Current vulnerabilities of lua and luajit appear in China's database

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Current vulnerabilities of lua and luajit appear in China's database

Dewayne Geraghty-6
I'm unsure of how to proceed regarding the vulnerability notifications
at http://www.cnnvd.org.cn/ which affects all lua and luajit versions on
FreeBSD.  Normally I'd wait for the US CERT notification. However lua is
part of the base FreeBSD and per /usr/src/contrib/lua/README we're using
lua 5.3.5 which is vulnerable.

Reading the lua patch at
https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312
I'm unable to reach any opinion regarding the vulnerability description
at http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-1362
which Google translate states as:
"There is a buffer error vulnerability in Lua 5.4.0 and earlier
versions. The vulnerability stems from the fact that when the network
system or product performs operations on the memory, the data boundary
is not correctly verified, resulting in incorrect read and write
operations to other associated memory locations. Attackers can use this
vulnerability to cause buffer overflow or heap overflow."
Following the github thread it looks like a heap overflow.

The patches for luajit and lua patches were committed 10 & 12 days ago
respectively.

Our ports tree contains: lua53, lua52, lua51 and luajit 2.0.5 and a
OpenResty Inc branch for 2.1.20200102 (Makefile's LUAJIT_VERSION=
2.1.0-beta3)

Should this be raised for vuxml?
Do others have any experience regarding confidence in cnnvd.org.au?
(I haven't established a trust with its assertions nor their accuracy,
whereas I've relied upon CERT and later US CERT (& auscert.org.au) for
years.)

Kind regards, Dewayne.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Current vulnerabilities of lua and luajit appear in China's database

Kyle Evans-3
On Wed, Jul 22, 2020 at 8:52 PM Dewayne Geraghty
<[hidden email]> wrote:

>
> I'm unsure of how to proceed regarding the vulnerability notifications
> at http://www.cnnvd.org.cn/ which affects all lua and luajit versions on
> FreeBSD.  Normally I'd wait for the US CERT notification. However lua is
> part of the base FreeBSD and per /usr/src/contrib/lua/README we're using
> lua 5.3.5 which is vulnerable.
>
> Reading the lua patch at
> https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312
> I'm unable to reach any opinion regarding the vulnerability description
> at http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-1362
> which Google translate states as:
> "There is a buffer error vulnerability in Lua 5.4.0 and earlier
> versions. The vulnerability stems from the fact that when the network
> system or product performs operations on the memory, the data boundary
> is not correctly verified, resulting in incorrect read and write
> operations to other associated memory locations. Attackers can use this
> vulnerability to cause buffer overflow or heap overflow."
> Following the github thread it looks like a heap overflow.
>
> The patches for luajit and lua patches were committed 10 & 12 days ago
> respectively.
>
> Our ports tree contains: lua53, lua52, lua51 and luajit 2.0.5 and a
> OpenResty Inc branch for 2.1.20200102 (Makefile's LUAJIT_VERSION=
> 2.1.0-beta3)
>
> Should this be raised for vuxml?
> Do others have any experience regarding confidence in cnnvd.org.au?
> (I haven't established a trust with its assertions nor their accuracy,
> whereas I've relied upon CERT and later US CERT (& auscert.org.au) for
> years.)
>

Hi,

Sorry, I see that you've now gone without response for days on this. =-(

I discussed this shortly after you posted with someone much closer to
the Lua community; to generally summarize the situation:

- The lua commit you/they linked is specifically for a 5.4.0-only bug,
and we don't yet have a lua54 port
- At the time, it was believed the LuaJIT one had little or no
security implications; indeed, Mike Pall's confirmed (only 18 hours
ago, mind you) that this is the case:
https://github.com/LuaJIT/LuaJIT/issues/601
- There are some 5.3 bugs open and the 5.3.6 release cycle started a
little while ago, but there's no indication of anything to worry about
here as far as security issues go.

In short, these reports appear to be bogus, or at least nothing for us
to worry about.

Thanks,

Kyle Evans
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[hidden email]"