Hi *,

the Lua crash exploit published since April 2013 is unfixed in:

* Debian stable
* Fedora
* OpenSuse
* Ubuntu 12 LTS (still supported)

.. or in other words, every distribution I checked so far. On the IRC
channel people told me that Lua use for sandboxing is very common, so
this seems to be a notable problem.

So, another crazy idea: what about you make front page announcements
for discovered exploits? A bit like the big red boxes libpng uses:
http://www.libpng.org/pub/png/libpng.html

Or maybe the conclusion is just that distributions don't give a sh**
about a secure Lua. Which raises another question: maybe Lua should
release an up-to-date tarball after each discovered bug to make it
easier for people to compile a secure, up-to-date Lua themselves? Last
time I got the response "don't worry about that" which kind of
suggested to let distributors take care of an up-to-date Lua, but
apparently that's not happening.

I am just throwing ideas in the room, maybe none of them are worth
pursuing - but I guess this situation is worth talking about.

Regards,
Jonas Thiem