From: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
Subject: Current vulnerabilities of lua and luajit appear in China's database
To: freebsd-security@freebsd.org
Message-ID: <76130141-2eae-f34f-5043-7897f316aa73@heuristicsystems.com.au>
Date: Thu, 23 Jul 2020 11:49:14 +1000

I'm unsure of how to proceed regarding the vulnerability notifications at http://www.cnnvd.org.cn/ which affect all lua and luajit versions on FreeBSD. Normally I'd wait for the US CERT notification. However lua is part of the base FreeBSD and per /usr/src/contrib/lua/README we're using lua 5.3.5, which is vulnerable.

Reading the lua patch at https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312 I'm unable to reach any opinion regarding the vulnerability description at http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-1362, which Google Translate renders as:

"There is a buffer error vulnerability in Lua 5.4.0 and earlier versions. The vulnerability stems from the fact that when the network system or product performs operations on the memory, the data boundary is not correctly verified, resulting in incorrect read and write operations to other associated memory locations. Attackers can use this vulnerability to cause buffer overflow or heap overflow."

Following the github thread it looks like a heap overflow. The patches for luajit and lua were committed 10 and 12 days ago respectively.

Our ports tree contains: lua53, lua52, lua51 and luajit 2.0.5, and an OpenResty Inc branch for 2.1.20200102 (Makefile's LUAJIT_VERSION= 2.1.0-beta3).

Should this be raised for vuxml? Do others have any experience regarding confidence in cnnvd.org.au? (I haven't established trust in its assertions nor their accuracy, whereas I've relied upon CERT and later US CERT (& auscert.org.au) for years.)

Kind regards,
Dewayne.
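As an added illustration of the vuxml question above (example code, not from the post or from the FreeBSD project): a small checker that matches installed port versions against a VuXML-style `<affects>` entry. The entry, its vid and the installed-package sample are constructed, and the version ordering is a simplified form of pkg's that only handles VERSION[_PORTREVISION][,PORTEPOCH] with numeric components.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-style entry for illustration only, not a real FreeBSD
# advisory: placeholder vid, package names and versions from the post, and
# ranges that only say "this version and earlier".
VUXML_ENTRY = """<vuln vid="PLACEHOLDER-VID">
  <topic>lua, luajit -- heap overflow (illustrative entry)</topic>
  <affects>
    <package><name>lua53</name><range><le>5.3.5</le></range></package>
    <package><name>luajit</name><range><le>2.0.5</le></range></package>
  </affects>
</vuln>"""

# Constructed sample of what `pkg info` might report (name -> version).
INSTALLED = {"lua53": "5.3.5", "lua52": "5.2.4", "luajit": "2.0.5"}

def parse_version(v):
    """Simplified pkg version key VERSION[_PORTREVISION][,PORTEPOCH]:
    epoch, then numeric components, then revision, so 5.3.5_1 > 5.3.5."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    return (epoch, tuple(int(x) for x in re.findall(r"\d+", v)), rev)

# VuXML range bounds; every bound inside one <range> must hold for a match.
BOUNDS = {
    "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}

def affected(entry_xml, installed):
    """Return (name, version) for installed packages inside an affected range."""
    hits = []
    for pkg in ET.fromstring(entry_xml).iter("package"):
        name = pkg.findtext("name")
        if name not in installed:
            continue
        have = parse_version(installed[name])
        for rng in pkg.findall("range"):
            if all(BOUNDS[b.tag](have, parse_version(b.text)) for b in rng):
                hits.append((name, installed[name]))
                break
    return hits
```

Note that a patched port revision such as 5.3.5_1 sorts above 5.3.5 and so falls outside the `<le>5.3.5</le>` range, which is how a vuxml entry distinguishes a fixed port from the base-system copy that still reports 5.3.5.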