CVE-2022-33099: 
NixOS vulnerability analysis and mitigation

CVE-2022-33099 affects Lua version 5.4.4 and below, specifically in the luaG_runerror component. The vulnerability was discovered in May 2022 and involves a heap-buffer overflow condition that occurs when a recursive error takes place (NVD, Ubuntu).

The vulnerability exists in the error handling mechanism of Lua, specifically in the luaGerrormsg() component which uses slots from EXTRASTACK. When recursive errors occur, such as string overflow while creating an error message in 'luaG_runerror', or a C-stack overflow before calling the message handler, the code fails to use stack slots with parsimony, leading to a heap-buffer overflow (Lua Bugs, GitHub Commit). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability primarily affects the availability of systems running the affected versions of Lua. When exploited, it can lead to a heap-buffer overflow condition, which could potentially cause program crashes or denial of service (NVD).

A fix has been implemented and is available in newer versions of Lua. The patch involves modifying the code to save stack space while handling errors, ensuring proper management of stack slots during error handling (GitHub Commit). For Fedora users, fixed packages were released for both Fedora 35 and 36 (Fedora Update).