Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.
{ "vanir_signatures": [ { "id": "CVE-2019-6706-00032def", "target": { "function": "getupvalref", "file": "lapi.c" }, "signature_version": "v1", "digest": { "length": 408.0, "function_hash": "45231132265163223636532311818292060392" }, "signature_type": "Function", "source": "https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e", "deprecated": false }, { "id": "CVE-2019-6706-264b1e53", "target": { "function": "lua_upvalueid", "file": "lapi.c" }, "signature_version": "v1", "digest": { "length": 468.0, "function_hash": "168654682806415888564868502854858233475" }, "signature_type": "Function", "source": "https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e", "deprecated": false }, { "id": "CVE-2019-6706-ad2906b9", "target": { "function": "lua_upvaluejoin", "file": "lapi.c" }, "signature_version": "v1", "digest": { "length": 392.0, "function_hash": "336886739732523367635662810366732805781" }, "signature_type": "Function", "source": "https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e", "deprecated": false }, { "id": "CVE-2019-6706-e7916afb", "target": { "file": "lapi.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "114280754343182667492310544413047257523", "135797660772714151558304634952356559189", "324426448145863171687706490342891370242", "158464887736040735811625781411603539517", "109284068507191940525491597714252165763", "17353900652863108361291584574332551664", "73243341667893678318317837601477420919", "184943886777344493192408412618803260479", "92936929984927184471054474271540256660", "315317082330350668532734840438847734449", "232247388784538711332203219499193690964", "238016185841859018970600644226169544163", "212682399206584147756393191489144751679", "265234325060766264020411529438170302368", "316472907546906173177633520659052112636", "211225411100249201500195271735977703457", "105626001136622936431389132883094094572", "215722041084154120534485317323045511353", "69590894200313878133321429160581940638", "104367335793266688094676634691058216743" ], "threshold": 0.9 }, "signature_type": "Line", "source": "https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e", "deprecated": false } ] }