Bug 30016

Summary: lua, lua5.3 new security issues CVE-2021-43519, CVE-2022-28805, and CVE-2022-33099
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Jani Välimaa <jani.valimaa>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: jani.valimaa, mageia, nicolas.salguero
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: lua5.3-5.3.5-5.mga8.src.rpm, lua5.1-5.1.5-22.mga9.src.rpm
CVE:
Status comment: lua5.1 (Cauldron, mga8) and lua5.3 (mga8) need to be patched for CVE-2021-43519
Bug Depends on:
Bug Blocks: 29971

Description David Walser 2022-02-08 22:26:27 CET
Fedora has issued an advisory today (February 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C7XHFYHGSZKL53VCLSJSAJ6VMFGAIXKO/

The issue is fixed upstream in 5.3.6 and 5.4.4.

I'm not sure if 5.1.x or 5.2.x are affected.

Cauldron is affected (lua) and Mageia 8 is affected (lua5.3 at least).
David Walser 2022-02-08 22:26:51 CET

Whiteboard: (none) => MGA8TOO
CC: (none) => jani.valimaa
Blocks: (none) => 29971

Comment 1 Lewis Smith 2022-02-09 11:51:42 CET
Wally is clearly the maintainer of 'lua', so assigning thus.
But for 'lua5.3', it is down to NicolasL, CC'ing him. However, I cannot see it in Cauldron.

Assignee: bugsquad => jani.valimaa
CC: (none) => mageia

Comment 2 David Walser 2022-07-27 18:46:35 CEST
Fedora has issued an advisory on July 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RJNJ66IFDUKWJJZXHGOLRGIA3HWWC36R/

They patched two more issues in lua 5.4.x.

Summary: lua, lua5.3 new security issue CVE-2021-43519 => lua, lua5.3 new security issues CVE-2021-43519, CVE-2022-28805, and CVE-2022-33099

Comment 3 Jani Välimaa 2022-09-03 12:05:58 CEST
According to Debian, only lua 5.4 is affected by CVE-2022-28805 and CVE-2022-33099.

https://security-tracker.debian.org/tracker/CVE-2022-28805
https://security-tracker.debian.org/tracker/CVE-2022-33099

Lua 5.4 is currently only available in Cauldron and its lua-5.4.4-2.mga9 includes fixes for upstream reported bugs, including CVE-2021-43519, CVE-2022-28805, and CVE-2022-33099.

Comment 4 David Walser 2022-09-03 16:42:33 CEST
Yeah, I see Cauldron has been updated to 5.4.4. Does it also fix CVE-2021-44647?

Source RPM: lua-5.4.3-6.mga9.src.rpm, lua5.3-5.3.5-5.mga8.src.rpm => lua5.3-5.3.5-5.mga8.src.rpm, lua5.1-5.1.5-22.mga9.src.rpm

Comment 5 Jani Välimaa 2022-09-03 17:05:42 CEST
(In reply to David Walser from comment #4)
> Yeah I see Cauldron has been updated to 5.4.4.  Does it also fix
> CVE-2021-44647?
Yes, IINM the fix for CVE-2021-44647 is the same as https://www.lua.org/bugs.html#5.4.3-9 and is fixed in 5.4.4.

David Walser 2022-11-02 21:15:48 CET

Status comment: (none) => lua5.1 (Cauldron, mga8) and lua5.3 (mga8) need to be patched for CVE-2021-43519

Comment 6 Nicolas Salguero 2024-03-12 11:42:46 CET
Mageia 8 EOL.

Resolution: (none) => OLD
Whiteboard: MGA8TOO => (none)
Status: NEW => RESOLVED
Version: Cauldron => 8
CC: (none) => nicolas.salguero