lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

> Is the range of affected versions from the CVE description incorrect?  If so
> could you please confirm that only v5.4.2 and v5.4.3 are affected, and that the
> vulnerability was introduced by the aforementioned 287b302a?

Except for 5.4, I only tested the current releases of each version.
I got the same results as you: Lua 5.0.3 crashed (but from another bug),
5.1.5, 5.2.4, and 5.3.6 work correctly. 5.4.0, 5.4.1, 5.4.4, and 5.4.6
also work correctly. The bug probably was introduced in 287b302a; that
is easy to check (but I didn't).

I also have doubts about the bug description: "allows attackers to
perform a Denial of Service via a crafted script file." I don't think
we need a bug to do that.

-- Roberto