Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.
Created lua tracking bugs for this issue:
Affects: fedora-all [bug 1873085]
The versions of lua shipped in Red Hat Enterprise Linux 6, 7 and 8 are not affected by this issue: versions of lua prior to 5.4.0 had a different C-stack overflow control, which did not trigger this flaw.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):