Summary
A heap-based overflow vulnerability was found in the way Lua, a simple, extensible, embeddable programming language, handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 5.2.1-3+deb7u1.
For the testing distribution (jessie), this problem has been fixed in version 5.2.3-1.
For the unstable distribution (sid), this problem has been fixed in version 5.2.3-1.
We recommend that you upgrade your lua5.2 packages.
Insight
Lua is a powerful, light-weight programming language designed for extending applications. The language engine is accessible as a library, having a C API which allows the application to exchange data with Lua programs and also to extend Lua with C functions. Lua is also used as a general-purpose, stand-alone language through the simple command line interpreter provided.
Affected
lua5.2 on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-5461 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:N/I:N/A:P
Related Vulnerabilities