Updated luajit packages fix security vulnerabilities
Publication date: 18 Jun 2026Modification date: 18 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2019-19391 , CVE-2020-24372 , CVE-2024-25176 , CVE-2024-25177 , CVE-2024-25178
Description
In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other
products, debug.getinfo has a type confusion issue that leads to
arbitrary memory write or read operations, because certain cases
involving valid stack levels and > options are mishandled.
(CVE-2019-19391)
LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_run in
lj_err.c. (CVE-2020-24372)
LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240626 have a
stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c.
(CVE-2024-25176)
LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an
unsinking of IR_FSTORE for NULL metatable, which leads to Denial of
Service (DoS). (CVE-2024-25177)
LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an
out-of-bounds read in the stack-overflow handler in lj_state.c.
(CVE-2024-25178)
References
- https://bugs.mageia.org/show_bug.cgi?id=34491
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XU3NWLH45W4F7OBKEB4XEOJQI4S36PU5/
- https://lists.debian.org/debian-lts-announce/2025/08/msg00022.html
- https://www.cve.org/CVERecord?id=CVE-2019-19391
- https://www.cve.org/CVERecord?id=CVE-2020-24372
- https://www.cve.org/CVERecord?id=CVE-2024-25176
- https://www.cve.org/CVERecord?id=CVE-2024-25177
- https://www.cve.org/CVERecord?id=CVE-2024-25178
SRPMS
9/core
- luajit-2.1.0-0.beta3.10.1.mga9