Lua [in]security and the distributors

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Lua [in]security and the distributors
From: Jonas Thiem <jonasthiem@...>
Date: Tue, 26 Aug 2014 16:06:22 +0200

Hi *,

the Lua crash exploit published since April 2013 is unfixed in:

* Debian stable
* Fedora
* OpenSuse
* Ubuntu 12 LTS (still supported)

.. or in other words, every distribution I checked so far. On the IRC
channel people told me that Lua use for sandboxing is very common, so
this seems to be a notable problem.

So, another crazy idea: what about you make front page announcements
for discovered exploits? A bit like the big red boxes libpng uses:
http://www.libpng.org/pub/png/libpng.html

Or maybe the conclusion is just that distributions don't give a sh**
about a secure Lua. Which raises another question: maybe Lua should
release an up-to-date tarball after each discovered bug to make it
easier for people to compile a secure, up-to-date Lua themselves? Last
time I got the response "don't worry about that" which kind of
suggested to let distributors take care of an up-to-date Lua, but
apparently that's not happening.

I am just throwing ideas in the room, maybe none of them are worth
pursueing - but I guess this situation is worth talking about.

Regards,
Jonas Thiem

Follow-Ups:
- Re: Lua [in]security and the distributors, Enrico Tassi

Prev by Date: Re: rename lua_State
Next by Date: Re: Lua [in]security and the distributors
Previous by thread: Improved ipairs for Lua 5.2/5.3
Next by thread: Re: Lua [in]security and the distributors
Index(es):
- Date
- Thread