Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1112074,
regarding bookworm-pu: package luajit/2.1.0~beta3+git20220320+dfsg-4.1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1112074: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112074
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package luajit/2.1.0~beta3+git20220320+dfsg-4.1+deb12u1
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Mon, 25 Aug 2025 23:59:29 +0200
- Message-id: <aKzcwZmRkl5TAVfi@debian.org>
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: luajit@packages.debian.org, security@debian.org
Control: affects -1 + src:luajit
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

Fix <no-dsa> security issues CVE-2024-2517[6-8].

[ Impact ]

Users will remain vulnerable to the aforementioned issues. Upgrading
users might regress as the issues are now fixed in Bullseye LTS.

[ Tests ]

1. Manual tests using the PoC found in the upstream issues.
2. Manual run of openresty's test suites using snapshots from spring 2022
   https://github.com/openresty/luajit2/tree/v2.1-20220309/t
   https://github.com/openresty/luajit2-test-suite/tree/908732e0a9a9b4bc7c327210a52272a570f47323

[ Risks ]

Low risks; upstream uses a rolling release model but patches were merged
to the v2.1 branch and apply cleanly.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * Fix CVE-2024-25176: Stack-buffer-overflow in lj_strfmt_wfnum() in
    lj_strfmt_num.c.
  * Fix CVE-2024-25177: Unsinking of IR_FSTORE for NULL metatable, which
    leads to Denial of Service.
  * Fix CVE-2024-25178: Out-of-bounds read in the stack-overflow handler in
    lj_state.c.

[ Other info ]

Tag and individual commits can be found at the LTS team fork:
https://salsa.debian.org/lts-team/packages/luajit/-/tree/debian/bookworm?ref_type=heads

--
Guilhem.

diffstat for luajit-2.1.0~beta3+git20220320+dfsg luajit-2.1.0~beta3+git20220320+dfsg

 changelog                    |   12 +++
 patches/CVE-2024-25176.patch |   27 +++++++
 patches/CVE-2024-25177.patch |   42 +++++++++++
 patches/CVE-2024-25178.patch |  163 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    3
 salsa-ci.yml                 |    9 ++
 6 files changed, 256 insertions(+)

diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog --- luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog 2022-09-08 20:16:27.000000000 +0200 +++ luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog 2025-08-25 13:39:40.000000000 +0200 @@ -1,3 +1,15 @@ +luajit (2.1.0~beta3+git20220320+dfsg-4.1+deb12u1) bookworm-security; urgency=high + + * Non-maintainer upload. + * Fix CVE-2024-25176: Stack-buffer-overflow in lj_strfmt_wfnum() in + lj_strfmt_num.c. + * Fix CVE-2024-25177: Unsinking of IR_FSTORE for NULL metatable, which leads + to Denial of Service. + * Fix CVE-2024-25178: Out-of-bounds read in the stack-overflow handler in + lj_state.c. + + -- Guilhem Moulin <guilhem@debian.org> Mon, 25 Aug 2025 13:39:40 +0200 + luajit (2.1.0~beta3+git20220320+dfsg-4.1) unstable; urgency=medium * Non-maintainer upload diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25176.patch luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25176.patch --- luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25176.patch 1970-01-01 01:00:00.000000000 +0100 +++ luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25176.patch 2025-08-25 13:39:40.000000000 +0200 
@@ -0,0 +1,27 @@ +From: Mike Pall <mike> +Date: Thu, 25 Jan 2024 13:23:48 +0100 +Subject: Fix zero stripping in %g number formatting. + +Reported by pwnhacker0x18. #1149 + +Origin: https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc +Bug: https://github.com/LuaJIT/LuaJIT/issues/1149 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-25176 +--- + src/lj_strfmt_num.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c +index 3c60695..4121489 100644 +--- a/src/lj_strfmt_num.c ++++ b/src/lj_strfmt_num.c +@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p) + prec--; + if (!i) { + if (ndlo == ndhi) { prec = 0; break; } +- lj_strfmt_wuint9(tail, nd[++ndlo]); ++ ndlo = (ndlo + 1) & 0x3f; ++ lj_strfmt_wuint9(tail, nd[ndlo]); + i = 9; + } + } diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25177.patch luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25177.patch --- luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25177.patch 1970-01-01 01:00:00.000000000 +0100 +++ luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25177.patch 2025-08-25 13:39:40.000000000 +0200 
@@ -0,0 +1,42 @@ +From: Mike Pall <mike> +Date: Tue, 23 Jan 2024 18:58:52 +0100 +Subject: Fix unsinking of IR_FSTORE for NULL metatable. + +Reported by pwnhacker0x18. #1147 + +Origin: https://github.com/LuaJIT/LuaJIT/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f +Bug: https://github.com/LuaJIT/LuaJIT/issues/1147 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-25177 +--- + src/lj_snap.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/lj_snap.c b/src/lj_snap.c +index 4140fdb..d2c454c 100644 +--- a/src/lj_snap.c ++++ b/src/lj_snap.c +@@ -453,6 +453,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir) + case IR_KNUM: case IR_KINT64: + return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64); + case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir)); /* Continuation. */ ++ case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t)); + default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL; + } + } +@@ -882,9 +883,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex, + if (irk->o == IR_FREF) { + lj_assertJ(irk->op2 == IRFL_TAB_META, + "sunk store with bad field %d", irk->op2); +- snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp); +- /* NOBARRIER: The table is new (marked white). */ +- setgcref(t->metatable, obj2gco(tabV(&tmp))); ++ if (T->ir[irs->op2].o == IR_KNULL) { ++ setgcrefnull(t->metatable); ++ } else { ++ snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp); ++ /* NOBARRIER: The table is new (marked white). 
*/ ++ setgcref(t->metatable, obj2gco(tabV(&tmp))); ++ } + } else { + irk = &T->ir[irk->op2]; + if (irk->o == IR_KSLOT) irk = &T->ir[irk->op1]; diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25178.patch luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25178.patch --- luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25178.patch 1970-01-01 01:00:00.000000000 +0100 +++ luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/CVE-2024-25178.patch 2025-08-25 13:39:40.000000000 +0200 
@@ -0,0 +1,163 @@ +From: Mike Pall <mike> +Date: Sun, 4 Feb 2024 16:34:30 +0100 +Subject: Rework stack overflow handling. + +Reported by pwnhacker0x18. Fixed by Peter Cawley. #1152 + +Origin: https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8 +Origin: https://github.com/LuaJIT/LuaJIT/commit/0d313b243194a0b8d2399d8b549ca5a0ff234db5 +Bug: https://github.com/LuaJIT/LuaJIT/issues/1152 +Bug-Debian_security: https://security-tracker.debian.org/tracker/CVE-2024-25178 +--- + src/lj_debug.c | 1 + + src/lj_err.c | 22 ++++++++++++++++++++-- + src/lj_err.h | 1 + + src/lj_state.c | 55 ++++++++++++++++++++++++++++++++++++++++++------------- + 4 files changed, 64 insertions(+), 15 deletions(-) + +diff --git a/src/lj_debug.c b/src/lj_debug.c +index 112f535..861fac6 100644 +--- a/src/lj_debug.c ++++ b/src/lj_debug.c +@@ -64,6 +64,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe) + if (cf == NULL || (char *)cframe_pc(cf) == (char *)cframe_L(cf)) + return NO_BCPOS; + ins = cframe_pc(cf); /* Only happens during error/hook handling. */ ++ if (!ins) return NO_BCPOS; + } else { + if (frame_islua(nextframe)) { + ins = frame_pc(nextframe); +diff --git a/src/lj_err.c b/src/lj_err.c +index 563c770..4d74f6d 100644 +--- a/src/lj_err.c ++++ b/src/lj_err.c +@@ -777,6 +777,14 @@ LJ_NOINLINE void lj_err_mem(lua_State *L) + { + if (L->status == LUA_ERRERR+1) /* Don't touch the stack during lua_open. */ + lj_vm_unwind_c(L->cframe, LUA_ERRMEM); ++ if (curr_funcisL(L)) { ++ L->top = curr_topL(L); ++ if (LJ_UNLIKELY(L->top > tvref(L->maxstack))) { ++ /* The current Lua frame violates the stack. Replace it with a dummy. */ ++ L->top = L->base; ++ setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD); ++ } ++ } + setstrV(L, L->top++, lj_err_str(L, LJ_ERR_ERRMEM)); + lj_err_throw(L, LUA_ERRMEM); + } +@@ -837,9 +845,11 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_run(lua_State *L) + { + ptrdiff_t ef = (LJ_HASJIT && tvref(G(L)->jit_base)) ? 
0 : finderrfunc(L); + if (ef) { +- TValue *errfunc = restorestack(L, ef); +- TValue *top = L->top; ++ TValue *errfunc, *top; ++ lj_state_checkstack(L, LUA_MINSTACK * 2); /* Might raise new error. */ + lj_trace_abort(G(L)); ++ errfunc = restorestack(L, ef); ++ top = L->top; + if (!tvisfunc(errfunc) || L->status == LUA_ERRERR) { + setstrV(L, top-1, lj_err_str(L, LJ_ERR_ERRERR)); + lj_err_throw(L, LUA_ERRERR); +@@ -855,6 +865,7 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_run(lua_State *L) + } + + #if LJ_HASJIT ++/* Rethrow error after doing a trace exit. */ + LJ_NOINLINE void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode) + { + if (errcode == LUA_ERRRUN) +@@ -864,6 +875,13 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode) + } + #endif + ++/* Stack overflow error. */ ++void LJ_FASTCALL lj_err_stkov(lua_State *L) ++{ ++ lj_debug_addloc(L, err2msg(LJ_ERR_STKOV), L->base-1, NULL); ++ lj_err_run(L); ++} ++ + /* Formatted runtime error message. */ + LJ_NORET LJ_NOINLINE static void err_msgv(lua_State *L, ErrMsg em, ...) + { +diff --git a/src/lj_err.h b/src/lj_err.h +index bd4de9a..a3aaa75 100644 +--- a/src/lj_err.h ++++ b/src/lj_err.h +@@ -23,6 +23,7 @@ LJ_DATA const char *lj_err_allmsg; + LJ_FUNC GCstr *lj_err_str(lua_State *L, ErrMsg em); + LJ_FUNCA_NORET void LJ_FASTCALL lj_err_throw(lua_State *L, int errcode); + LJ_FUNC_NORET void lj_err_mem(lua_State *L); ++LJ_FUNC_NORET void LJ_FASTCALL lj_err_stkov(lua_State *L); + LJ_FUNC_NORET void LJ_FASTCALL lj_err_run(lua_State *L); + #if LJ_HASJIT + LJ_FUNCA_NORET void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode); +diff --git a/src/lj_state.c b/src/lj_state.c +index 0b9c46b..c870aae 100644 +--- a/src/lj_state.c ++++ b/src/lj_state.c +@@ -102,20 +102,49 @@ void lj_state_shrinkstack(lua_State *L, MSize used) + /* Try to grow stack. */ + void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need) + { +- MSize n; +- if (L->stacksize > LJ_STACK_MAXEX) /* Overflow while handling overflow? 
*/ +- lj_err_throw(L, LUA_ERRERR); +- n = L->stacksize + need; +- if (n > LJ_STACK_MAX) { +- n += 2*LUA_MINSTACK; +- } else if (n < 2*L->stacksize) { +- n = 2*L->stacksize; +- if (n >= LJ_STACK_MAX) +- n = LJ_STACK_MAX; ++ MSize n = L->stacksize + need; ++ if (LJ_LIKELY(n < LJ_STACK_MAX)) { /* The stack can grow as requested. */ ++ if (n < 2 * L->stacksize) { /* Try to double the size. */ ++ n = 2 * L->stacksize; ++ if (n > LJ_STACK_MAX) ++ n = LJ_STACK_MAX; ++ } ++ resizestack(L, n); ++ } else { /* Request would overflow. Raise a stack overflow error. */ ++ if (LJ_HASJIT) { ++ TValue *base = tvref(G(L)->jit_base); ++ if (base) L->base = base; ++ } ++ if (curr_funcisL(L)) { ++ L->top = curr_topL(L); ++ if (L->top > tvref(L->maxstack)) { ++ /* The current Lua frame violates the stack, so replace it with a ++ ** dummy. This can happen when BC_IFUNCF is trying to grow the stack. ++ */ ++ L->top = L->base; ++ setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD); ++ } ++ } ++ if (L->stacksize <= LJ_STACK_MAXEX) { ++ /* An error handler might want to inspect the stack overflow error, but ++ ** will need some stack space to run in. We give it a stack size beyond ++ ** the normal limit in order to do so, then rely on lj_state_relimitstack ++ ** calls during unwinding to bring us back to a convential stack size. ++ ** The + 1 is space for the error message, and 2 * LUA_MINSTACK is for ++ ** the lj_state_checkstack() call in lj_err_run(). ++ */ ++ resizestack(L, LJ_STACK_MAX + 1 + 2 * LUA_MINSTACK); ++ lj_err_stkov(L); /* May invoke an error handler. */ ++ } else { ++ /* If we're here, then the stack overflow error handler is requesting ++ ** to grow the stack even further. We have no choice but to abort the ++ ** error handler. ++ */ ++ GCstr *em = lj_err_str(L, LJ_ERR_STKOV); /* Might OOM. */ ++ setstrV(L, L->top++, em); /* There is always space to push an error. */ ++ lj_err_throw(L, LUA_ERRERR); /* Does not invoke an error handler. 
*/ ++ } + } +- resizestack(L, n); +- if (L->stacksize > LJ_STACK_MAXEX) +- lj_err_msg(L, LJ_ERR_STKOV); + } + + void LJ_FASTCALL lj_state_growstack1(lua_State *L) diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/series luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/series --- luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/series 2022-09-08 20:16:27.000000000 +0200 +++ luajit-2.1.0~beta3+git20220320+dfsg/debian/patches/series 2025-08-25 13:39:40.000000000 +0200 @@ -1,3 +1,6 @@ 0001-consider-Hurd-as-a-POSIX-system.patch 0002-Enable-debugging-symbols-in-the-build.patch 0003-Get-rid-of-LUAJIT_VERSION_SYM-that-changes-ABI-on-ev.patch +CVE-2024-25176.patch +CVE-2024-25177.patch +CVE-2024-25178.patch diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/salsa-ci.yml luajit-2.1.0~beta3+git20220320+dfsg/debian/salsa-ci.yml --- luajit-2.1.0~beta3+git20220320+dfsg/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ luajit-2.1.0~beta3+git20220320+dfsg/debian/salsa-ci.yml 2025-08-25 13:39:40.000000000 +0200 @@ -0,0 +1,9 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + RELEASE: 'bookworm' + SALSA_CI_DISABLE_LINTIAN: 1 + SALSA_CI_DISABLE_REPROTEST: 1 + SALSA_CI_DISABLE_BLHC: 1Attachment: signature.asc
Description: PGP signature
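
Review bot: In the debian/changelog hunk, the first line of the new entry targets bookworm-security with urgency=high, while this request is filed as a bookworm-pu for issues the request itself describes as <no-dsa>. An upload going through proposed-updates would normally name bookworm as its distribution, so please confirm which queue the upload is meant for and make the entry match.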
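
Review bot: In the lj_strfmt_wfnum() hunk of CVE-2024-25176.patch, the wrap mask in "ndlo = (ndlo + 1) & 0x3f;" is a bare literal, and nothing in the hunk shows the size of nd[] that it has to match. A short comment saying that nd[] is indexed modulo 64 (if that is the intent), or a named constant shared with the array declaration, would let a reader check the bound locally. The request lists only manual PoC runs for this fix, so a regression test for the %g case in the package tests would keep it covered.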
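
Review bot: In the snap_unsink() hunk of CVE-2024-25177.patch, the else branch still hands the restored value straight to tabV(&tmp) with no check that it is a table; the only assertion in view covers irk->op2 == IRFL_TAB_META. The fix exists because one non-table case (IR_KNULL) reached this store, so an assertion on the type of tmp after snap_restoreval() would record that IR_KNULL is the only expected exception and would catch any other in assertion-enabled builds.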
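
Review bot: The header of CVE-2024-25178.patch spells the tracker field Bug-Debian_security, while CVE-2024-25176.patch and CVE-2024-25177.patch use Bug-Debian-Security. Suggest using the same hyphenated, capitalised spelling in all three so that anything reading the patch headers treats them alike.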
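
Review bot: The block that resets L->top to curr_topL(L) and replaces a frame that violates the stack with a dummy is added twice, in the lj_err_mem() hunk of lj_err.c and again in the lj_state_growstack() hunk of lj_state.c, and the two copies already differ: the L->top > tvref(L->maxstack) test is wrapped in LJ_UNLIKELY in one and not in the other. Suggest a single shared internal helper so the two error paths cannot drift apart.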
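
Review bot: In the lj_state_growstack() hunk, n is computed as L->stacksize + need and only then compared with LJ_STACK_MAX, so the choice between growing the stack and raising the overflow error depends on that addition not wrapping. Nothing visible in the hunk bounds need; please either state the caller-side bound in a comment or reject an oversized need before the addition. Separately, the added comment has a typo: "convential" should read "conventional".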
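
Review bot: The new debian/salsa-ci.yml sets SALSA_CI_DISABLE_LINTIAN, SALSA_CI_DISABLE_REPROTEST and SALSA_CI_DISABLE_BLHC to 1 with no comment saying why, and the file is not mentioned in the debian/changelog entry even though the checklist states that all changes are documented there. Suggest a one-line rationale for each disabled job, or dropping the disables that are not needed, plus a changelog bullet for the added CI configuration.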
--- End Message ---
--- Begin Message ---
- To: 1086622-done@bugs.debian.org, 1098225-done@bugs.debian.org, 1098229-done@bugs.debian.org, 1098783-done@bugs.debian.org, 1100607-done@bugs.debian.org, 1100960-done@bugs.debian.org, 1101144-done@bugs.debian.org, 1102091-done@bugs.debian.org, 1102675-done@bugs.debian.org, 1102752-done@bugs.debian.org, 1103926-done@bugs.debian.org, 1103927-done@bugs.debian.org, 1104028-done@bugs.debian.org, 1104154-done@bugs.debian.org, 1104821-done@bugs.debian.org, 1104874-done@bugs.debian.org, 1104882-done@bugs.debian.org, 1105009-done@bugs.debian.org, 1105113-done@bugs.debian.org, 1105816-done@bugs.debian.org, 1105888-done@bugs.debian.org, 1105957-done@bugs.debian.org, 1105971-done@bugs.debian.org, 1105996-done@bugs.debian.org, 1106300-done@bugs.debian.org, 1106328-done@bugs.debian.org, 1106348-done@bugs.debian.org, 1106536-done@bugs.debian.org, 1106721-done@bugs.debian.org, 1106756-done@bugs.debian.org, 1106761-done@bugs.debian.org, 1106867-done@bugs.debian.org, 1107069-done@bugs.debian.org, 1107116-done@bugs.debian.org, 1107147-done@bugs.debian.org, 1107217-done@bugs.debian.org, 1107252-done@bugs.debian.org, 1107253-done@bugs.debian.org, 1107568-done@bugs.debian.org, 1107852-done@bugs.debian.org, 1107902-done@bugs.debian.org, 1108122-done@bugs.debian.org, 1108127-done@bugs.debian.org, 1108137-done@bugs.debian.org, 1108185-done@bugs.debian.org, 1108308-done@bugs.debian.org, 1108353-done@bugs.debian.org, 1108504-done@bugs.debian.org, 1108508-done@bugs.debian.org, 1108543-done@bugs.debian.org, 1108548-done@bugs.debian.org, 1108921-done@bugs.debian.org, 1109012-done@bugs.debian.org, 1109034-done@bugs.debian.org, 1109084-done@bugs.debian.org, 1109087-done@bugs.debian.org, 1109095-done@bugs.debian.org, 1109127-done@bugs.debian.org, 1109147-done@bugs.debian.org, 1109207-done@bugs.debian.org, 1109545-done@bugs.debian.org, 1109611-done@bugs.debian.org, 1109763-done@bugs.debian.org, 1109819-done@bugs.debian.org, 1109943-done@bugs.debian.org, 1109945-done@bugs.debian.org, 
1109947-done@bugs.debian.org, 1109995-done@bugs.debian.org, 1110034-done@bugs.debian.org, 1110080-done@bugs.debian.org, 1110114-done@bugs.debian.org, 1110340-done@bugs.debian.org, 1110489-done@bugs.debian.org, 1110643-done@bugs.debian.org, 1110686-done@bugs.debian.org, 1110813-done@bugs.debian.org, 1111034-done@bugs.debian.org, 1111076-done@bugs.debian.org, 1111426-done@bugs.debian.org, 1111486-done@bugs.debian.org, 1111600-done@bugs.debian.org, 1111607-done@bugs.debian.org, 1111653-done@bugs.debian.org, 1111666-done@bugs.debian.org, 1111835-done@bugs.debian.org, 1111859-done@bugs.debian.org, 1111924-done@bugs.debian.org, 1111959-done@bugs.debian.org, 1111966-done@bugs.debian.org, 1111969-done@bugs.debian.org, 1111987-done@bugs.debian.org, 1111989-done@bugs.debian.org, 1112039-done@bugs.debian.org, 1112053-done@bugs.debian.org, 1112070-done@bugs.debian.org, 1112074-done@bugs.debian.org, 1112124-done@bugs.debian.org, 1112129-done@bugs.debian.org, 1112141-done@bugs.debian.org, 1112195-done@bugs.debian.org, 1112239-done@bugs.debian.org, 1112252-done@bugs.debian.org, 1112340-done@bugs.debian.org, 1112347-done@bugs.debian.org, 1112368-done@bugs.debian.org, 1112449-done@bugs.debian.org, 1112459-done@bugs.debian.org, 1112467-done@bugs.debian.org, 1112542-done@bugs.debian.org
- Subject: Closing p-u requests for fixes included in 12.12
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 06 Sep 2025 12:14:50 +0100
- Message-id: <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam
--- End Message ---