Security update for lua51-luajit SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02886-1 Final 1 1 2025-08-19T07:08:36Z current 2025-08-19T07:08:36Z 2025-08-19T07:08:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for lua51-luajit This update for lua51-luajit fixes the following issues: - CVE-2024-25176: Fixed stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c (bsc#1246077) - CVE-2024-25177: Fixed unsinking of IR_FSTORE for NULL metatable (bsc#1246078) - CVE-2024-25178: Fixed ut-of-bounds read in the stack-overflow handler in lj_state.c (bsc#1246079) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-2886,openSUSE-SLE-15.6-2025-2886 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502886-1/ Link for SUSE-SU-2025:02886-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041274.html E-Mail link for SUSE-SU-2025:02886-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1246077 SUSE Bug 1246077 https://bugzilla.suse.com/1246078 SUSE Bug 1246078 https://bugzilla.suse.com/1246079 SUSE Bug 1246079 https://www.suse.com/security/cve/CVE-2024-25176/ SUSE CVE CVE-2024-25176 page https://www.suse.com/security/cve/CVE-2024-25177/ SUSE CVE CVE-2024-25177 page https://www.suse.com/security/cve/CVE-2024-25178/ SUSE CVE CVE-2024-25178 page openSUSE Leap 15.6 libluajit-5_1-2-2.1.0~beta2-150000.3.3.1 libluajit-5_1-2-32bit-2.1.0~beta2-150000.3.3.1 libluajit-5_1-2-64bit-2.1.0~beta2-150000.3.3.1 lua51-luajit-2.1.0~beta2-150000.3.3.1 lua51-luajit-devel-2.1.0~beta2-150000.3.3.1 lua51-luajit-2.1.0~beta2-150000.3.3.1 as a component of openSUSE Leap 15.6 lua51-luajit-devel-2.1.0~beta2-150000.3.3.1 as a component of openSUSE Leap 15.6 LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240626 have a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c. CVE-2024-25176 openSUSE Leap 15.6:lua51-luajit-2.1.0~beta2-150000.3.3.1 openSUSE Leap 15.6:lua51-luajit-devel-2.1.0~beta2-150000.3.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502886-1/ https://www.suse.com/security/cve/CVE-2024-25176.html CVE-2024-25176 https://bugzilla.suse.com/1246077 SUSE Bug 1246077 LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS). CVE-2024-25177 openSUSE Leap 15.6:lua51-luajit-2.1.0~beta2-150000.3.3.1 openSUSE Leap 15.6:lua51-luajit-devel-2.1.0~beta2-150000.3.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502886-1/ https://www.suse.com/security/cve/CVE-2024-25177.html CVE-2024-25177 https://bugzilla.suse.com/1246078 SUSE Bug 1246078 LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an out-of-bounds read in the stack-overflow handler in lj_state.c. CVE-2024-25178 openSUSE Leap 15.6:lua51-luajit-2.1.0~beta2-150000.3.3.1 openSUSE Leap 15.6:lua51-luajit-devel-2.1.0~beta2-150000.3.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502886-1/ https://www.suse.com/security/cve/CVE-2024-25178.html CVE-2024-25178 https://bugzilla.suse.com/1246079 SUSE Bug 1246079