- Subject: Re: CVE-2021-43519
- From: Roberto Ierusalimschy <roberto@...>
- Date: Mon, 26 Jun 2023 11:51:03 -0300
> Is the range of affected versions from the CVE description incorrect? If so
> could you please confirm that only v5.4.2 and v5.4.3 are affected, and that the
> vulnerability was introduced by the aforementioned 287b302a?

Except for 5.4, I only tested the current releases of each version.
I got the same results as you: Lua 5.0.3 crashed (but from another bug),
5.1.5, 5.2.4, and 5.3.6 work correctly. 5.4.0, 5.4.1, 5.4.4, and 5.4.6
also work correctly. The bug probably was introduced in 287b302a; that
is easy to check (but I didn't).

I also have doubts about the bug description: "allows attackers to
perform a Denial of Service via a crafted script file." I don't think
we need a bug to do that.

-- Roberto