I am unable to crash Lua 5.1 with this code:

function errfunc(p16, p17, p18, p19, p20, p21, p22, p23, p24, p25, p26, p27,
p28, p29, p30, p31, p32, p33, p34, p35, p36, p37, p38, p39,
p40, p41, p42, p43, p44, p45, p46, p48, p49, p50, p51, p52, p53, p54, p55, p56, p57, p58, p59, p60, ...) a9
'fail'
end
coroutine.wrap(function() xpcall(test,
function() do setmetatable({},
{ __gc = function() if k < 2 then end end })
end
end
)
xpcall(test, errfunc) end)()

In addition, a CVE search against Lua 5.1 in the NVD database only lists three CVEs:
- CVE-2014-5461 (I cannot reproduce the crash using the known exploit test, but there’s a patch readily available so I’m patching anyway)
- CVE-2020-15888: According to https://ubuntu.com/security/CVE-2020-15888 this does not affect any versions of Lua before 5.4
- CVE-2020-15945: According to https://ubuntu.com/security/CVE-2020-15945 this does not affect any versions of Lua before 5.4
More information: https://github.com/samboy/lunacy/blob/master/CVE.md
I do not believe there are any other security issues which affect Lua 5.1. If this assessment is in error, please provide CVE numbers. I’ve been dealing with CVE numbers and supposed security reports for a long time; a common bit of “troll bait” is to make claims of hideous security problems without providing any concrete details. That in mind, I look at any claims of security issues with a large grain of salt.
In my experience with the NVD, there are a lot of errors in these CVE databases; some of the CVE entries for MaraDNS incorrectly describe (and exaggerate) the actual security issues MaraDNS has had, so I know the CVE databases can have some pretty bad errors in them.
The reason why I’m paying very close attention to Lua 5.1 security issues is because MaraDNS now includes a server which uses Lua 5.1 for configuration, so any Lua 5.1 security hole is a MaraDNS security hole.
— Sam
On 7/27/2021 11:04 PM, aman agrawal wrote:
I'm getting a crash in running the following code (some modification of http://lua-users.org/lists/lua-l/2020-07/msg00054.html) in Lua-5.2.2