- Subject: Re: Lua [in]security and the distributors
- From: Dirk Laurie <dirk.laurie@...>
- Date: Tue, 26 Aug 2014 20:23:25 +0200
2014-08-26 19:27 GMT+02:00 Jonas Thiem <jonasthiem@googlemail.com>:
> There wasn't even a quick release of an update to 5.2.2 where this bug
> was found originally, just 5.2.3 a few months later after this bug was
> made public (though a patch was available to everyone willing to patch
> themselves until 5.2.3 was finally released).
The official description of Lua's mission is:
> Lua is intended to be used as a powerful, lightweight, embeddable
> scripting language for any program that needs one.
It goes on to say:
> Being an extension language, Lua has no notion of a "main" program:
> it only works embedded in a host client, called the embedding program
> or simply the host.
and:
> The Lua distribution includes a sample host program called lua
I.e. the Lua interpreter we all love is no more than a sample; you
should be rolling your own.
Its license inter alia says this:
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY
> OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
> LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
I think using Lua in a security-sensitive environment goes beyond
what the designers claim it is good for. It's not that they are insensitive
to security issues; it's that they're not paranoid about them. But: the
only good security people are those considered to be paranoid by
everybody else.
In particular, Lua has a policy that there is one final release of the
outgoing release when a new release comes out. No further fixes,
even if there is a bug reported to be present already in Lua 3.1,
even if it offers a security exploit. That policy says there will never
be an official Lua 5.1.6.
I see only one solution. Someone who _is_ paranoid about security
should maintain a Secure Lua website, where for example
lua-5.1.5-secure.tar.gz would be available. When that site has built up
a reputation for excellence, ask lua.org to feature a link to it.