Bugzilla – Bug 1123043
VUL-0: CVE-2019-6706: lua53: lua use-after-free in lua_upvaluejoin in lapi.c
Last modified: 2021-06-09 22:05:07 UTC
Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1669031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6706
http://www.cvedetails.com/cve/CVE-2019-6706/
http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html
For this bug, only instances of Lua 5.3.X are affected. I tried to run the POC with the rest of the versions that we support (5.1.X and 5.2.X), but no crash occurred. Thus only package lua53 is affected in SLE15. More information regarding the fix, the POC and the bug can be found at [1].

[1] http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html
Just to add that the vulnerability of this bug should be reevaluated. I have made a fix already and I am discussing it upstream (http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html), but it seems like this is a mostly theoretical attack, and besides, if somebody has access to the debug interface, all is lost anyway.
SUSE-SU-2019:0247-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123043
CVE References: CVE-2019-6706
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): lua53-5.3.4-3.3.2
SUSE Linux Enterprise Module for Basesystem 15 (src): lua53-5.3.4-3.3.2
openSUSE-SU-2019:0175-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123043
CVE References: CVE-2019-6706
Sources used:
openSUSE Leap 15.0 (src): lua53-5.3.4-lp150.2.3.1
Done