Bug#1010265: [pkg-lua-devel] Bug#1010265: CVE-2022-28805

2022-04-29 Thread Moritz Mühlenhoff
On Fri, Apr 29, 2022 at 07:49:15AM +0300, Sergei Golovan wrote:
> > This was assigned CVE-2022-28805:
> > https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
> > http://lua-users.org/lists/lua-l/2022-02/msg1.html
> > http://lua-users.org/lists/lua-l/2022-02/msg00070.html
> >
> > Can you please check whether this also affects the older Lua versions
> > in the archive?
> 
> This bug is related to the  variables which have been introduced in
> Lua 5.4, so it doesn't affect the earlier versions.

Thanks, I've updated the Debian security tracker.

> It does affect Lua 5.4.2 in stable though.
>
> I'll fix it in unstable shortly. Do I need to prepare a fix for stable?

It doesn't need a DSA IMO. Could be fixed via a point release or we fix
it along when there's a more severe Lua issue in the future?

Cheers,
Moritz



Bug#1010265: [pkg-lua-devel] Bug#1010265: CVE-2022-28805

2022-04-28 Thread Sergei Golovan
found 1010265 5.4.2-1
thanks

Hi Moritz,

On Wed, Apr 27, 2022 at 2:57 PM Moritz Muehlenhoff wrote:
>
> This was assigned CVE-2022-28805:
> https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
> http://lua-users.org/lists/lua-l/2022-02/msg1.html
> http://lua-users.org/lists/lua-l/2022-02/msg00070.html
>
> Can you please check whether this also affects the older Lua versions
> in the archive?

This bug is related to the  variables which have been introduced in
Lua 5.4, so it doesn't affect the earlier versions.

It does affect Lua 5.4.2 in stable though.

I'll fix it in unstable shortly. Do I need to prepare a fix for stable?

Cheers!
-- 
Sergei Golovan