Bug 1175449 (CVE-2020-24371)

Summary: VUL-1: CVE-2020-24371: lua,lua51,lua53,lua54: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: gmbr3, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/265442/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-24371:5.1:(AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2020-08-18 13:56:18 UTC 
CVE-2020-24371

lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep
phase, leading to a memory access violation involving collectgarbage.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24371
https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110
https://www.lua.org/bugs.html#5.4.0-9
Comment 1 Robert Frohl 2020-08-18 13:57:05 UTC 
to me it looks like that this affects lua54 and in addition lua53.
Comment 2 OBSbugzilla Bot 2020-08-18 14:50:21 UTC 
This is an autogenerated message for OBS integration:
This bug (1175449) was mentioned in
https://build.opensuse.org/request/show/827610 Factory / lua54
Comment 3 OBSbugzilla Bot 2020-08-18 15:30:26 UTC 
This is an autogenerated message for OBS integration:
This bug (1175449) was mentioned in
https://build.opensuse.org/request/show/827619 Factory / lua54
Comment 4 Callum Farmer 2020-08-21 09:15:44 UTC 
Completed in lua54. Awaiting @mcepl acceptance to devel prj for lua53.
Comment 5 Callum Farmer 2020-09-23 12:36:17 UTC 
COMPLETED in lua54 AND lua53.
Comment 6 Robert Frohl 2021-05-25 09:30:35 UTC 
still needed in:
- SUSE:SLE-15:Update/lua53
Comment 7 Matej Cepl 2021-06-01 09:04:42 UTC 
(In reply to Callum Farmer from comment #4)
> Completed in lua54. Awaiting @mcepl acceptance to devel prj for lua53.

Is it correct now?
Comment 8 Callum Farmer 2021-06-01 09:19:38 UTC 
Yes in Factory
Comment 9 Matej Cepl 2021-06-09 18:00:44 UTC 
Will be fixed now with the synchronization with Factory.
Comment 11 Swamp Workflow Management 2021-07-02 22:18:14 UTC 
openSUSE-SU-2021:0962-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1175448,1175449
CVE References: CVE-2020-24370,CVE-2020-24371
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    lua53-5.3.6-lp152.5.3.1
Comment 12 Swamp Workflow Management 2021-07-10 22:26:26 UTC 
openSUSE-SU-2021:2196-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1175448,1175449
CVE References: CVE-2020-24370,CVE-2020-24371
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    lua53-5.3.6-3.6.1