

On Tue, Aug 26, 2014 at 4:37 PM, Enrico Tassi <gares@fettunta.org> wrote:
> On Tue, Aug 26, 2014 at 04:06:22PM +0200, Jonas Thiem wrote:
>> the Lua crash exploit published since April 2013 is unfixed in:
>>
>> * Debian stable
>
> Without a CVE I can hardly convince Debian security people that the fix
> is worth it (I'm not fully convinced myself).

Red Hat has asked for CVE classification:
http://www.openwall.com/lists/oss-security/2014/08/21/2

> Which channel?  Using a dynamic language for (real) sandboxing seems a
> good recipe for a disaster, and as far as I recall Lua has not been
> designed for sandboxing.

#lua on freenode

> This makes me wonder if you are serious or just trolling.  A patch that
> fixes the Debian package would be way more effective than 100 emails
> full of asterisks.

I already mailed Red Hat, helped them out with lots of details on the
bug tracker, and I emailed Ubuntu with no response for days, and I
wrote this email here, and I wrote another email which brought up how
hidden the lua.org/bugs.html page can be to downloading people with
extensive discussion responses.

And your response to this is I am not serious and trolling? Yea, thanks.

What about you HELP me emailing everyone instead of accusing me of
being a troll? At least *I* have already checked distributions and
mailed some of them, have you? (And I brought it up here after all)
Sorry that I haven't emailed the whole world myself yet.

>
> Best,
> --
> Enrico Tassi
>