lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Hello Sam,

Thanks for your email. Yes, I'm also not able to reproduce the issue in 5.1.5.

Reg CVE-2020-15888, in, it is mentioned that this CVE is present in version less than 5.4.0.

On Wed, Jul 28, 2021 at 5:40 PM Sam Trenholme <> wrote:

I am unable to crash Lua 5.1 with this code:

function errfunc(p16, p17, p18, p19, p20, p21, p22, p23, p24, p25, p26, p27,
                p28, p29, p30, p31, p32, p33, p34, p35, p36, p37, p38, p39,
                p40, p41, p42, p43, p44, p45, p46, p48, p49, p50, p51, p52, p53, p54, p55, p56, p57, p58, p59, p60, ...) a9
        coroutine.wrap(function() xpcall(test,
                function() do setmetatable({},
                        { __gc = function() if k < 2 then end end })
        xpcall(test, errfunc) end)()

In addition, a CVE search against Lua 5.1 in the NVD database only lists three CVEs:

More information:

If I do not believe there are any other security issues which affect Lua 5.1. If this assessment is in error, please provide CVE numbers. I’ve been dealing with CVE numbers and supposed security reports for a long time; a common bit of “troll bait” it to make make claims of hideous security problems without providing any concrete details. That in mind, I look at any claims of security issues with a large grain of salt.

In my experience with the NVD, there are a lot of errors in these CVE databases; some of the CVE entries for MaraDNS incorrectly describe (and exaggerate) the actual security issues MaraDNS has had, so I know the CVE databases can have some pretty bad errors in them.

The reason why I’m paying very close attention to Lua 5.1 security issues is because MaraDNS now includes a server which uses Lua 5.1 for configuration, so any Lua 5.1 security hole is a MaraDNS security hole.

— Sam

On 7/27/2021 11:04 PM, aman agrawal wrote:
I'm getting a crash in running the following code (some modification of in Lua-5.2.2

Best Regards
Aman Agrawal