Amazon Linux 2022 Security Advisory: ALAS-2022-176
Advisory Release Date: 2022-11-01 21:24 Pacific
Advisory Updated Date: 2022-11-03 21:01 Pacific
A stack overflow issue was discovered in Lua in the lua_resume() function of ldo.c. This flaw allows a local attacker to pass a specially crafted file to the Lua Interpreter, causing a crash that leads to a denial of service. (CVE-2021-43519)
A flaw was found in Lua. During error handling for __close metamethods, a segmentation fault (SEGV) can occur in the funcnamefromcode() function in ldebug.c. This flaw allows an attacker to cause a denial of service. (CVE-2021-44647)
A heap-based buffer over-read vulnerability was found in the Lua parser (lparser.c). The flaw is triggered while compiling Lua code, so a system that compiles untrusted Lua code can be affected. (CVE-2022-28805)
A vulnerability was found in Lua. During error handling, the luaG_errormsg() component uses slots from EXTRA_STACK. Some errors can recur, such as a string overflow while creating an error message in luaG_runerror, or a C-stack overflow before calling the message handler, causing a crash that leads to a denial of service. (CVE-2022-33099)
Affected Packages:
lua
Issue Correction:
Run dnf update lua --releasever=2022.0.20221102 to update your system. After updating, confirm that the installed lua packages are at version 5.4.4-3.amzn2022.0.1 or later (for example with rpm -q lua lua-libs).
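The following is an added verification script, not part of the advisory or of the Amazon Linux tooling. It checks whether the installed lua packages are at or above the fixed version listed in this advisory. Because a plain string comparison gets RPM versions wrong (for example, release 10 sorts before release 3 as text), it implements the segment-wise comparison that rpm's rpmvercmp() uses and compares epoch, version and release in that order. The rpm query format string and the package name list are assumptions based on the package list below; the sample EVR strings in the comments are constructed for illustration.

```python
import re
import shutil
import subprocess

# Fixed EVR (epoch:version-release) from this advisory; epoch 0 is implicit.
FIXED_EVR = "5.4.4-3.amzn2022.0.1"

# Binary packages from the advisory that an installed system may carry
# (debuginfo/debugsource packages are normally not installed).
AFFECTED_PACKAGES = ["lua", "lua-libs", "lua-devel", "lua-static"]

# rpmvercmp() tokenises on runs of digits, runs of letters, and the
# pre-release marker '~'; every other character is a separator and ignored.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings like rpmvercmp().

    Returns -1, 0 or 1. Numeric segments compare numerically (so 10 > 3),
    alphabetic segments compare lexically, a numeric segment is newer than
    an alphabetic one, '~' sorts before anything (1.0~rc1 < 1.0), and when
    one string runs out of segments the longer one is newer.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum and ynum:
            xi, yi = int(x), int(y)
            c = (xi > yi) - (xi < yi)
        elif xnum != ynum:
            c = 1 if xnum else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    # All shared segments equal: leftover segments decide.
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]
    if rest_a:
        return -1 if rest_a[0] == "~" else 1
    if rest_b:
        return 1 if rest_b[0] == "~" else -1
    return 0


def parse_evr(evr: str):
    """Split 'epoch:version-release' into its parts; a missing epoch is 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
        if epoch == "(none)":      # rpm prints this when no epoch is set
            epoch = "0"
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True if the installed EVR is at or above the advisory's fixed EVR."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def installed_evrs(name: str):
    """Query rpm for every installed instance of a package (multilib may give
    more than one). Returns [] when rpm is absent or the package is not installed."""
    if shutil.which("rpm") is None:
        return []
    r = subprocess.run(
        ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", name],
        capture_output=True, text=True,
    )
    if r.returncode != 0:
        return []
    return [line.strip() for line in r.stdout.splitlines() if line.strip()]


def audit(packages=AFFECTED_PACKAGES):
    """Return {package: [(evr, patched), ...]} for installed affected packages."""
    return {p: [(evr, is_patched(evr)) for evr in installed_evrs(p)] for p in packages}


if __name__ == "__main__":
    for pkg, results in audit().items():
        if not results:
            print(f"{pkg}: not installed")
        for evr, ok in results:
            print(f"{pkg}-{evr}: {'OK' if ok else 'VULNERABLE (update needed)'}")
```

Run it as root or any user on the host (rpm -q needs no privileges). A package that is not installed is reported rather than silently skipped, so the output also tells you which of the advisory's packages are present at all.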
aarch64:
lua-libs-debuginfo-5.4.4-3.amzn2022.0.1.aarch64
lua-5.4.4-3.amzn2022.0.1.aarch64
lua-static-5.4.4-3.amzn2022.0.1.aarch64
lua-libs-5.4.4-3.amzn2022.0.1.aarch64
lua-devel-5.4.4-3.amzn2022.0.1.aarch64
lua-debuginfo-5.4.4-3.amzn2022.0.1.aarch64
lua-debugsource-5.4.4-3.amzn2022.0.1.aarch64
src:
lua-5.4.4-3.amzn2022.0.1.src
x86_64:
lua-libs-debuginfo-5.4.4-3.amzn2022.0.1.x86_64
lua-debugsource-5.4.4-3.amzn2022.0.1.x86_64
lua-libs-5.4.4-3.amzn2022.0.1.x86_64
lua-debuginfo-5.4.4-3.amzn2022.0.1.x86_64
lua-static-5.4.4-3.amzn2022.0.1.x86_64
lua-devel-5.4.4-3.amzn2022.0.1.x86_64
lua-5.4.4-3.amzn2022.0.1.x86_64