Bug 2104427 (CVE-2022-33099)

Summary: CVE-2022-33099 lua: heap buffer overflow in luaG_errormsg() in ldebug.c due to uncontrolled recursion in error handling
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: 4le, bdettelb, carl, caswilli, csutherl, dffrench, drjohnson1, epel-packagers-sig, fedora, fjansen, gzaronik, hdegoede, jburrell, jclere, jwon, kaycoth, lua-packagers-sig, mdomonko, mhroncok, michel, moceap, mschmidt, mturk, ngough, packaging-team-maint, peholase, pjindal, plodge, pmatilai, rgodfrey, rob.myers, spotrh, sthirugn, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Lua. During error handling, the luaG_errormsg() component uses slots from EXTRA_STACK. Some errors can recur such as a string overflow while creating an error message in 'luaG_runerror', or a C-stack overflow before calling the message handler, causing a crash that leads to a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-09 00:13:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2104501, 2104743, 2104744, 2104745, 2132325, 2132326, 2132327, 2137384    
Bug Blocks: 2103258    

Description TEJ RATHI 2022-07-06 08:58:29 UTC 
An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.

https://lua-users.org/lists/lua-l/2022-05/msg00035.html
https://lua-users.org/lists/lua-l/2022-05/msg00073.html
https://lua-users.org/lists/lua-l/2022-05/msg00042.html
https://www.lua.org/bugs.html#Lua-stack%20overflow%20when%20C%20stack%20overflows%20while%20handling%20an%20error:~:text=Lua%2Dstack%20overflow%20when%20C%20stack%20overflows%20while%20handling%20an%20error
https://github.com/lua/lua/commit/42d40581dd919fb134c07027ca1ce0844c670daf
Comment 2 TEJ RATHI 2022-07-07 05:04:31 UTC 
Created compat-lua tracking bugs for this issue:

Affects: epel-all [bug 2104744]
Affects: fedora-all [bug 2104745]


Created lua tracking bugs for this issue:

Affects: fedora-all [bug 2104743]
Comment 14 errata-xmlrpc 2022-11-02 14:35:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7329 https://access.redhat.com/errata/RHSA-2022:7329
Comment 16 Product Security DevOps Team 2022-12-09 00:13:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-33099