Hi,

On Tue, Dec 03, 2019 at 02:01:57PM +0100, Salvatore Bonaccorso wrote:
> Source: luajit
> Version: 2.1.0~beta3+dfsg-5.1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/LuaJIT/LuaJIT/pull/526
> 
> Hi,
> 
> The following vulnerability was published for luajit.
> 
> CVE-2019-19391[0]:
> | In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other
> | products, debug.getinfo has a type confusion issue that leads to
> | arbitrary memory write or read operations, because certain cases
> | involving valid stack levels and > options are mishandled.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-19391
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19391
> [1] https://github.com/LuaJIT/LuaJIT/pull/526
> 
> Please adjust the affected versions in the BTS as needed.

Should be noted that the issue is only in the debug library, so the
CVE assignment might as well be disputed, still being a valid bug.

Regards,
Salvatore
