ALAS2022-2022-176


Amazon Linux 2022 Security Advisory: ALAS-2022-176
Advisory Release Date: 2022-11-01 21:24 Pacific
Advisory Updated Date: 2022-11-03 21:01 Pacific
Severity: Medium

Issue Overview:

A stack overflow issue was discovered in Lua in the lua_resume() function of ldo.c. This flaw allows a local attacker to pass a specially crafted script file to the Lua interpreter, causing a crash that leads to a denial of service. (CVE-2021-43519)

A flaw was found in Lua. A SEGV crash in the funcnamefromcode() function in ldebug.c occurs during error handling in __close metamethods. This flaw allows an attacker to cause a denial of service. (CVE-2021-44647)

A heap buffer-overflow vulnerability was found in Lua. The flaw is in lparser.c and is reached while compiling Lua source, so a system that compiles untrusted Lua code can be made to read past a heap buffer, resulting in a crash or other malicious activity. (CVE-2022-28805)

A vulnerability was found in Lua. During error handling, the luaG_errormsg() component uses slots from EXTRA_STACK. Some errors can recur, such as a string overflow while creating an error message in luaG_runerror, or a C-stack overflow before calling the message handler, causing a crash that leads to a denial of service. (CVE-2022-33099)


Affected Packages:

lua


Issue Correction:
Run dnf update lua --releasever=2022.0.20221102 to update your system.

New Packages:
aarch64:
    lua-libs-debuginfo-5.4.4-3.amzn2022.0.1.aarch64
    lua-5.4.4-3.amzn2022.0.1.aarch64
    lua-static-5.4.4-3.amzn2022.0.1.aarch64
    lua-libs-5.4.4-3.amzn2022.0.1.aarch64
    lua-devel-5.4.4-3.amzn2022.0.1.aarch64
    lua-debuginfo-5.4.4-3.amzn2022.0.1.aarch64
    lua-debugsource-5.4.4-3.amzn2022.0.1.aarch64

src:
    lua-5.4.4-3.amzn2022.0.1.src

x86_64:
    lua-libs-debuginfo-5.4.4-3.amzn2022.0.1.x86_64
    lua-debugsource-5.4.4-3.amzn2022.0.1.x86_64
    lua-libs-5.4.4-3.amzn2022.0.1.x86_64
    lua-debuginfo-5.4.4-3.amzn2022.0.1.x86_64
    lua-static-5.4.4-3.amzn2022.0.1.x86_64
    lua-devel-5.4.4-3.amzn2022.0.1.x86_64
    lua-5.4.4-3.amzn2022.0.1.x86_64
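To confirm that the update from the Issue Correction step actually landed the versions listed above, the installed EVR (epoch:version-release) of lua has to be compared with the fixed EVR using rpm's ordering rules, not plain string comparison (a release of "10.amzn2022.0.1" sorts after "3.amzn2022.0.1" under rpm but before it as a string). The script below is an added example, not part of this advisory or of the Amazon Linux tooling. It implements a simplified rpmvercmp (numeric and alphabetic segments and the "~" pre-release marker; the "^" marker is not handled), takes the fixed version from the New Packages list above, and assumes an rpm binary on PATH when run as a script; the comparison functions themselves run offline.

```python
import re
import subprocess
from itertools import zip_longest

# Fixed EVR from the New Packages list of ALAS-2022-176 (no epoch on this package).
FIXED = {"lua": "5.4.4-3.amzn2022.0.1"}

# rpmvercmp segments: runs of digits, runs of letters, and the "~" marker.
# Separators such as "." and "_" are dropped. "^" is not handled (simplification).
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two version or release strings like rpm does."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        # "~" sorts before anything, including the end of the string (1.0~rc1 < 1.0).
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        # A string that has run out of segments is older, unless the other one is "~".
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))  # numeric, so 10 > 9
        elif x.isdigit():
            c = 1  # a numeric segment is newer than an alphabetic one
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)  # plain lexical order for alpha segments
        if c:
            return c
    return 0


def parse_evr(evr):
    """Split 'epoch:version-release' (epoch and release optional) into a tuple."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)  # rpm prints (none) for no epoch
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def is_patched(installed_evr, fixed_evr):
    """True when the installed EVR is the fixed one or newer."""
    return evr_cmp(installed_evr, fixed_evr) >= 0


def installed_evr(pkg):
    """Query rpm for the installed EVR of pkg; None if rpm is absent or pkg is not installed."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", pkg],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    if out.returncode != 0:
        return None
    return out.stdout.strip().splitlines()[0]  # first entry if several versions are installed


if __name__ == "__main__":
    for pkg, fixed in FIXED.items():
        have = installed_evr(pkg)
        if have is None:
            print(f"{pkg}: not installed (or rpm unavailable)")
        else:
            state = "patched" if is_patched(have, fixed) else "VULNERABLE"
            print(f"{pkg}: installed {have}, fixed {fixed}: {state}")
```

The script only checks the lua package family from this advisory; add further package names and fixed EVRs to FIXED to reuse it for other ALAS entries, or feed `installed_evr()` with the output of `rpm -qa` on hosts where dnf history is unavailable.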