Bug 520480 (CVE-2014-5461) - <dev-lang/lua-{5.1.5-r4,5.2.3}: overflow flaw in vararg functions
Status: RESOLVED FIXED
Alias: CVE-2014-5461
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Duplicates: 606902
Depends on:
Blocks:
 
Reported: 2014-08-22 08:53 UTC by Agostino Sarubbo
Modified: 2017-01-24 03:07 UTC

See Also:
Package list:
=dev-lang/lua-5.1.5-r4
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2014-08-22 08:53:36 UTC
From ${URL} :

An overflow flaw was fixed in Lua 5.2.2:

http://www.lua.org/bugs.html#5.2.2-1

This could cause the application to crash or, potentially, execute arbitrary code. One way an attacker could trigger this issue is if they can control parameters to a loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua).
Although Fedora 20 has 5.2.2, the issue is not resolved there.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2014-09-09 19:15:35 UTC
Original request if ready for stabilization on 8/22. 5.23 is in tree but masked. Please advise what is the status for stabilization, even if the status is not ready, and the reasons (or bugs) that are blocking this.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2014-10-05 13:04:44 UTC
Ping on question on stabilization, please advise. Otherwise will call for stabilization on around October 11, 2014.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-24 23:49:48 UTC
http://www.lua.org/bugs.html#5.2.2-1:

reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3.

CC'ing new maintainer.


@ Maintainer(s): The call for stabilization timed out 2y ago... due to changed maintainer, please advise us how to proceed. >=dev-lang/lua-5.2.3 has to go stable and previous versions need to get cleaned up.
Comment 4 Thomas Deutschmann gentoo-dev Security 2016-11-28 18:44:59 UTC
Note: I ping'ed William via IRC. He needs to talk to Rafael first. If we don't get an update from maintainers until 2016-12-30 security will consider next steps.
Comment 5 Rafael Martins gentoo-dev 2016-11-28 19:14:47 UTC
Should be fixed in -r4
Comment 6 Thomas Deutschmann gentoo-dev Security 2016-11-28 19:19:53 UTC
OK, maintainer decided to patch existing 5.1.5 version (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=856bde253c4184b33adc1f0267e80464d564763b), thanks!


@ Arches,

please test and mark stable: =dev-lang/lua/lua-5.1.5-r4
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-29 10:41:17 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-29 10:43:40 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2016-11-30 19:31:21 UTC
arm stable
Comment 10 Tobias Klausmann gentoo-dev 2016-12-02 14:21:34 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-11 10:37:08 UTC
sparc stable
Comment 12 Jeroen Roovers gentoo-dev 2017-01-14 12:36:16 UTC
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:02 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2017-01-17 14:25:26 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-01-18 10:03:30 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-19 10:49:21 UTC
GLSA request filed.

Another LWN article... "Gentoo patches ancient bug."
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-23 03:32:23 UTC
This issue was resolved and addressed in
 GLSA 201701-53 at https://security.gentoo.org/glsa/201701-53
by GLSA coordinator Aaron Bauman (b-man).

@maintainer(s), please cleanup.
Comment 18 Rafael Martins gentoo-dev 2017-01-23 03:40:08 UTC
(In reply to Aaron Bauman from comment #17)
> This issue was resolved and addressed in
>  GLSA 201701-53 at https://security.gentoo.org/glsa/201701-53
> by GLSA coordinator Aaron Bauman (b-man).
> 
> @maintainer(s), please cleanup.

cleaned up. thanks
Comment 19 Gleb 2017-01-23 06:00:32 UTC
I can see that there's no stable dev-lang/lua for amd64 and x84 arches in the tree, what's wrong?
Comment 20 Rafael Martins gentoo-dev 2017-01-23 09:57:21 UTC
(In reply to Gleb from comment #19)
> I can see that there's no stable dev-lang/lua for amd64 and x84 arches in
> the tree, what's wrong?

yes, for some reason those keywords disappeared from -r4 before I cleaned up the old ebuilds, and repoman failed to warn me. mgorny fixed it while I was away.

thanks
Comment 21 Jeroen Roovers gentoo-dev 2017-01-23 11:35:17 UTC
*** Bug 606902 has been marked as a duplicate of this bug. ***