ALAS-2024-533

2024-05-09: CVE-2022-33099 was added to this advisory.

In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. (CVE-2021-45985)

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs. (CVE-2022-33099)

aarch64:
    lua-libs-debuginfo-5.4.4-3.amzn2023.0.2.aarch64
    lua-libs-5.4.4-3.amzn2023.0.2.aarch64
    lua-devel-5.4.4-3.amzn2023.0.2.aarch64
    lua-static-5.4.4-3.amzn2023.0.2.aarch64
    lua-5.4.4-3.amzn2023.0.2.aarch64
    lua-debuginfo-5.4.4-3.amzn2023.0.2.aarch64
    lua-debugsource-5.4.4-3.amzn2023.0.2.aarch64

src:
    lua-5.4.4-3.amzn2023.0.2.src

x86_64:
    lua-libs-debuginfo-5.4.4-3.amzn2023.0.2.x86_64
    lua-static-5.4.4-3.amzn2023.0.2.x86_64
    lua-devel-5.4.4-3.amzn2023.0.2.x86_64
    lua-5.4.4-3.amzn2023.0.2.x86_64
    lua-debugsource-5.4.4-3.amzn2023.0.2.x86_64
    lua-libs-5.4.4-3.amzn2023.0.2.x86_64
    lua-debuginfo-5.4.4-3.amzn2023.0.2.x86_64