lua-l archive


On Tue, Aug 26, 2014 at 04:06:22PM +0200, Jonas Thiem wrote:
> the Lua crash exploit published since April 2013 is unfixed in:
> 
> * Debian stable

Without a CVE I can hardly convince Debian security people that the fix
is worth it (I'm not fully convinced myself).

I would like to fix Lua 5.1 (for the next stable release), but
unfortunately the patch on the website is for 5.2.2 only.  I'm attaching
a tentative one for 5.1.  I'm not very familiar with the source code, so
help is welcome.  In particular, the attached patch changes the argument
to luaD_checkstack also in the non-vararg case while the bug seems to be
related to vararg functions only.

> .. or in other words, every distribution I checked so far. On the IRC
> channel people told me that Lua use for sandboxing is very common, so
> this seems to be a notable problem.

Which channel?  Using a dynamic language for (real) sandboxing seems a
good recipe for a disaster, and as far as I recall Lua has not been
designed for sandboxing.

> Or maybe the conclusion is just that distributions don't give a sh**

This makes me wonder if you are serious or just trolling.  A patch that
fixes the Debian package would be way more effective than 100 emails
full of asterisks.

Best,
-- 
Enrico Tassi