Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 717780 (CVE-2019-6706, CVE-2020-15888, CVE-2020-15889, CVE-2020-15945, CVE-2020-24342, CVE-2020-24369, CVE-2020-24370, CVE-2020-24371) - dev-lang/lua: Multiple vulnerabilities (CVE-2019-6706, CVE-2020-{15945,15888,15889,24342,24369,24370,24371})
Summary: dev-lang/lua: Multiple vulnerabilities (CVE-2019-6706, CVE-2020-{15945,15888,...
Status: IN_PROGRESS
Alias: CVE-2019-6706, CVE-2020-15888, CVE-2020-15889, CVE-2020-15945, CVE-2020-24342, CVE-2020-24369, CVE-2020-24370, CVE-2020-24371
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [upstream/ebuild cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-17 01:37 UTC by GLSAMaker/CVETool Bot
Modified: 2020-08-20 15:49 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 01:37:17 UTC
CVE-2019-6706 (https://nvd.nist.gov/vuln/detail/CVE-2019-6706):
  Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a
  crash outcome might be achieved by an attacker who is able to trigger a
  debug.upvaluejoin call in which the arguments have certain relationships.


----
Ubuntu have applied this patch: https://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10.1.diff.gz (viewable in browser)
Comment 1 Sam James archtester gentoo-dev Security 2020-06-13 17:01:48 UTC
ping
Comment 2 John Helmert III (ajak) 2020-07-22 00:53:19 UTC
CVE-2020-15889:

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.

CVE-2020-15888:

Lua through 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.
Comment 3 Sam James archtester gentoo-dev Security 2020-07-25 02:44:06 UTC
* CVE-2020-15945

"Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function."

http://lua-users.org/lists/lua-l/2020-07/msg00123.html
https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3
Comment 4 John Helmert III (ajak) 2020-08-13 23:31:12 UTC
(In reply to John Helmert III (ajak) from comment #2)
> CVE-2020-15889:
> 
> Lua through 5.4.0 mishandles the interaction between stack resizes and
> garbage collection, leading to a heap-based buffer overflow, heap-based
> buffer over-read, or use-after-free.

Patch: https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312

> CVE-2020-15888:
> 
> Lua through 5.4.0 has a getobjname heap-based buffer over-read because
> youngcollection in lgc.c uses markold for an insufficient number of list
> members.

Patches: https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5


CVE-2020-24342:

Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.

Patch: https://github.com/lua/lua/commit/34affe7a63fc5d842580a9f23616d057e17dfe27
Comment 5 John Helmert III (ajak) 2020-08-18 16:00:04 UTC
CVE-2020-24369:

ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.

Patch: https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a

CVE-2020-24370:

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).

Patch: https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b

CVE-2020-24371:

lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.

Patch: https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110
Comment 6 Sam James archtester gentoo-dev Security 2020-08-20 10:57:49 UTC
ping
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 15:49:29 UTC
sam:
1. Lua 5.4 is not yet packaged in Gentoo, CVEs that affect only 5.4 (and not older series) don't impact us.
2. Upstream does not make further point releases in old series, making this harder to roll quickly