On Thu, Jan 24, 2019 at 07:02:59AM +0100, Salvatore Bonaccorso wrote:
> Source: lua5.3
> Version: 5.3.3-1.1
> Severity: important
> Tags: security upstream
> Control: found -1 5.3.3-1
> 
> Hi,
> 
> The following vulnerability was published for lua5.3.
> 
> CVE-2019-6706[0]:
> | Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For
> | example, a crash outcome might be achieved by an attacker who is able
> | to trigger a debug.upvaluejoin call in which the arguments have certain
> | relationships.

Ubuntu fixed this via 
https://launchpad.net/ubuntu/+source/lua5.3/5.3.3-1ubuntu0.18.10.1 :
http://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10.1.diff.gz

Leonidas, what's the provenance of that patch (given that upstream doesn't
have a public code repo), has it been reviewed/blessed by the Lua upstream
developers?

Cheers,
        Moritz
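The CVE text above only says that lua_upvaluejoin has a use-after-free reachable through debug.upvaluejoin "in which the arguments have certain relationships". The following is an added illustration, not Lua's own code and not the Ubuntu patch linked above: a toy refcounted-upvalue model that assumes (assumption, not stated on this page) the relationship is both arguments naming the same single-referenced upvalue, and that the defect is dropping the old reference before installing the new one. The names UpVal, Closure, join_vulnerable and join_fixed are hypothetical, and the reordering in join_fixed is a generic hardening of that pattern, not necessarily the upstream fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal model of a refcounted upvalue. Instead of calling free() the
 * object is marked freed, so a write through a dangling pointer is
 * observable here rather than undefined behaviour. */
typedef struct UpVal {
    int  refcount;
    bool freed;
} UpVal;

typedef struct Closure {
    UpVal *upvals[2];
} Closure;

static void upval_decref(UpVal *uv) {
    if (--uv->refcount == 0)
        uv->freed = true;           /* stands in for free(uv) */
}

/* Assumed defect pattern (see lead-in): the old reference is dropped
 * BEFORE the new one is taken. When both slots hold the same object and
 * that object had exactly one reference, the decrement frees it and the
 * following two lines operate on freed memory. */
static void join_vulnerable(Closure *c1, int n1, Closure *c2, int n2) {
    UpVal **up1 = &c1->upvals[n1];
    UpVal **up2 = &c2->upvals[n2];
    upval_decref(*up1);            /* may free *up1 ... */
    *up1 = *up2;                   /* ... which is *up2 when they alias */
    (*up1)->refcount++;            /* write through a dangling pointer */
}

/* Hardened ordering: take the new reference first, release the old one
 * last. In the aliasing case the count goes 1 -> 2 -> 1 and nothing is
 * freed; in the non-aliasing case behaviour is unchanged. */
static void join_fixed(Closure *c1, int n1, Closure *c2, int n2) {
    UpVal **up1 = &c1->upvals[n1];
    UpVal **up2 = &c2->upvals[n2];
    UpVal *old = *up1;
    *up1 = *up2;
    (*up1)->refcount++;
    upval_decref(old);
}

/* Returns true when the slot ends up pointing at a freed object.
 * Constructed input: one closed upvalue with a single reference, joined
 * onto itself (the analogue of debug.upvaluejoin(f, 1, f, 1)). */
static bool slot_dangles_after(void (*join)(Closure *, int, Closure *, int)) {
    UpVal uv = { .refcount = 1, .freed = false };
    Closure f = { { &uv, NULL } };
    join(&f, 0, &f, 0);
    return f.upvals[0]->freed;
}

/* Non-aliasing sanity check: the old object is released, the new one
 * gains a reference, and the slot now points at the new object. */
static bool non_alias_case_ok(void (*join)(Closure *, int, Closure *, int)) {
    UpVal a = { .refcount = 1, .freed = false };
    UpVal b = { .refcount = 1, .freed = false };
    Closure f = { { &a, NULL } };
    Closure g = { { &b, NULL } };
    join(&f, 0, &g, 0);
    return a.freed && !b.freed && b.refcount == 2 && f.upvals[0] == &b;
}

int main(void) {
    printf("vulnerable ordering leaves dangling slot: %s\n",
           slot_dangles_after(join_vulnerable) ? "yes" : "no");
    printf("fixed ordering leaves dangling slot:      %s\n",
           slot_dangles_after(join_fixed) ? "yes" : "no");
    return 0;
}
```

The point for a reviewer of the Ubuntu diff is the ordering: any fix that still decrements the old upvalue's count before the new reference is held remains vulnerable when the two arguments alias, so that is the first thing to check in the patch whatever its provenance.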
