Bug 2047672 (CVE-2021-43519)

Summary: CVE-2021-43519 lua: stack overflow in lua_resume of ldo.c allows a DoS via a crafted script file
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: 4le, bdettelb, caswilli, csutherl, drjohnson1, fjansen, gzaronik, jburrell, jclere, jwon, kaycoth, krathod, lua-packagers-sig, mhroncok, michel, mturk, packaging-team-maint, pjindal, rob.myers, spotrh, szappis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: lua 5.3.5, lua 5.4.4 Doc Type: If docs needed, set a value
Doc Text:
A stack overflow issue was discovered in Lua in the lua_resume() function of 'ldo.c'. This flaw allows a local attacker to pass a specially crafted file to the Lua Interpreter, causing a crash that leads to a denial of service.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2048364, 2047673, 2048367, 2048368, 2048369, 2048461    
Bug Blocks: 2047674    

Description Marian Rehak 2022-01-28 09:33:37 UTC
Stack overflow in lua_resume of ldo.c in Lua Interpreter allows attackers to perform a Denial of Service via a crafted script file.

Reference:

http://lua-users.org/lists/lua-l/2021-11/msg00015.html
http://lua-users.org/lists/lua-l/2021-10/msg00123.html

Comment 1 Marian Rehak 2022-01-28 09:34:08 UTC
Created lua tracking bugs for this issue:

Affects: fedora-all [bug 2047673]