Is CVE-2019-6706 in Lua 5.4 fixed?

jakub.kulik
Hi

I was recently investigating the state of CVE-2019-6706, and it seems
that while this was fixed in the 5.3 branch [1], it was not forward-ported
to 5.4. Is that the case, or am I missing some other change that makes
this a non-issue?

Best Regards,
Jakub

[1] https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e

[CVE-2019-6706 discussion] http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html

Re: Is CVE-2019-6706 in Lua 5.4 fixed?

Luiz Henrique de Figueiredo
> I was recently investigating the state of CVE-2019-6706, and it seems
> that while this was fixed in the 5.3 branch [1], it was not forward-ported
> to 5.4. Is that the case, or am I missing some other change that makes
> this a non-issue?

The latter. See http://lua-users.org/lists/lua-l/2020-04/msg00126.html

Re: Is CVE-2019-6706 in Lua 5.4 fixed?

jakub.kulik
Thanks for the confirmation - I missed that, sorry.

Jakub

On 7/20/20 2:04 PM, Luiz Henrique de Figueiredo wrote:
>> I was recently investigating the state of CVE-2019-6706, and it seems
>> that while this was fixed in the 5.3 branch [1], it was not forward-ported
>> to 5.4. Is that the case, or am I missing some other change that makes
>> this a non-issue?
>
> The latter. See http://lua-users.org/lists/lua-l/2020-04/msg00126.html
>