CVE-2020-24370 — Integer Underflow (Wrap or Wraparound) in Lua5.3

CWE-191 — Integer Underflow (Wrap or Wraparound)CWE-682 — Incorrect Calculation7 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

2.0%

top 16.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Lua5.3 Debian Lua5.4 Debian Linux +5 more

Timeline

PublishedAug 17

Latest updateMay 24

Description

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

▶debiandebian/lua5.3< lua5.3 5.3.6-1 (bookworm)

▶debiandebian/lua5.4< lua5.3 5.3.6-1 (bookworm)

▶NVDlua/lua11 versions+10

▶msrcmsrc/azure_linux_3.0_arm

▶msrcmsrc/azure_linux_3.0_x64

Also affects: Debian Linux 9.0, Fedora 31, 32

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-gfr4-c37g-mm3v: ldebug↗2022-05-24

▶

OSV

CVE-2020-24370: ldebug↗2020-08-17

▶

📋Vendor Advisories

Microsoft

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal as demonstrated by getlocal(32^31).↗2020-08-11

▶

Red Hat

lua: segmentation fault in getlocal and setlocal functions in ldebug.c↗2020-07-24

▶

Debian

CVE-2020-24370: lua5.3 - ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlo...↗2020

▶

💬Community

Bugzilla

CVE-2020-24370 lua: segmentation fault in getlocal and setlocal functions in ldebug.c↗2020-08-19

▶