-------------------------------------------------------------------------
Debian LTS Advisory DLA-4283-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
August 25, 2025                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : luajit
Version        : 2.1.0~beta3+dfsg-5.3+deb11u1
CVE ID         : CVE-2019-19391 CVE-2020-15890 CVE-2020-24372 CVE-2024-25176
                 CVE-2024-25177 CVE-2024-25178
Debian Bug     : 946053 966148

Multiple vulnerabilities were found in luajit, a just-in-time compiler
for the Lua programming language, which could lead to denial of service.

CVE-2019-19391

    It was discovered that debug.getinfo() has a type confusion issue
    that leads to arbitrary memory write or read operations, because
    certain cases involving valid stack levels and `>` options are
    mishandled.

    NOTE: The LuaJIT project owner disputes the vulnerability and states
    that the debug library is unsafe by design.

CVE-2020-15890

    Yongheng Chen discovered an out-of-bounds read because `__gc`
    handler frame traversal is mishandled.

CVE-2020-24372

    Yongheng Chen discovered an out-of-bounds read in lj_err_run().

CVE-2024-25176

    Kutyavin Maxim discovered a stack-buffer-overflow in
    lj_strfmt_wfnum().

CVE-2024-25177

    Kutyavin Maxim discovered an unsinking of IR_FSTORE for NULL
    metatable.

CVE-2024-25178

    Kutyavin Maxim discovered an out-of-bounds read in the
    stack-overflow handler.

For Debian 11 bullseye, these problems have been fixed in version
2.1.0~beta3+dfsg-5.3+deb11u1.
We recommend that you upgrade your luajit packages.
For the detailed security status of luajit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/luajit
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS