Is CVE-2019-6706 in Lua 5.4 fixed?

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Is CVE-2019-6706 in Lua 5.4 fixed?
From: jakub.kulik@...
Date: Mon, 20 Jul 2020 13:01:18 +0200

Hi

I was recently investigating the state of CVE-2019-6706, and it seemsthat while this was fixed in 5.3 branch [1], it was not forward-portedto 5.4. Is that the case or am I missing some other change that makesthis nonissue?


Best Regards,
Jakub

[1]https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e

[CVE-2019-6706 discussion]http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html

Follow-Ups:
- Re: Is CVE-2019-6706 in Lua 5.4 fixed?, Luiz Henrique de Figueiredo

Prev by Date: A tricky way to determine Lua version (updated)
Next by Date: Re: Is CVE-2019-6706 in Lua 5.4 fixed?
Previous by thread: Re: A tricky way to determine Lua version (updated)
Next by thread: Re: Is CVE-2019-6706 in Lua 5.4 fixed?
Index(es):
- Date
- Thread