Date: Wed, 27 Aug 2014 01:20:39 -0400 (EDT)
From: cve-assign@...re.org
To: fweimer@...hat.com, mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Lua CVE request [was Re: CVE request: possible overflow in vararg functions]

> http://www.lua.org/bugs.html#5.2.2-1
> Stack overflow in vararg functions with many fixed parameters called with few arguments.

Use CVE-2014-5461.

> Lua has some sandboxing functionality, but it can be bypassed by
> supplying precompiled bytecode. There have been extensive discussions
> about this on the lua-users mailing list, e.g.:
>
> <http://lua-users.org/lists/lua-l/2011-10/msg01215.html>

We did not immediately find information to decide on the number of CVE
IDs. Picking a few random frames from
http://www.youtube.com/watch?v=OSMOTDLrBCQ suggested that approximately
three CVE-2011-#### IDs could be assigned. If anyone has better
information, or even the same information in a text format, that could
be useful (if the CVE-2011-#### IDs are needed).

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]