Bug 520480 (CVE-2014-5461) - <dev-lang/lua-{5.1.5-r200,5.2.3}: overflow flaw in vararg functions
Summary: <dev-lang/lua-{5.1.5-r200,5.2.3}: overflow flaw in vararg functions
Status: IN_PROGRESS
Alias: CVE-2014-5461
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Duplicates: 606902
Depends on:
Blocks:
Reported: 2014-08-22 08:53 UTC by Agostino Sarubbo
Modified: 2022-10-14 16:37 UTC (History)

See Also:
Package list:
=dev-lang/lua-5.1.5-r4
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-08-22 08:53:36 UTC
From ${URL} :

An overflow flaw was fixed in Lua 5.2.2:

http://www.lua.org/bugs.html#5.2.2-1

This could cause the application to crash or, potentially, execute arbitrary code. One way an attacker could trigger this issue is if they can control parameters to a loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua).
Although Fedora 20 has 5.2.2, the issue is not resolved there.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-09-09 19:15:35 UTC
Original request if ready for stabilization on 8/22. 5.23 is in tree but masked. Please advise what is the status for stabilization, even if the status is not ready, and the reasons (or bugs) that are blocking this.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 13:04:44 UTC
Ping on question on stabilization, please advise. Otherwise will call for stabilization on around October 11, 2014.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-24 23:49:48 UTC
http://www.lua.org/bugs.html#5.2.2-1:

reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3.

CC'ing new maintainer.


@ Maintainer(s): The call for stabilization timed out 2y ago... due to changed maintainer, please advise us how to proceed. >=dev-lang/lua-5.2.3 has to go stable and previous versions need to get cleaned up.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-28 18:44:59 UTC
Note: I ping'ed William via IRC. He needs to talk to Rafael first. If we don't get an update from maintainers until 2016-12-30 security will consider next steps.
Comment 5 Rafael Martins (RETIRED) gentoo-dev 2016-11-28 19:14:47 UTC
Should be fixed in -r4
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-28 19:19:53 UTC
OK, maintainer decided to patch existing 5.1.5 version (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=856bde253c4184b33adc1f0267e80464d564763b), thanks!


@ Arches,

please test and mark stable: =dev-lang/lua/lua-5.1.5-r4
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-29 10:41:17 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-29 10:43:40 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2016-11-30 19:31:21 UTC
arm stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-02 14:21:34 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-11 10:37:08 UTC
sparc stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 12:36:16 UTC
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:02 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2017-01-17 14:25:26 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-01-18 10:03:30 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-01-19 10:49:21 UTC
GLSA request filed.

Another LWN article... "Gentoo patches ancient bug."
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2017-01-23 03:32:23 UTC
This issue was resolved and addressed in
 GLSA 201701-53 at https://security.gentoo.org/glsa/201701-53
by GLSA coordinator Aaron Bauman (b-man).

@maintainer(s), please cleanup.
Comment 18 Rafael Martins (RETIRED) gentoo-dev 2017-01-23 03:40:08 UTC
(In reply to Aaron Bauman from comment #17)
> This issue was resolved and addressed in
>  GLSA 201701-53 at https://security.gentoo.org/glsa/201701-53
> by GLSA coordinator Aaron Bauman (b-man).
> 
> @maintainer(s), please cleanup.

cleaned up. thanks
Comment 19 Gleb 2017-01-23 06:00:32 UTC
I can see that there's no stable dev-lang/lua for amd64 and x84 arches in the tree, what's wrong?
Comment 20 Rafael Martins (RETIRED) gentoo-dev 2017-01-23 09:57:21 UTC
(In reply to Gleb from comment #19)
> I can see that there's no stable dev-lang/lua for amd64 and x84 arches in
> the tree, what's wrong?

yes, for some reason those keywords disappeared from -r4 before I cleaned up the old ebuilds, and repoman failed to warn me. mgorny fixed it while I was away.

thanks
Comment 21 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-23 11:35:17 UTC
*** Bug 606902 has been marked as a duplicate of this bug. ***
Comment 22 Account Removed 2021-11-29 11:01:35 UTC
The patch for this CVE was deleted together with 5.1.5-r4 in commit 94dbb827593747a05def4ea999d8d153e166795e. Moreover, it was never applied to more recent revisions. In my opinion, it should be re-activated for 5.1.5-r106 and kept for future revisions.
Comment 23 NATTkA bot gentoo-dev 2021-11-29 16:37:02 UTC
Unable to check for sanity:

> no match for package: =dev-lang/lua-5.1.5-r4
Comment 24 Larry the Git Cow gentoo-dev 2022-10-13 13:20:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc1f784b5c91f2e0be1aa06b155cff958ba22a0

commit 1bc1f784b5c91f2e0be1aa06b155cff958ba22a0
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2022-10-13 13:19:37 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2022-10-13 13:19:37 +0000

    dev-lang/lua: drop 5.1.5-r109, 5.3.6-r5, 5.4.4-r2
    
    Bug: https://bugs.gentoo.org/520480
    Bug: https://bugs.gentoo.org/717780
    Closes: https://bugs.gentoo.org/460114
    Closes: https://bugs.gentoo.org/462064
    Closes: https://bugs.gentoo.org/539826
    Closes: https://bugs.gentoo.org/627330
    Closes: https://bugs.gentoo.org/689598
    Closes: https://bugs.gentoo.org/706378
    Closes: https://bugs.gentoo.org/791772
    Closes: https://bugs.gentoo.org/834153
    Closes: https://bugs.gentoo.org/834911
    Closes: https://bugs.gentoo.org/843320
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-lang/lua/Manifest                         |   5 -
 dev-lang/lua/files/configure.in               |   5 -
 dev-lang/lua/files/lua-5.1-module_paths.patch |  30 -----
 dev-lang/lua/files/lua-5.1-readline.patch     |  10 --
 dev-lang/lua/files/lua-5.1.4-deprecated.patch |  46 -------
 dev-lang/lua/files/lua-5.1.5-make.patch       |  97 -------------
 dev-lang/lua/files/lua-5.3.6-make.patch       |  91 -------------
 dev-lang/lua/files/lua-5.4.2-r2-make.patch    |  99 --------------
 dev-lang/lua/files/lua.pc                     |  31 -----
 dev-lang/lua/lua-5.1.5-r109.ebuild            | 145 --------------------
 dev-lang/lua/lua-5.3.6-r5.ebuild              | 187 --------------------------
 dev-lang/lua/lua-5.4.4-r2.ebuild              | 184 -------------------------
 dev-lang/lua/metadata.xml                     |  23 ++--
 13 files changed, 11 insertions(+), 942 deletions(-)
Comment 25 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 02:57:24 UTC
Oh, 5.1.6-r2 was eventually renamed to 5.1.5-r200.
Comment 26 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:02:28 UTC
GLSA request filed
Comment 27 David Seifert gentoo-dev 2022-10-14 09:39:50 UTC
(In reply to John Helmert III from comment #25)
> Oh, 5.1.6-r2 was eventually renamed to 5.1.5-r200.

Yup, that was my mistake.
Comment 28 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 16:37:02 UTC
(In reply to David Seifert from comment #27)
> (In reply to John Helmert III from comment #25)
> > Oh, 5.1.6-r2 was eventually renamed to 5.1.5-r200.
> 
> Yup, that was my mistake.

No worries! Just noting that's why I'm waffling with summary