Date: Mon, 27 Jul 2020 22:52:12 -0500 From: Kyle Evans <kevans@freebsd.org> To: Dewayne Geraghty <dewayne@heuristicsystems.com.au> Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: Re: Current vulnerabilities of lua and luajit appear in China's database Message-ID: <CACNAnaH51prWrKkpUXKbjeHaQcYRv-_xGd9bLjad6DbSFSJVpw@mail.gmail.com> In-Reply-To: <76130141-2eae-f34f-5043-7897f316aa73@heuristicsystems.com.au> References: <76130141-2eae-f34f-5043-7897f316aa73@heuristicsystems.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jul 22, 2020 at 8:52 PM Dewayne Geraghty <dewayne@heuristicsystems.com.au> wrote: > > I'm unsure of how to proceed regarding the vulnerability notifications > at http://www.cnnvd.org.cn/ which affects all lua and luajit versions on > FreeBSD. Normally I'd wait for the US CERT notification. However lua is > part of the base FreeBSD and per /usr/src/contrib/lua/README we're using > lua 5.3.5 which is vulnerable. > > Reading the lua patch at > https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312 > I'm unable to reach any opinion regarding the vulnerability description > at http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-1362 > which Google translate states as: > "There is a buffer error vulnerability in Lua 5.4.0 and earlier > versions. The vulnerability stems from the fact that when the network > system or product performs operations on the memory, the data boundary > is not correctly verified, resulting in incorrect read and write > operations to other associated memory locations. Attackers can use this > vulnerability to cause buffer overflow or heap overflow." > Following the github thread it looks like a heap overflow. > > The patches for luajit and lua patches were committed 10 & 12 days ago > respectively. > > Our ports tree contains: lua53, lua52, lua51 and luajit 2.0.5 and a > OpenResty Inc branch for 2.1.20200102 (Makefile's LUAJIT_VERSION= > 2.1.0-beta3) > > Should this be raised for vuxml? > Do others have any experience regarding confidence in cnnvd.org.au? > (I haven't established a trust with its assertions nor their accuracy, > whereas I've relied upon CERT and later US CERT (& auscert.org.au) for > years.) > Hi, Sorry, I see that you've now gone without response for days on this. =-( I discussed this shortly after you posted with someone much closer to the Lua community; to generally summarize the situation: - The lua commit you/they linked is specifically for a 5.4.0-only bug, and we don't yet have a lua54 port - At the time, it was believed the LuaJIT one had little or no security implications; indeed, Mike Pall's confirmed (only 18 hours ago, mind you) that this is the case: https://github.com/LuaJIT/LuaJIT/issues/601 - There are some 5.3 bugs open and the 5.3.6 release cycle started a little while ago, but there's no indication of anything to worry about here as far as security issues go. In short, these reports appear to be bogus, or at least nothing for us to worry about. Thanks, Kyle Evans
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACNAnaH51prWrKkpUXKbjeHaQcYRv-_xGd9bLjad6DbSFSJVpw>