Search CVE reports
1 – 10 of 13 results
CVE-2021-45985
Medium priorityIn Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.
9 affected packages
darktable, lua5.1, lua5.2, lua5.3, lua5.4...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
darktable | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
lua5.1 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.2 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.3 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.4 | Not affected | Not affected | Not in release | Not in release | Not in release |
lua50 | Not in release | Not in release | Not affected | Not affected | Not affected |
memcached | Not affected | Not affected | Not affected | Not affected | Not affected |
tup | Needs evaluation | Needs evaluation | Needs evaluation | Not in release | Ignored |
vifm | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2022-33099
Low prioritySome fixes available 1 of 6
An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.
5 affected packages
lua5.1, lua5.2, lua5.3, lua5.4, lua50
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lua5.1 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.2 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.3 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.4 | Not affected | Fixed | Not in release | Not in release | Not in release |
lua50 | Not in release | Not in release | Not affected | Not affected | Not affected |
CVE-2022-28805
Medium prioritySome fixes available 1 of 5
singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.
5 affected packages
lua5.1, lua5.2, lua5.3, lua5.4, lua50
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lua5.1 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.2 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.3 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.4 | Not affected | Fixed | Not in release | Not in release | Not in release |
lua50 | Not in release | Not in release | Not affected | Not affected | Not affected |
CVE-2021-44964
Medium priorityUse after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.
5 affected packages
lua5.1, lua5.2, lua5.3, lua5.4, lua50
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lua5.1 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.2 | Not affected | Not affected | Not affected | Not affected | Needs evaluation |
lua5.3 | Not affected | Not affected | Not affected | Not affected | Needs evaluation |
lua5.4 | Not affected | Not affected | Not in release | Not in release | Not in release |
lua50 | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2021-44647
Medium priorityLua v5.4.3 and above are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.
5 affected packages
lua5.1, lua5.2, lua5.3, lua5.4, lua50
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lua5.1 | — | Not affected | Not affected | Not affected | Not affected |
lua5.2 | — | Not affected | Not affected | Not affected | Not affected |
lua5.3 | — | Not affected | Not affected | Not affected | Not affected |
lua5.4 | — | Not affected | Not in release | Not in release | Not in release |
lua50 | — | Not in release | Not affected | Not affected | Not affected |
CVE-2021-43519
Low priorityStack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.
45 affected packages
ardour, bam, blobby, ceph, darktable...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ardour | Not affected | Not affected | Not affected | Not affected | Not affected |
bam | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
blobby | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
ceph | Not affected | Not affected | Not affected | Not affected | Not affected |
darktable | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
eja | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Ignored |
emscripten | Needs evaluation | Needs evaluation | — | Needs evaluation | Needs evaluation |
enigma | Not affected | Not affected | Not affected | Not affected | Not affected |
freeciv | Not affected | Not affected | Not affected | Not affected | Not affected |
freedroidrpg | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
fs-uae | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
golly | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
goxel | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Ignored |
grub2 | Not affected | Not affected | Not affected | Not affected | Not affected |
gtk2-engines | Not affected | Not affected | Not affected | Not affected | Not affected |
haskell-hslua | Not affected | Not affected | Not affected | Not affected | Not affected |
hedgewars | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.1 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.2 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.3 | Not affected | Not affected | Not affected | Not affected | Not affected |
lua5.4 | Not affected | Not affected | Not in release | Not in release | Not in release |
lua50 | Not in release | Not in release | Not affected | Not affected | Not affected |
luajit | Not affected | Not affected | Not affected | Not affected | Not affected |
mame | Not affected | Not affected | Not affected | Not affected | Not affected |
naev | Needs evaluation | Needs evaluation | Needs evaluation | — | Ignored |
openscenegraph | Not affected | Not affected | Not affected | Not affected | Not affected |
redis | Not affected | Not affected | Not affected | Not affected | Not affected |
rust-lua52-sys | Needs evaluation | Needs evaluation | Needs evaluation | — | Ignored |
scite | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
scorched3d | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
scummvm | Not affected | Not affected | Not affected | Not affected | Not affected |
spring | Not affected | Not affected | Not affected | Not affected | Not affected |
syslinux | Not affected | Not affected | Not affected | Not affected | Not affected |
syslinux-legacy | Not in release | Not in release | Not affected | Not affected | Not affected |
tagua | Not affected | Not affected | Not affected | Not affected | Not affected |
tarantool | Needs evaluation | Needs evaluation | Needs evaluation | — | Needs evaluation |
texlive-bin | Not affected | Not affected | Not affected | Not affected | Not affected |
tup | Needs evaluation | Needs evaluation | Needs evaluation | — | Ignored |
ufoai | Not affected | Not affected | Not affected | Not affected | Not affected |
vifm | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
wcc | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Ignored |
wesnoth | — | — | — | — | Ignored |
widelands | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
xmoto | Not affected | Not affected | Not affected | Not affected | Not affected |
zfs-linux | Not affected | Not affected | Not affected | Not affected | Not affected |
CVE-2020-24371
Medium prioritylgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.
5 affected packages
lua5.1, lua5.2, lua5.3, lua5.4, lua50
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lua5.1 | — | Not affected | Not affected | Not affected | Not affected |
lua5.2 | — | Not affected | Not affected | Not affected | Not affected |
lua5.3 | — | Not affected | Not affected | Not affected | Not affected |
lua5.4 | — | Not affected | Not in release | Not in release | Not in release |
lua50 | — | Not in release | Not affected | Not affected | Not affected |
CVE-2020-24370
Medium priorityldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
5 affected packages
lua5.1, lua5.2, lua5.3, lua5.4, lua50
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lua5.1 | — | Not affected | Not affected | Not affected | Not affected |
lua5.2 | — | Not affected | Not affected | Not affected | Not affected |
lua5.3 | — | Not affected | Not affected | Not affected | Not affected |
lua5.4 | — | Not affected | Not in release | Not in release | Not in release |
lua50 | — | Not in release | Not affected | Not affected | Not affected |
CVE-2020-24369
Medium priorityldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.
5 affected packages
lua5.1, lua5.2, lua5.3, lua5.4, lua50
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lua5.1 | — | Not affected | Not affected | Not affected | Not affected |
lua5.2 | — | Not affected | Not affected | Not affected | Not affected |
lua5.3 | — | Not affected | Not affected | Not affected | Not affected |
lua5.4 | — | Not affected | Not in release | Not in release | Not in release |
lua50 | — | Not in release | Not affected | Not affected | Not affected |
CVE-2020-24342
Medium priorityLua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.
5 affected packages
lua5.1, lua5.2, lua5.3, lua5.4, lua50
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lua5.1 | — | Not affected | Not affected | Not affected | Not affected |
lua5.2 | — | Not affected | Not affected | Not affected | Not affected |
lua5.3 | — | Not affected | Not affected | Not affected | Not affected |
lua5.4 | — | Not affected | Not in release | Not in release | Not in release |
lua50 | — | Not in release | Not affected | Not affected | Not affected |