Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 520480 (CVE-2014-5461) - <dev-lang/lua-{5.1.5-r4,5.2.3}: overflow flaw in vararg functions
Summary: <dev-lang/lua-{5.1.5-r4,5.2.3}: overflow flaw in vararg functions
Alias: CVE-2014-5461
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve ebuild?]
: 606902 (view as bug list)
Depends on:
Reported: 2014-08-22 08:53 UTC by Agostino Sarubbo
Modified: 2021-11-29 16:37 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---
nattka: sanity-check-


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-08-22 08:53:36 UTC
From ${URL} :

An overflow flaw was fixed in Lua 5.2.2:

This could cause the application to crash or, potentially, execute arbitrary code. One way an attacker could trigger this issue is if 
they can control parameters to a loadstring call (an eval in Lua,
Although Fedora 20 has 5.2.2, the issue is not resolved there.

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-09-09 19:15:35 UTC
Original request if ready for stabilization on 8/22. 5.23 is in tree but masked. Please advise what is the status for stabilization, even if the status is not ready, and the reasons (or bugs) that are blocking this.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 13:04:44 UTC
Ping on question on stabilization, please advise. Otherwise will call for stabilization on around October 11, 2014.
Comment 3 Thomas Deutschmann gentoo-dev 2016-11-24 23:49:48 UTC

reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3.

CC'ing new maintainer.

@ Maintainer(s): The call for stabilization timed out 2y ago... due to changed maintainer, please advise us how to proceed. >=dev-lang/lua-5.2.3 has to go stable and previous versions needs to get cleaned up.
Comment 4 Thomas Deutschmann gentoo-dev 2016-11-28 18:44:59 UTC
Note: I ping'ed William via IRC. He needs to talk to Rafael first. If we don't get an update from maintainers until 2016-12-30 security will consider next steps.
Comment 5 Rafael Martins (RETIRED) gentoo-dev 2016-11-28 19:14:47 UTC
Should be fixed in -r4
Comment 6 Thomas Deutschmann gentoo-dev 2016-11-28 19:19:53 UTC
OK, maintainer decided to patch existing 5.1.5 version (, thanks!

@ Arches,

please test and mark stable: =dev-lang/lua/lua-5.1.5-r4
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-29 10:41:17 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-29 10:43:40 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2016-11-30 19:31:21 UTC
arm stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-02 14:21:34 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-11 10:37:08 UTC
sparc stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 12:36:16 UTC
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:02 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2017-01-17 14:25:26 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-01-18 10:03:30 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-19 10:49:21 UTC
GLSA request filed.

Another LWN article... "Gentoo patches ancient bug."
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-23 03:32:23 UTC
This issue was resolved and addressed in
 GLSA 201701-53 at
by GLSA coordinator Aaron Bauman (b-man).

@maintainer(s), please cleanup.
Comment 18 Rafael Martins (RETIRED) gentoo-dev 2017-01-23 03:40:08 UTC
(In reply to Aaron Bauman from comment #17)
> This issue was resolved and addressed in
>  GLSA 201701-53 at
> by GLSA coordinator Aaron Bauman (b-man).
> @maintainer(s), please cleanup.

cleaned up. thanks
Comment 19 Gleb 2017-01-23 06:00:32 UTC
I can see that there's no stable dev-lang/lua for amd64 and x84 arches in the tree, what's wrong?
Comment 20 Rafael Martins (RETIRED) gentoo-dev 2017-01-23 09:57:21 UTC
(In reply to Gleb from comment #19)
> I can see that there's no stable dev-lang/lua for amd64 and x84 arches in
> the tree, what's wrong?

yes, for some reason those keywords disappeared from -r4 before I cleaned up the old ebuilds, and repoman failed to warn me. mgorny fixed it while I was away.

Comment 21 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-23 11:35:17 UTC
*** Bug 606902 has been marked as a duplicate of this bug. ***
Comment 22 Simon Becker 2021-11-29 11:01:35 UTC
The patch for this CVE was deleted together with 5.1.5-r4 in commit 94dbb827593747a05def4ea999d8d153e166795e. Moreover, it was never applied to more recent revisions. In my opinion, it should be re-activated for 5.1.5-r106 and kept for future revisions.
Comment 23 NATTkA bot gentoo-dev 2021-11-29 16:37:02 UTC
Unable to check for sanity:

> no match for package: =dev-lang/lua-5.1.5-r4