From ${URL} : An overflow flaw was fixed in Lua 5.2.2: http://www.lua.org/bugs.html#5.2.2-1 This could cause the application to crash or, potentially, execute arbitrary code. One way an attacker could trigger this issue is if they can control parameters to a loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua). Although Fedora 20 has 5.2.2, the issue is not resolved there. @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Original request if ready for stabilization on 8/22. 5.23 is in tree but masked. Please advise what is the status for stabilization, even if the status is not ready, and the reasons (or bugs) that are blocking this.
Ping on question on stabilization, please advise. Otherwise will call for stabilization on around October 11, 2014.
http://www.lua.org/bugs.html#5.2.2-1: reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3. CC'ing new maintainer. @ Maintainer(s): The call for stabilization timed out 2y ago... due to changed maintainer, please advise us how to proceed. >=dev-lang/lua-5.2.3 has to go stable and previous versions needs to get cleaned up.
Note: I ping'ed William via IRC. He needs to talk to Rafael first. If we don't get an update from maintainers until 2016-12-30 security will consider next steps.
Should be fixed in -r4
OK, maintainer decided to patch existing 5.1.5 version (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=856bde253c4184b33adc1f0267e80464d564763b), thanks! @ Arches, please test and mark stable: =dev-lang/lua/lua-5.1.5-r4
amd64 stable
x86 stable
arm stable
Stable on alpha.
sparc stable
Stable for HPPA.
ppc stable
ia64 stable
ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
GLSA request filed. Another LWN article... "Gentoo patches ancient bug."
This issue was resolved and addressed in GLSA 201701-53 at https://security.gentoo.org/glsa/201701-53 by GLSA coordinator Aaron Bauman (b-man). @maintainer(s), please cleanup.
(In reply to Aaron Bauman from comment #17) > This issue was resolved and addressed in > GLSA 201701-53 at https://security.gentoo.org/glsa/201701-53 > by GLSA coordinator Aaron Bauman (b-man). > > @maintainer(s), please cleanup. cleaned up. thanks
I can see that there's no stable dev-lang/lua for amd64 and x84 arches in the tree, what's wrong?
(In reply to Gleb from comment #19) > I can see that there's no stable dev-lang/lua for amd64 and x84 arches in > the tree, what's wrong? yes, for some reason those keywords disappeared from -r4 before I cleaned up the old ebuilds, and repoman failed to warn me. mgorny fixed it while I was away. thanks
*** Bug 606902 has been marked as a duplicate of this bug. ***
The patch for this CVE was deleted together with 5.1.5-r4 in commit 94dbb827593747a05def4ea999d8d153e166795e. Moreover, it was never applied to more recent revisions. In my opinion, it should be re-activated for 5.1.5-r106 and kept for future revisions.
Unable to check for sanity: > no match for package: =dev-lang/lua-5.1.5-r4
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc1f784b5c91f2e0be1aa06b155cff958ba22a0 commit 1bc1f784b5c91f2e0be1aa06b155cff958ba22a0 Author: David Seifert <soap@gentoo.org> AuthorDate: 2022-10-13 13:19:37 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2022-10-13 13:19:37 +0000 dev-lang/lua: drop 5.1.5-r109, 5.3.6-r5, 5.4.4-r2 Bug: https://bugs.gentoo.org/520480 Bug: https://bugs.gentoo.org/717780 Closes: https://bugs.gentoo.org/460114 Closes: https://bugs.gentoo.org/462064 Closes: https://bugs.gentoo.org/539826 Closes: https://bugs.gentoo.org/627330 Closes: https://bugs.gentoo.org/689598 Closes: https://bugs.gentoo.org/706378 Closes: https://bugs.gentoo.org/791772 Closes: https://bugs.gentoo.org/834153 Closes: https://bugs.gentoo.org/834911 Closes: https://bugs.gentoo.org/843320 Signed-off-by: David Seifert <soap@gentoo.org> dev-lang/lua/Manifest | 5 - dev-lang/lua/files/configure.in | 5 - dev-lang/lua/files/lua-5.1-module_paths.patch | 30 ----- dev-lang/lua/files/lua-5.1-readline.patch | 10 -- dev-lang/lua/files/lua-5.1.4-deprecated.patch | 46 ------- dev-lang/lua/files/lua-5.1.5-make.patch | 97 ------------- dev-lang/lua/files/lua-5.3.6-make.patch | 91 ------------- dev-lang/lua/files/lua-5.4.2-r2-make.patch | 99 -------------- dev-lang/lua/files/lua.pc | 31 ----- dev-lang/lua/lua-5.1.5-r109.ebuild | 145 -------------------- dev-lang/lua/lua-5.3.6-r5.ebuild | 187 -------------------------- dev-lang/lua/lua-5.4.4-r2.ebuild | 184 ------------------------- dev-lang/lua/metadata.xml | 23 ++-- 13 files changed, 11 insertions(+), 942 deletions(-)
Oh, 5.1.6-r2 was eventually renamed to 5.1.5-r200.
GLSA request filed
(In reply to John Helmert III from comment #25) > Oh, 5.1.6-r2 was eventually renamed to 5.1.5-r200. Yup, that was my mistake.
(In reply to David Seifert from comment #27) > (In reply to John Helmert III from comment #25) > > Oh, 5.1.6-r2 was eventually renamed to 5.1.5-r200. > > Yup, that was my mistake. No worries! Just noting that's why I'm waffling with summary
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=9481b5e54d9a028a3f651d96ca46efd05ac1b3a6 commit 9481b5e54d9a028a3f651d96ca46efd05ac1b3a6 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-05-03 10:32:55 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-05-03 10:33:45 +0000 [ GLSA 202305-23 ] Lua: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/520480 Bug: https://bugs.gentoo.org/831053 Bug: https://bugs.gentoo.org/837521 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202305-23.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+)
