Описание
In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.
A heap-based buffer overflow issue was found in Lua Interpreter. The vulnerability can be exploited when an erroneous finalizer calls during a tail call with an invalid stack, triggering an out-of-bounds read, leading to a crash or a denial of service.
Отчет
The bug exists in Lua Interpreter since v5.4.3 and fixed in v5.4.4. RHEL-6, 7, 8 ships Lua-v5.3.4 and prior versions, which does not contains the vulnerable function. And RHEL-9 already ships Lua-v5.4.4 and above, which contains the fix. Hence, none of the Lua versions shipped with Red Hat Enterprise Linux are affected.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | lua | Not affected | ||
| Red Hat Enterprise Linux 7 | lua | Not affected | ||
| Red Hat Enterprise Linux 8 | libreoffice:flatpak/lua | Not affected | ||
| Red Hat Enterprise Linux 8 | lua | Not affected | ||
| Red Hat Enterprise Linux 9 | lua | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.
In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.
Mitre: CVE-2021-45985 Erroneous finalizer call in Lua leads to a heap-based buffer over-read
In Lua 5.4.3, an erroneous finalizer called during a tail call leads t ...
In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.
EPSS
7.5 High
CVSS3