CVE-2019-19391

In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled. NOTE: The LuaJIT project owner states that the debug libary is unsafe by definition and that this is not a vulnerability. When LuaJIT was originally developed, the expectation was that the entire debug library had no security guarantees and thus it made no sense to assign CVEs. However, not all users of later LuaJIT derivatives share this perspective

References

Affected packages

Debian:11 / luajit

Package

Name: luajit
Purl: pkg:deb/debian/luajit?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0~beta3+dfsg-5.3+deb11u1

Affected versions

2.*

2.1.0~beta3+dfsg-5.3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / luajit

Package

Name: luajit
Purl: pkg:deb/debian/luajit?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0~beta3+git20210112+dfsg-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / luajit

Package

Name: luajit
Purl: pkg:deb/debian/luajit?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0~beta3+git20210112+dfsg-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:14 / luajit

Package

Name: luajit
Purl: pkg:deb/debian/luajit?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0~beta3+git20210112+dfsg-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/moonjit/moonjit

Affected ranges

Type: GIT
Repo: https://github.com/moonjit/moonjit
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

99168476b9f6e1910057181428f2225b09458747

Affected versions

2.*

2.1.1

luajit-2.*

luajit-2.1.0-201909025

v2.*

v2.0.0

v2.0.0-beta1

v2.0.0-beta10

v2.0.0-beta11

v2.0.0-beta2

v2.0.0-beta2-hotfix2

v2.0.0-beta3

v2.0.0-beta4

v2.0.0-beta5

v2.0.0-beta6

v2.0.0-beta7

v2.0.0-beta8

v2.0.0-beta8-fixed

v2.0.0-beta9

v2.0.0-rc1

v2.0.0-rc2

v2.0.0-rc3

v2.0.1

v2.0.1-fixed

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.1.0-beta1

v2.1.0-beta2

v2.1.0-beta3