Summary: | dev-lang/lua: Multiple vulnerabilities (CVE-2019-6706, CVE-2020-{15945,15888,15889,24342,24369,24370,24371}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | minor | CC: | ajak, robbat2, williamh |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [upstream/ebuild cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 925290 | ||
Bug Blocks: |
Description
GLSAMaker/CVETool Bot
2020-04-17 01:37:17 UTC
ping CVE-2020-15889: Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free. CVE-2020-15888: Lua through 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members. * CVE-2020-15945 "Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function." http://lua-users.org/lists/lua-l/2020-07/msg00123.html https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3 (In reply to John Helmert III (ajak) from comment #2) > CVE-2020-15889: > > Lua through 5.4.0 mishandles the interaction between stack resizes and > garbage collection, leading to a heap-based buffer overflow, heap-based > buffer over-read, or use-after-free. Patch: https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312 > CVE-2020-15888: > > Lua through 5.4.0 has a getobjname heap-based buffer over-read because > youngcollection in lgc.c uses markold for an insufficient number of list > members. Patches: https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7 https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5 CVE-2020-24342: Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row. Patch: https://github.com/lua/lua/commit/34affe7a63fc5d842580a9f23616d057e17dfe27 CVE-2020-24369: ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference. Patch: https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a CVE-2020-24370: ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31). Patch: https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b CVE-2020-24371: lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage. Patch: https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110 ping sam: 1. Lua 5.4 is not yet packaged in Gentoo, CVEs that affect only 5.4 (and not older series) don't impact us. 2. Upstream does not make further point releases in old series, making this harder to roll quickly Since 5.4.0 does not exist in tree anymore, does this still apply to 5.4.2? The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc1f784b5c91f2e0be1aa06b155cff958ba22a0 commit 1bc1f784b5c91f2e0be1aa06b155cff958ba22a0 Author: David Seifert <soap@gentoo.org> AuthorDate: 2022-10-13 13:19:37 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2022-10-13 13:19:37 +0000 dev-lang/lua: drop 5.1.5-r109, 5.3.6-r5, 5.4.4-r2 Bug: https://bugs.gentoo.org/520480 Bug: https://bugs.gentoo.org/717780 Closes: https://bugs.gentoo.org/460114 Closes: https://bugs.gentoo.org/462064 Closes: https://bugs.gentoo.org/539826 Closes: https://bugs.gentoo.org/627330 Closes: https://bugs.gentoo.org/689598 Closes: https://bugs.gentoo.org/706378 Closes: https://bugs.gentoo.org/791772 Closes: https://bugs.gentoo.org/834153 Closes: https://bugs.gentoo.org/834911 Closes: https://bugs.gentoo.org/843320 Signed-off-by: David Seifert <soap@gentoo.org> dev-lang/lua/Manifest | 5 - dev-lang/lua/files/configure.in | 5 - dev-lang/lua/files/lua-5.1-module_paths.patch | 30 ----- dev-lang/lua/files/lua-5.1-readline.patch | 10 -- dev-lang/lua/files/lua-5.1.4-deprecated.patch | 46 ------- dev-lang/lua/files/lua-5.1.5-make.patch | 97 ------------- dev-lang/lua/files/lua-5.3.6-make.patch | 91 ------------- dev-lang/lua/files/lua-5.4.2-r2-make.patch | 99 -------------- dev-lang/lua/files/lua.pc | 31 ----- dev-lang/lua/lua-5.1.5-r109.ebuild | 145 -------------------- dev-lang/lua/lua-5.3.6-r5.ebuild | 187 -------------------------- dev-lang/lua/lua-5.4.4-r2.ebuild | 184 ------------------------- dev-lang/lua/metadata.xml | 23 ++-- 13 files changed, 11 insertions(+), 942 deletions(-) (In reply to GLSAMaker/CVETool Bot from comment #0) > CVE-2019-6706 (https://nvd.nist.gov/vuln/detail/CVE-2019-6706): > Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a > crash outcome might be achieved by an attacker who is able to trigger a > debug.upvaluejoin call in which the arguments have certain relationships. > > > ---- > Ubuntu have applied this patch: > https://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10. > 1.diff.gz (viewable in browser) https://raw.githubusercontent.com/Lua-Project/cve-analysis/main/CVE-2019-6706.pdf says that this is fixed by: https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e With the original bug report being: http://lua-users.org/lists/lua-l/2019-01/msg00039.html CVE-2020-15945, CVE-2020-15889, CVE-2020-15888, CVE-2020-24342, CVE-2020-24369, CVE-2020-24371 all fixed in 5.4.1 and seemingly not further. CVE-2020-24370 is patched in 5.3.6 and 5.4.1. Not sure if any of these affected previous branches. |