- Subject: Re: Lua [in]security and the distributors
- From: Enrico Tassi <gares@...>
- Date: Tue, 26 Aug 2014 16:37:19 +0200
On Tue, Aug 26, 2014 at 04:06:22PM +0200, Jonas Thiem wrote:
> the Lua crash exploit published since April 2013 is unfixed in:
>
> * Debian stable
Without a CVE I can hardly convince Debian security people that the fix
is worth it (I'm not fully convinced myself).
I would like to fix Lua 5.1 (for the next stable release), but
unfortunately the patch on the website is for 5.2.2 only. I'm attaching
a tentative one for 5.1. I'm not very familiar with the source code, so
help is welcome. In particular, the attached patch changes the argument
to luaD_checkstack also in the non-vararg case while the bug seems to be
related to vararg functions only.
> .. or in other words, every distribution I checked so far. On the IRC
> channel people told me that Lua use for sandboxing is very common, so
> this seems to be a notable problem.
Which channel? Using a dynamic language for (real) sandboxing seems a
good recipe for a disaster, and as far as I recall Lua has not been
designed for sandboxing.
> Or maybe the conclusion is just that distributions don't give a sh**
This makes me wonder if you are serious or just trolling. A patch that
fixes the Debian package would be way more effective than 100 emails
full of asterisks.
Best,
--
Enrico Tassi