CVE-2022-28805

Name	CVE-2022-28805
Description	singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1010265

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
lua5.1 (PTS)	jessie	5.1.5-7.1	fixed
	buster, bullseye, stretch	5.1.5-8.1	fixed
	sid, trixie, bookworm	5.1.5-9	fixed
lua5.2 (PTS)	jessie	5.2.3-1.1	fixed
	buster, bullseye, stretch	5.2.4-1.1	fixed
	sid, trixie, bookworm	5.2.4-3	fixed
lua5.3 (PTS)	stretch (security)	5.3.3-1+deb9u1	fixed
	stretch (lts), stretch	5.3.3-1+deb9u2	fixed
	buster (security), buster, buster (lts)	5.3.3-1.1+deb10u1	fixed
	bullseye	5.3.3-1.1+deb11u1	fixed
	sid, trixie, bookworm	5.3.6-2	fixed
lua5.4 (PTS)	bullseye	5.4.2-2	vulnerable
	bookworm	5.4.4-3+deb12u1	fixed
	trixie	5.4.6-3	fixed
	sid	5.4.7-1	fixed
lua50 (PTS)	jessie	5.0.3-7	fixed
	buster, stretch	5.0.3-8	fixed
	bullseye	5.0.3-8.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
lua5.1	source	(unstable)	(not affected)
lua5.2	source	(unstable)	(not affected)
lua5.3	source	(unstable)	(not affected)
lua5.4	source	(unstable)	5.4.4-2	1010265
lua50	source	(unstable)	(not affected)

Notes

[bullseye] - lua5.4 <no-dsa> (Minor issue)
- lua5.3 <not-affected> (Specific to 5.4, see #1010265)
- lua5.2 <not-affected> (Specific to 5.4, see #1010265)
- lua5.1 <not-affected> (Specific to 5.4, see #1010265)
- lua50 <not-affected> (Specific to 5.4, see #1010265)
https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
http://lua-users.org/lists/lua-l/2022-02/msg00001.html
http://lua-users.org/lists/lua-l/2022-02/msg00070.html