- Subject: Re: Lua marked as insecure by Secunia
- From: Coda Highland <chighland@...>
- Date: Wed, 10 Sep 2014 17:52:53 -0700
On Wed, Sep 10, 2014 at 5:46 PM, Rena <hyperhacker@gmail.com> wrote:
> On Wed, Sep 10, 2014 at 8:40 PM, Tim Channon <tc@gpsl.net> wrote:
>> Secunia, one of the major security companies, is flagging Lua 5.1.5 as
>> insecure.
>>
>> "Lua "luaD_precall()" Denial of Service Security Issue"
>>
>> An annoyance more than a security leak.
>>
>> http://secunia.com/advisories/product/35758/?task=advisories_2014
>>
>
> Too bad you need to log in to see any information.

Release Date: 2014-09-04
Criticality level : Less critical
Impact : DoS
Where : From remote
Solution Status: Vendor Patch
Software: Lua 5.x

Description:
A security issue has been reported in Lua, which can be exploited by
malicious people to cause a DoS (Denial of Service).

The security issue is caused due to a boundary error in the
"luaD_precall()" function (src/ldo.c) when handling arguments of
variable size and can be exploited to cause a crash.

The security issue is reported in versions 5.1 through 5.2.2.

Solution:
Update to version 5.2.3.

Provided and/or discovered by:
Cloudwu

Original Advisory:
Lua:
http://www.lua.org/bugs.html#5.2.2-1

Cloudwu:
http://lua-users.org/lists/lua-l/2013-04/msg00503.html

http://secunia.com/advisories/60519/