30016 – lua, lua5.3 new security issues CVE-2021-43519, CVE-2022-28805, and CVE-2022-33099

Bug 30016 - lua, lua5.3 new security issues CVE-2021-43519, CVE-2022-28805, and CVE-2022-33099

Summary: lua, lua5.3 new security issues CVE-2021-43519, CVE-2022-28805, and CVE-2022-...

Status:	RESOLVED OLD

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	Jani Välimaa
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	29971
	Show dependency tree / graph

Reported:	2022-02-08 22:26 CET by David Walser
Modified:	2024-03-12 11:42 CET (History)
CC List:	3 users (show)

See Also:
Source RPM:	lua5.3-5.3.5-5.mga8.src.rpm, lua5.1-5.1.5-22.mga9.src.rpm
CVE:
Status comment:	lua5.1 (Cauldron, mga8) and lua5.3 (mga8) needs patched for CVE-2021-43519

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-02-08 22:26:27 CET

Fedora has issued an advisory today (February 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C7XHFYHGSZKL53VCLSJSAJ6VMFGAIXKO/

The issue is fixed upstream in 5.3.6 and 5.4.4.

I'm not sure if 5.1.x or 5.2.x are affected.

Cauldron is affected (lua) and Mageia 8 is affected (lua5.3 at least).

David Walser 2022-02-08 22:26:51 CET

Whiteboard: (none) => MGA8TOO
CC: (none) => jani.valimaa
Blocks: (none) => 29971

Comment 1 Lewis Smith 2022-02-09 11:51:42 CET

Wally is clearly the maintainer of 'lua', so assigning thus.
But for 'lua5.3', it is down to NicolasL, CC'ing him. However, I cannot see it in Cauldron.

Assignee: bugsquad => jani.valimaa
CC: (none) => mageia

Comment 2 David Walser 2022-07-27 18:46:35 CEST

Fedora has issued an advisory on July 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RJNJ66IFDUKWJJZXHGOLRGIA3HWWC36R/

They patched two more issues in lua 5.4.x.

Summary: lua, lua5.3 new security issue CVE-2021-43519 => lua, lua5.3 new security issues CVE-2021-43519, CVE-2022-28805, and CVE-2022-33099

Comment 3 Jani Välimaa 2022-09-03 12:05:58 CEST

According to Debian only lua 5.4 is affected to CVE-2022-28805 and CVE-2022-33099.

https://security-tracker.debian.org/tracker/CVE-2022-28805
https://security-tracker.debian.org/tracker/CVE-2022-33099

Lua 5.4 is currently only available in Cauldron and its lua-5.4.4-2.mga9 includes fixes for upstream reported bugs, including CVE-2021-43519, CVE-2022-28805, and CVE-2022-33099.

Comment 4 David Walser 2022-09-03 16:42:33 CEST

Yeah I see Cauldron has been updated to 5.4.4.  Does it also fix CVE-2021-44647?

Source RPM: lua-5.4.3-6.mga9.src.rpm, lua5.3-5.3.5-5.mga8.src.rpm => lua5.3-5.3.5-5.mga8.src.rpm, lua5.1-5.1.5-22.mga9.src.rpm

Comment 5 Jani Välimaa 2022-09-03 17:05:42 CEST

(In reply to David Walser from comment #4)
> Yeah I see Cauldron has been updated to 5.4.4.  Does it also fix
> CVE-2021-44647?
Yes, IINM fix for CVE-2021-44647 is the same as https://www.lua.org/bugs.html#5.4.3-9 and is fixed in 5.4.4.

David Walser 2022-11-02 21:15:48 CET

Status comment: (none) => lua5.1 (Cauldron, mga8) and lua5.3 (mga8) needs patched for CVE-2021-43519

Comment 6 Nicolas Salguero 2024-03-12 11:42:46 CET

Mageia 8 EOL.

Resolution: (none) => OLD
Whiteboard: MGA8TOO => (none)
Status: NEW => RESOLVED
Version: Cauldron => 8
CC: (none) => nicolas.salguero

Note You need to log in before you can comment on or make changes to this bug.