On Monday, April 08 2019, Leonidas S. Barbosa wrote:

> Hi,
>
> Yep, my bad for not having added any info on the patch...said that
>
> The patch can be found here [1]
> It was tested against the POC and it fixed the issue.
> Any other question, please let me know :)
>
>
> [1] http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html

I'm looking at this patch now in order to backport it to Debian. From
the discussion linked above, it seems one of the developers (Roberto
Ierusalimschy) wasn't sure about the approach.

I then looked at upstream's mirror repository
(https://github.com/lua/lua/) and found a commit that fixes the bug in
the CVE:

https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e

Unfortunately, the commit contains several non-related changes, but I
think the gist of it is:

https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e#diff-1e2b1d8517c8942a094de2cfe42f0d25

which is the hunk that modifies lapi.c. We can see that it implements
the idea that Roberto had in the discussion linked above. I think that's
the patch that should be backported.

Cheers,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
https://sergiodj.net/