Bug 1175449 - (CVE-2020-24371) VUL-1: CVE-2020-24371: lua,lua51,lua53,lua54: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/265442/
CVSSv3.1:SUSE:CVE-2020-24371:5.1:(AV:...
Reported: 2020-08-18 13:56 UTC by Robert Frohl
Modified: 2021-07-10 22:26 UTC
Found By: Security Response Team
Description Robert Frohl 2020-08-18 13:56:18 UTC
CVE-2020-24371

lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep
phase, leading to a memory access violation involving collectgarbage.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24371
https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110
https://www.lua.org/bugs.html#5.4.0-9
Comment 1 Robert Frohl 2020-08-18 13:57:05 UTC
To me it looks like this affects lua54 and, in addition, lua53.
Comment 2 OBSbugzilla Bot 2020-08-18 14:50:21 UTC
This is an autogenerated message for OBS integration:
This bug (1175449) was mentioned in
https://build.opensuse.org/request/show/827610 Factory / lua54
Comment 3 OBSbugzilla Bot 2020-08-18 15:30:26 UTC
This is an autogenerated message for OBS integration:
This bug (1175449) was mentioned in
https://build.opensuse.org/request/show/827619 Factory / lua54
Comment 4 Callum Farmer 2020-08-21 09:15:44 UTC
Completed in lua54. Awaiting @mcepl acceptance to devel prj for lua53.
Comment 5 Callum Farmer 2020-09-23 12:36:17 UTC
COMPLETED in lua54 AND lua53.
Comment 6 Robert Frohl 2021-05-25 09:30:35 UTC
still needed in:
- SUSE:SLE-15:Update/lua53
Comment 7 Matej Cepl 2021-06-01 09:04:42 UTC
(In reply to Callum Farmer from comment #4)
> Completed in lua54. Awaiting @mcepl acceptance to devel prj for lua53.

Is it correct now?
Comment 8 Callum Farmer 2021-06-01 09:19:38 UTC
Yes in Factory
Comment 9 Matej Cepl 2021-06-09 18:00:44 UTC
Will be fixed now with the synchronization with Factory.
Comment 11 Swamp Workflow Management 2021-07-02 22:18:14 UTC
openSUSE-SU-2021:0962-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1175448,1175449
CVE References: CVE-2020-24370,CVE-2020-24371
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    lua53-5.3.6-lp152.5.3.1
Comment 12 Swamp Workflow Management 2021-07-10 22:26:26 UTC
openSUSE-SU-2021:2196-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1175448,1175449
CVE References: CVE-2020-24370,CVE-2020-24371
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    lua53-5.3.6-3.6.1