From: Kyle Evans <kevans@freebsd.org>
Date: Mon, 27 Jul 2020 22:52:12 -0500
Subject: Re: Current vulnerabilities of lua and luajit appear in China's database
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org
In-Reply-To: <76130141-2eae-f34f-5043-7897f316aa73@heuristicsystems.com.au>

On Wed, Jul 22, 2020 at 8:52 PM Dewayne Geraghty wrote:
>
> I'm unsure of how to proceed regarding the vulnerability notifications
> at http://www.cnnvd.org.cn/ which affects all lua and luajit versions on
> FreeBSD. Normally I'd wait for the US CERT notification. However lua is
> part of the base FreeBSD and per /usr/src/contrib/lua/README we're using
> lua 5.3.5 which is vulnerable.
>
> Reading the lua patch at
> https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312
> I'm unable to reach any opinion regarding the vulnerability description
> at http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-1362
> which Google translate states as:
> "There is a buffer error vulnerability in Lua 5.4.0 and earlier
> versions. The vulnerability stems from the fact that when the network
> system or product performs operations on the memory, the data boundary
> is not correctly verified, resulting in incorrect read and write
> operations to other associated memory locations. Attackers can use this
> vulnerability to cause buffer overflow or heap overflow."
> Following the github thread it looks like a heap overflow.
>
> The patches for luajit and lua were committed 10 & 12 days ago
> respectively.
>
> Our ports tree contains: lua53, lua52, lua51 and luajit 2.0.5 and an
> OpenResty Inc branch for 2.1.20200102 (Makefile's LUAJIT_VERSION=
> 2.1.0-beta3)
>
> Should this be raised for vuxml?
> Do others have any experience regarding confidence in cnnvd.org.au?
> (I haven't established a trust with its assertions nor their accuracy,
> whereas I've relied upon CERT and later US CERT (& auscert.org.au) for
> years.)
>

Hi,

Sorry, I see that you've now gone without response for days on this. =-(

I discussed this shortly after you posted with someone much closer to
the Lua community; to generally summarize the situation:

- The lua commit you/they linked is specifically for a 5.4.0-only bug,
  and we don't yet have a lua54 port
- At the time, it was believed the LuaJIT one had little or no security
  implications; indeed, Mike Pall's confirmed (only 18 hours ago, mind
  you) that this is the case: https://github.com/LuaJIT/LuaJIT/issues/601
- There are some 5.3 bugs open and the 5.3.6 release cycle started a
  little while ago, but there's no indication of anything to worry about
  here as far as security issues go.

In short, these reports appear to be bogus, or at least nothing for us
to worry about.

Thanks,

Kyle Evans