Hi,

On Tue, 26 Aug 2025 at 08:02:16 +0200, Salvatore Bonaccorso wrote:
> Small remark, the target distribution needs to be bookworm for the
> point release update.

Oops right, thanks Salvatore! Attaching updated debdiff with the correct distribution (no other changes).

Cheers
-- 
Guilhem.
diffstat for luajit-2.1.0~beta3+git20220320+dfsg luajit-2.1.0~beta3+git20220320+dfsg

 changelog                    |   12 +++
 patches/CVE-2024-25176.patch |   27 +++++++
 patches/CVE-2024-25177.patch |   42 +++++++++++
 patches/CVE-2024-25178.patch |  163 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    3
 salsa-ci.yml                 |    9 ++
 6 files changed, 256 insertions(+)

diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog
--- luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog	2022-09-08 20:16:27.000000000 +0200
+++ luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog	2025-08-25 13:39:40.000000000 +0200
@@ -1,3 +1,15 @@
+luajit (2.1.0~beta3+git20220320+dfsg-4.1+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2024-25176: Stack-buffer-overflow in lj_strfmt_wfnum() in
+    lj_strfmt_num.c.
+  * Fix CVE-2024-25177: Unsinking of IR_FSTORE for NULL metatable, which leads
+    to Denial of Service.
+  * Fix CVE-2024-25178: Out-of-bounds read in the stack-overflow handler in
+    lj_state.c.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Mon, 25 Aug 2025 13:39:40 +0200
+
 luajit (2.1.0~beta3+git20220320+dfsg-4.1) unstable; urgency=medium
 
   * Non-maintainer upload
diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25176.patch luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25176.patch
--- luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25176.patch	1970-01-01 01:00:00.000000000 +0100
+++ luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25176.patch	2025-08-25 13:39:40.000000000 +0200
@@ -0,0 +1,27 @@
+From: Mike Pall <mike>
+Date: Thu, 25 Jan 2024 13:23:48 +0100
+Subject: Fix zero stripping in %g number formatting.
+
+Reported by pwnhacker0x18. #1149
+
+Origin: https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc
+Bug: https://github.com/LuaJIT/LuaJIT/issues/1149
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-25176
+---
+ src/lj_strfmt_num.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
+index 3c60695..4121489 100644
+--- a/src/lj_strfmt_num.c
++++ b/src/lj_strfmt_num.c
+@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
+         prec--;
+         if (!i) {
+           if (ndlo == ndhi) { prec = 0; break; }
+-          lj_strfmt_wuint9(tail, nd[++ndlo]);
++          ndlo = (ndlo + 1) & 0x3f;
++          lj_strfmt_wuint9(tail, nd[ndlo]);
+           i = 9;
+         }
+       }
diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25177.patch luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25177.patch
--- luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25177.patch	1970-01-01 01:00:00.000000000 +0100
+++ luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25177.patch	2025-08-25 13:39:40.000000000 +0200
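Review bot: The added `ndlo = (ndlo + 1) & 0x3f;` in lj_strfmt_wfnum wraps the digit index with a bare mask, and nothing in the hunk or in the DEP-3 header says what 0x3f is tied to, so a reader of this backport cannot tell whether it still matches the size of `nd[]` in the git20220320 snapshot (presumably a 64-entry buffer, which is what the mask assumes). Since the patch is a verbatim upstream backport the code itself should stay as is, but one sentence in the patch description would close the gap once it has been checked, e.g. `The 0x3f mask assumes nd[] has 64 entries; verified against src/lj_strfmt_num.c in this snapshot.`. The enclosing loop and lj_strfmt_wfnum itself continue outside the hunk.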
@@ -0,0 +1,42 @@
+From: Mike Pall <mike>
+Date: Tue, 23 Jan 2024 18:58:52 +0100
+Subject: Fix unsinking of IR_FSTORE for NULL metatable.
+
+Reported by pwnhacker0x18. #1147
+
+Origin: https://github.com/LuaJIT/LuaJIT/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f
+Bug: https://github.com/LuaJIT/LuaJIT/issues/1147
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-25177
+---
+ src/lj_snap.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lj_snap.c b/src/lj_snap.c
+index 4140fdb..d2c454c 100644
+--- a/src/lj_snap.c
++++ b/src/lj_snap.c
+@@ -453,6 +453,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir)
+   case IR_KNUM: case IR_KINT64:
+     return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64);
+   case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir));  /* Continuation. */
++  case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
+   default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL;
+   }
+ }
+@@ -882,9 +883,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex,
+   if (irk->o == IR_FREF) {
+     lj_assertJ(irk->op2 == IRFL_TAB_META,
+                "sunk store with bad field %d", irk->op2);
+-    snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
+-    /* NOBARRIER: The table is new (marked white). */
+-    setgcref(t->metatable, obj2gco(tabV(&tmp)));
++    if (T->ir[irs->op2].o == IR_KNULL) {
++      setgcrefnull(t->metatable);
++    } else {
++      snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
++      /* NOBARRIER: The table is new (marked white). */
++      setgcref(t->metatable, obj2gco(tabV(&tmp)));
++    }
+   } else {
+     irk = &T->ir[irk->op2];
+     if (irk->o == IR_KSLOT) irk = &T->ir[irk->op1];
diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25178.patch luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25178.patch
--- luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25178.patch	1970-01-01 01:00:00.000000000 +0100
+++ luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25178.patch	2025-08-25 13:39:40.000000000 +0200
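Review bot: The new branch `if (T->ir[irs->op2].o == IR_KNULL)` in snap_unsink has no comment saying why a NULL constant must bypass snap_restoreval; the only explanation is the patch Subject. Taken together with the companion `case IR_KNULL:` added to snap_replay_const, it looks like a sunk store of a NULL metatable previously had no representable value to restore, which is what the special case avoids — worth confirming against upstream #1147 before stating it. As the code is a verbatim backport I would put that sentence in the DEP-3 description rather than in the hunk, e.g. `A sunk IR_FSTORE of a NULL metatable has no TValue to restore; the reference is cleared directly instead of going through snap_restoreval.`. The else path still calls `tabV(&tmp)` without a type check, which is pre-existing and unchanged here. Both snap_replay_const and snap_unsink extend beyond the hunk.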
@@ -0,0 +1,163 @@
+From: Mike Pall <mike>
+Date: Sun, 4 Feb 2024 16:34:30 +0100
+Subject: Rework stack overflow handling.
+
+Reported by pwnhacker0x18. Fixed by Peter Cawley. #1152
+
+Origin: https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8
+Origin: https://github.com/LuaJIT/LuaJIT/commit/0d313b243194a0b8d2399d8b549ca5a0ff234db5
+Bug: https://github.com/LuaJIT/LuaJIT/issues/1152
+Bug-Debian_security: https://security-tracker.debian.org/tracker/CVE-2024-25178
+---
+ src/lj_debug.c |  1 +
+ src/lj_err.c   | 22 ++++++++++++++++++++--
+ src/lj_err.h   |  1 +
+ src/lj_state.c | 55 ++++++++++++++++++++++++++++++++++++++++++------------
+ 4 files changed, 64 insertions(+), 15 deletions(-)
+
+diff --git a/src/lj_debug.c b/src/lj_debug.c
+index 112f535..861fac6 100644
+--- a/src/lj_debug.c
++++ b/src/lj_debug.c
+@@ -64,6 +64,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
+     if (cf == NULL || (char *)cframe_pc(cf) == (char *)cframe_L(cf))
+       return NO_BCPOS;
+     ins = cframe_pc(cf);  /* Only happens during error/hook handling. */
++    if (!ins) return NO_BCPOS;
+   } else {
+     if (frame_islua(nextframe)) {
+       ins = frame_pc(nextframe);
+diff --git a/src/lj_err.c b/src/lj_err.c
+index 563c770..4d74f6d 100644
+--- a/src/lj_err.c
++++ b/src/lj_err.c
+@@ -777,6 +777,14 @@ LJ_NOINLINE void lj_err_mem(lua_State *L)
+ {
+   if (L->status == LUA_ERRERR+1)  /* Don't touch the stack during lua_open. */
+     lj_vm_unwind_c(L->cframe, LUA_ERRMEM);
++  if (curr_funcisL(L)) {
++    L->top = curr_topL(L);
++    if (LJ_UNLIKELY(L->top > tvref(L->maxstack))) {
++      /* The current Lua frame violates the stack. Replace it with a dummy. */
++      L->top = L->base;
++      setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD);
++    }
++  }
+   setstrV(L, L->top++, lj_err_str(L, LJ_ERR_ERRMEM));
+   lj_err_throw(L, LUA_ERRMEM);
+ }
+@@ -837,9 +845,11 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_run(lua_State *L)
+ {
+   ptrdiff_t ef = (LJ_HASJIT && tvref(G(L)->jit_base)) ? 0 : finderrfunc(L);
+   if (ef) {
+-    TValue *errfunc = restorestack(L, ef);
+-    TValue *top = L->top;
++    TValue *errfunc, *top;
++    lj_state_checkstack(L, LUA_MINSTACK * 2);  /* Might raise new error. */
+     lj_trace_abort(G(L));
++    errfunc = restorestack(L, ef);
++    top = L->top;
+     if (!tvisfunc(errfunc) || L->status == LUA_ERRERR) {
+       setstrV(L, top-1, lj_err_str(L, LJ_ERR_ERRERR));
+       lj_err_throw(L, LUA_ERRERR);
+@@ -855,6 +865,7 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_run(lua_State *L)
+ }
+ 
+ #if LJ_HASJIT
++/* Rethrow error after doing a trace exit. */
+ LJ_NOINLINE void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode)
+ {
+   if (errcode == LUA_ERRRUN)
+@@ -864,6 +875,13 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode)
+ }
+ #endif
+ 
++/* Stack overflow error. */
++void LJ_FASTCALL lj_err_stkov(lua_State *L)
++{
++  lj_debug_addloc(L, err2msg(LJ_ERR_STKOV), L->base-1, NULL);
++  lj_err_run(L);
++}
++
+ /* Formatted runtime error message. */
+ LJ_NORET LJ_NOINLINE static void err_msgv(lua_State *L, ErrMsg em, ...)
+ {
+diff --git a/src/lj_err.h b/src/lj_err.h
+index bd4de9a..a3aaa75 100644
+--- a/src/lj_err.h
++++ b/src/lj_err.h
+@@ -23,6 +23,7 @@ LJ_DATA const char *lj_err_allmsg;
+ LJ_FUNC GCstr *lj_err_str(lua_State *L, ErrMsg em);
+ LJ_FUNCA_NORET void LJ_FASTCALL lj_err_throw(lua_State *L, int errcode);
+ LJ_FUNC_NORET void lj_err_mem(lua_State *L);
++LJ_FUNC_NORET void LJ_FASTCALL lj_err_stkov(lua_State *L);
+ LJ_FUNC_NORET void LJ_FASTCALL lj_err_run(lua_State *L);
+ #if LJ_HASJIT
+ LJ_FUNCA_NORET void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode);
+diff --git a/src/lj_state.c b/src/lj_state.c
+index 0b9c46b..c870aae 100644
+--- a/src/lj_state.c
++++ b/src/lj_state.c
+@@ -102,20 +102,49 @@ void lj_state_shrinkstack(lua_State *L, MSize used)
+ /* Try to grow stack. */
+ void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
+ {
+-  MSize n;
+-  if (L->stacksize > LJ_STACK_MAXEX)  /* Overflow while handling overflow? */
+-    lj_err_throw(L, LUA_ERRERR);
+-  n = L->stacksize + need;
+-  if (n > LJ_STACK_MAX) {
+-    n += 2*LUA_MINSTACK;
+-  } else if (n < 2*L->stacksize) {
+-    n = 2*L->stacksize;
+-    if (n >= LJ_STACK_MAX)
+-      n = LJ_STACK_MAX;
++  MSize n = L->stacksize + need;
++  if (LJ_LIKELY(n < LJ_STACK_MAX)) {  /* The stack can grow as requested. */
++    if (n < 2 * L->stacksize) {  /* Try to double the size. */
++      n = 2 * L->stacksize;
++      if (n > LJ_STACK_MAX)
++        n = LJ_STACK_MAX;
++    }
++    resizestack(L, n);
++  } else {  /* Request would overflow. Raise a stack overflow error. */
++    if (LJ_HASJIT) {
++      TValue *base = tvref(G(L)->jit_base);
++      if (base) L->base = base;
++    }
++    if (curr_funcisL(L)) {
++      L->top = curr_topL(L);
++      if (L->top > tvref(L->maxstack)) {
++        /* The current Lua frame violates the stack, so replace it with a
++        ** dummy. This can happen when BC_IFUNCF is trying to grow the stack.
++        */
++        L->top = L->base;
++        setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD);
++      }
++    }
++    if (L->stacksize <= LJ_STACK_MAXEX) {
++      /* An error handler might want to inspect the stack overflow error, but
++      ** will need some stack space to run in. We give it a stack size beyond
++      ** the normal limit in order to do so, then rely on lj_state_relimitstack
++      ** calls during unwinding to bring us back to a convential stack size.
++      ** The + 1 is space for the error message, and 2 * LUA_MINSTACK is for
++      ** the lj_state_checkstack() call in lj_err_run().
++      */
++      resizestack(L, LJ_STACK_MAX + 1 + 2 * LUA_MINSTACK);
++      lj_err_stkov(L);  /* May invoke an error handler. */
++    } else {
++      /* If we're here, then the stack overflow error handler is requesting
++      ** to grow the stack even further. We have no choice but to abort the
++      ** error handler.
++      */
++      GCstr *em = lj_err_str(L, LJ_ERR_STKOV);  /* Might OOM. */
++      setstrV(L, L->top++, em);  /* There is always space to push an error. */
++      lj_err_throw(L, LUA_ERRERR);  /* Does not invoke an error handler. */
++    }
+   }
+-  resizestack(L, n);
+-  if (L->stacksize > LJ_STACK_MAXEX)
+-    lj_err_msg(L, LJ_ERR_STKOV);
+ }
+ 
+ void LJ_FASTCALL lj_state_growstack1(lua_State *L)
diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/series luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/series
--- luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/series	2022-09-08 20:16:27.000000000 +0200
+++ luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/series	2025-08-25 13:39:40.000000000 +0200
@@ -1,3 +1,6 @@
 0001-consider-Hurd-as-a-POSIX-system.patch
 0002-Enable-debugging-symbols-in-the-build.patch
 0003-Get-rid-of-LUAJIT_VERSION_SYM-that-changes-ABI-on-ev.patch
+CVE-2024-25176.patch
+CVE-2024-25177.patch
+CVE-2024-25178.patch
diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/salsa-ci.yml luajit-2.1.0~beta3+git20220320+dfsg/debian/salsa-ci.yml
--- luajit-2.1.0~beta3+git20220320+dfsg/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ luajit-2.1.0~beta3+git20220320+dfsg/debian/salsa-ci.yml	2025-08-25 13:39:40.000000000 +0200
@@ -0,0 +1,9 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'bookworm'
+  SALSA_CI_DISABLE_LINTIAN: 1
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_BLHC: 1
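Review bot: The DEP-3 header of this patch reads `Bug-Debian_security:` with an underscore, whereas the two sibling patches use `Bug-Debian-Security:`; anything that parses the header by field name would miss this one, so it should read `Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-25178`. The patch also folds two upstream commits under two `Origin:` lines without saying which hunks come from the second (0d313b243194a0b8d2399d8b549ca5a0ff234db5); one sentence in the description naming it as the follow-up would help whoever next rebases the patch. In the lj_state.c hunk the new `MSize n = L->stacksize + need;` is guarded only by `n < LJ_STACK_MAX`, so a `need` large enough to wrap the unsigned sum would still take the grow path; this is inherited from the removed code and presumably relies on callers bounding `need`, but it is worth stating if it was considered. lj_state_growstack is shown in full; debug_framepc, lj_err_mem and lj_err_run continue outside their hunks.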
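Review bot: The `include:` entry fetches the pipeline recipe from the `master` branch of salsa-ci-team/pipeline, so every CI run executes whatever that branch holds at the time rather than a reviewed revision; for a security update it is worth pinning to a tagged recipe revision, or at least recording why the floating reference is acceptable here. The three `SALSA_CI_DISABLE_*` variables switch off lintian, reprotest and blhc with no stated reason; a comment such as `# lintian/reprotest/blhc disabled: <reason>` above the block would tell the next uploader whether they can be re-enabled. `RELEASE: 'bookworm'` is consistent with the changelog target.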