| Package | luajit |
|---|---|
| Version | 2.1.0~beta3+dfsg-5.1+deb10u1 (buster) |
| Related CVEs | CVE-2019-19391 CVE-2020-15890 CVE-2020-24372 CVE-2024-25176 CVE-2024-25177 CVE-2024-25178 |

- CVE-2019-19391

  It was discovered that `debug.getinfo()` has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and `>` options are mishandled. Note: The LuaJIT project owner disputes the vulnerability and states that the debug library is unsafe by design.

- CVE-2020-15890

  Yongheng Chen discovered an out-of-bounds read because `__gc` handler frame traversal is mishandled.

- CVE-2020-24372

  Yongheng Chen discovered an out-of-bounds read in `lj_err_run()`.

- CVE-2024-25176

  Kutyavin Maxim discovered a stack-buffer-overflow in `lj_strfmt_wfnum()`.

- CVE-2024-25177

  Kutyavin Maxim discovered an unsinking of `IR_FSTORE` for `NULL` metatable.

- CVE-2024-25178

  Kutyavin Maxim discovered an out-of-bounds read in the stack-overflow handler.

For Debian 10 buster, these problems have been fixed in version 2.1.0~beta3+dfsg-5.1+deb10u1.
We recommend that you upgrade your luajit packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.