 Launchpad, Ubuntu, Debian	jammy	Not vulnerable (code not present)
	kinetic	Not vulnerable (code not present)
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Not vulnerable (code not present)
	lunar	Not vulnerable (code not present)
	bionic	Not vulnerable (code not present)
	focal	Not vulnerable (code not present)
	mantic	Not vulnerable (code not present)
lua5.4 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Not vulnerable (5.4.4-1)
	kinetic	Not vulnerable (5.4.4-3)
	trusty	Ignored (end of standard support)
	upstream	Released (5.4.4)
	xenial	Does not exist
	lunar	Not vulnerable (5.4.4-3)
	mantic	Not vulnerable (5.4.4-3)
	Patches: upstream: https://github.com/lua/lua/commit/cf613cdc6fa367257fc61c256f63d917350858b5
lua50 Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	focal	Not vulnerable (code not present)
	jammy	Does not exist
	kinetic	Does not exist
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Not vulnerable (code not present)
	lunar	Does not exist
	mantic	Does not exist
memcached Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	focal	Not vulnerable (code not present)
	jammy	Not vulnerable (code not compiled)
	kinetic	Not vulnerable (code not compiled)
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Not vulnerable (code not present)
	lunar	Not vulnerable (code not compiled)
	mantic	Not vulnerable (code not compiled)
tup Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Needs triage
	jammy	Needs triage
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Ignored (end of standard support)
	kinetic	Ignored (end of life, was needs-triage)
	lunar	Needs triage
	mantic	Needs triage
vifm Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	jammy	Needs triage
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Needs triage
	kinetic	Ignored (end of life, was needs-triage)
	lunar	Needs triage
	mantic	Needs triage
darktable Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	jammy	Needs triage
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Needs triage
	kinetic	Ignored (end of life, was needs-triage)
	lunar	Needs triage
	mantic	Needs triage
lua5.1 Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	focal	Not vulnerable (code not present)
	jammy	Not vulnerable (code not present)
	kinetic	Not vulnerable (code not present)
	trusty	Not vulnerable (code not present)
	upstream	Not vulnerable (code not present)
	xenial	Not vulnerable (code not present)
	lunar	Not vulnerable (code not present)
	mantic	Not vulnerable (code not present)

Severity score breakdown

Parameter	Value
Base score	7.5
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Bugs

https://www.lua.org/bugs.html#5.4.3-11

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›