Lua through 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members. References: http://lua-users.org/lists/lua-l/2020-07/msg00078.html https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312
Created lua tracking bugs for this issue: Affects: fedora-all [bug 1860317]
Statement: The affected code was introduced via https://github.com/lua/lua/commit/f5f3df3bd17fb3489bbd26ab39fe1580a8dbf9c9 which is part of lua-5.4. Therefore versions of lua package shipped with Red Hat products is not affected by this flaw.