Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 717780 (CVE-2019-6706, CVE-2020-15888, CVE-2020-15889, CVE-2020-15945, CVE-2020-24342, CVE-2020-24369, CVE-2020-24370, CVE-2020-24371)

Summary: dev-lang/lua: Multiple vulnerabilities (CVE-2019-6706, CVE-2020-{15945,15888,15889,24342,24369,24370,24371})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: ajak, robbat2, williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [upstream/ebuild cve]
Package list:
Runtime testing required: ---
Bug Depends on: 925290    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 01:37:17 UTC
CVE-2019-6706 (https://nvd.nist.gov/vuln/detail/CVE-2019-6706):
  Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a
  crash outcome might be achieved by an attacker who is able to trigger a
  debug.upvaluejoin call in which the arguments have certain relationships.


----
Ubuntu have applied this patch: https://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10.1.diff.gz (viewable in browser)
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-13 17:01:48 UTC
ping
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-22 00:53:19 UTC
CVE-2020-15889:

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.

CVE-2020-15888:

Lua through 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-25 02:44:06 UTC
* CVE-2020-15945

"Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function."

http://lua-users.org/lists/lua-l/2020-07/msg00123.html
https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-13 23:31:12 UTC
(In reply to John Helmert III (ajak) from comment #2)
> CVE-2020-15889:
> 
> Lua through 5.4.0 mishandles the interaction between stack resizes and
> garbage collection, leading to a heap-based buffer overflow, heap-based
> buffer over-read, or use-after-free.

Patch: https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312

> CVE-2020-15888:
> 
> Lua through 5.4.0 has a getobjname heap-based buffer over-read because
> youngcollection in lgc.c uses markold for an insufficient number of list
> members.

Patches: https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5


CVE-2020-24342:

Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.

Patch: https://github.com/lua/lua/commit/34affe7a63fc5d842580a9f23616d057e17dfe27
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-18 16:00:04 UTC
CVE-2020-24369:

ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.

Patch: https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a

CVE-2020-24370:

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).

Patch: https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b

CVE-2020-24371:

lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.

Patch: https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 10:57:49 UTC
ping
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 15:49:29 UTC
sam:
1. Lua 5.4 is not yet packaged in Gentoo, CVEs that affect only 5.4 (and not older series) don't impact us.
2. Upstream does not make further point releases in old series, making this harder to roll quickly
Comment 8 Conrad Kostecki gentoo-dev 2021-01-24 10:59:30 UTC
Since 5.4.0 does not exist in tree anymore, does this still apply to 5.4.2?
Comment 9 Larry the Git Cow gentoo-dev 2022-10-13 13:20:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc1f784b5c91f2e0be1aa06b155cff958ba22a0

commit 1bc1f784b5c91f2e0be1aa06b155cff958ba22a0
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2022-10-13 13:19:37 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2022-10-13 13:19:37 +0000

    dev-lang/lua: drop 5.1.5-r109, 5.3.6-r5, 5.4.4-r2
    
    Bug: https://bugs.gentoo.org/520480
    Bug: https://bugs.gentoo.org/717780
    Closes: https://bugs.gentoo.org/460114
    Closes: https://bugs.gentoo.org/462064
    Closes: https://bugs.gentoo.org/539826
    Closes: https://bugs.gentoo.org/627330
    Closes: https://bugs.gentoo.org/689598
    Closes: https://bugs.gentoo.org/706378
    Closes: https://bugs.gentoo.org/791772
    Closes: https://bugs.gentoo.org/834153
    Closes: https://bugs.gentoo.org/834911
    Closes: https://bugs.gentoo.org/843320
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-lang/lua/Manifest                         |   5 -
 dev-lang/lua/files/configure.in               |   5 -
 dev-lang/lua/files/lua-5.1-module_paths.patch |  30 -----
 dev-lang/lua/files/lua-5.1-readline.patch     |  10 --
 dev-lang/lua/files/lua-5.1.4-deprecated.patch |  46 -------
 dev-lang/lua/files/lua-5.1.5-make.patch       |  97 -------------
 dev-lang/lua/files/lua-5.3.6-make.patch       |  91 -------------
 dev-lang/lua/files/lua-5.4.2-r2-make.patch    |  99 --------------
 dev-lang/lua/files/lua.pc                     |  31 -----
 dev-lang/lua/lua-5.1.5-r109.ebuild            | 145 --------------------
 dev-lang/lua/lua-5.3.6-r5.ebuild              | 187 --------------------------
 dev-lang/lua/lua-5.4.4-r2.ebuild              | 184 -------------------------
 dev-lang/lua/metadata.xml                     |  23 ++--
 13 files changed, 11 insertions(+), 942 deletions(-)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 02:12:00 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-6706 (https://nvd.nist.gov/vuln/detail/CVE-2019-6706):
>   Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a
>   crash outcome might be achieved by an attacker who is able to trigger a
>   debug.upvaluejoin call in which the arguments have certain relationships.
> 
> 
> ----
> Ubuntu have applied this patch:
> https://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10.
> 1.diff.gz (viewable in browser)

https://raw.githubusercontent.com/Lua-Project/cve-analysis/main/CVE-2019-6706.pdf says that this is fixed by:

https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e

With the original bug report being:

http://lua-users.org/lists/lua-l/2019-01/msg00039.html
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 02:29:07 UTC
CVE-2020-15945, CVE-2020-15889, CVE-2020-15888, CVE-2020-24342, CVE-2020-24369, CVE-2020-24371 all fixed in 5.4.1 and seemingly not further.

CVE-2020-24370 is patched in 5.3.6 and 5.4.1.

Not sure if any of these affected previous branches.