Date:      Thu, 23 Jul 2020 11:49:14 +1000
From:      Dewayne Geraghty <dewayne@heuristicsystems.com.au>
To:        "freebsd-security@freebsd.org" <freebsd-security@FreeBSD.org>
Subject:   Current vulnerabilities of lua and luajit appear in China's database
Message-ID:  <76130141-2eae-f34f-5043-7897f316aa73@heuristicsystems.com.au>

I'm unsure of how to proceed regarding the vulnerability notifications
at http://www.cnnvd.org.cn/ which affect all lua and luajit versions on
FreeBSD.  Normally I'd wait for the US CERT notification. However lua is
part of the base FreeBSD and per /usr/src/contrib/lua/README we're using
lua 5.3.5 which is vulnerable.

Reading the lua patch at
https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312
I'm unable to reach any opinion regarding the vulnerability description
at http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-1362
which Google translate states as:
"There is a buffer error vulnerability in Lua 5.4.0 and earlier
versions. The vulnerability stems from the fact that when the network
system or product performs operations on the memory, the data boundary
is not correctly verified, resulting in incorrect read and write
operations to other associated memory locations. Attackers can use this
vulnerability to cause buffer overflow or heap overflow."
Following the github thread it looks like a heap overflow.

The patches for luajit and lua were committed 10 and 12 days ago
respectively.

Our ports tree contains: lua53, lua52, lua51 and luajit 2.0.5 and an
OpenResty Inc branch for 2.1.20200102 (Makefile's LUAJIT_VERSION=
2.1.0-beta3)

Should this be raised for vuxml?
Do others have any experience regarding confidence in cnnvd.org.cn?
(I haven't established trust in its assertions or their accuracy,
whereas I've relied upon CERT and later US CERT (& auscert.org.au) for
years.)

Kind regards, Dewayne.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?76130141-2eae-f34f-5043-7897f316aa73>