Date: Thu, 21 Aug 2014 16:34:35 +1000 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com Subject: Lua CVE request [was Re: CVE request: possible overflow in vararg functions] Last spam, changing the subject so it is obvious where the issue is. On 08/21/2014 04:33 PM, Murray McAllister wrote: > Additionally, Fedora has 5.2.2, but it does not have the fix, so even if > shipping 5.2.2 it may be worth checking... > > On 08/21/2014 04:31 PM, Murray McAllister wrote: >> Good morning, >> >> An overflow was reported to have been fixed in Lua 5.2.2. A reproducer >> and patch are available from: >> >> http://www.lua.org/bugs.html#5.2.2-1 >> >> The reproducer affects older versions too (such as 5.1.4). One way an >> attacker could trigger this issue is if they can control parameters to a >> loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua). >> >> Could a CVE please be assigned if one has not been already? >> >> Some notes: >> >> valgrind shows this crashes with invalid writes, but I am not sure if >> this is really a stack or heap overflow but something else. In >> luaD_precall(): >> >> 330 for (; n < p->numparams; n++) >> 331 setnilvalue(L->top++); /* complete missing arguments */ >> >> This goes through 49 times with the reproducer (?possibly lifting what >> Lua thinks is the stack into the heap area?). >> >> After that finishes: >> >> 333 ci = next_ci(L); >> >> Results in a call to luaE_extendCI(), where the issue is triggered while >> attempting to call luaM_new() (I did not get further than this yet). >> >> Thanks, >> >> -- >> Murray McAllister / Red Hat Product Security >> >> https://bugzilla.redhat.com/show_bug.cgi?id=1132304 >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ