Hi,

Yep, my bad for not having added any info on the patch... That said,
the patch can be found here [1]. It was tested against the POC and it fixed the issue.

Any other questions, please let me know :)

[1] http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html

Cheers!

On Mon, 2019-04-08 at 20:29 +0200, Moritz Mühlenhoff wrote:
> On Thu, Jan 24, 2019 at 07:02:59AM +0100, Salvatore Bonaccorso wrote:
> > Source: lua5.3
> > Version: 5.3.3-1.1
> > Severity: important
> > Tags: security upstream
> > Control: found -1 5.3.3-1
> >
> > Hi,
> >
> > The following vulnerability was published for lua5.3.
> >
> > CVE-2019-6706[0]:
> > > Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For
> > > example, a crash outcome might be achieved by an attacker who is able
> > > to trigger a debug.upvaluejoin call in which the arguments have certain
> > > relationships.
>
> Ubuntu fixed this via https://launchpad.net/ubuntu/+source/lua5.3/5.3.3-1ubuntu0.18.10.1 :
> http://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10.1.diff.gz
>
> Leonidas, what's the provenance of that patch (given that upstream doesn't
> have a public code repo), has it been reviewed/blessed by the Lua upstream
> developers?
>
> Cheers,
> Moritz