On Thu, Jan 24, 2019 at 07:02:59AM +0100, Salvatore Bonaccorso wrote:
> Source: lua5.3
> Version: 5.3.3-1.1
> Severity: important
> Tags: security upstream
> Control: found -1 5.3.3-1
>
> Hi,
>
> The following vulnerability was published for lua5.3.
>
> CVE-2019-6706:
> | Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For
> | example, a crash outcome might be achieved by an attacker who is able
> | to trigger a debug.upvaluejoin call in which the arguments have certain
> | relationships.
Ubuntu fixed this via https://launchpad.net/ubuntu/+source/lua5.3/5.3.3-1ubuntu0.18.10.1 :
http://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10.1.diff.gz

Leonidas, what's the provenance of that patch (given that upstream doesn't have a public code repo)? Has it been reviewed/blessed by the Lua upstream developers?

Cheers,
Moritz