Dewayne Geraghty
2020-Jul-23 01:49 UTC
Current vulnerabilities of lua and luajit appear in China's database
I'm unsure of how to proceed regarding the vulnerability notifications at http://www.cnnvd.org.cn/ which affects all lua and luajit versions on FreeBSD. Normally I'd wait for the US CERT notification. However lua is part of the base FreeBSD and per /usr/src/contrib/lua/README we're using lua 5.3.5 which is vulnerable. Reading the lua patch at https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312 I'm unable to reach any opinion regarding the vulnerability description at http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-1362 which Google translate states as: "There is a buffer error vulnerability in Lua 5.4.0 and earlier versions. The vulnerability stems from the fact that when the network system or product performs operations on the memory, the data boundary is not correctly verified, resulting in incorrect read and write operations to other associated memory locations. Attackers can use this vulnerability to cause buffer overflow or heap overflow." Following the github thread it looks like a heap overflow. The patches for luajit and lua patches were committed 10 & 12 days ago respectively. Our ports tree contains: lua53, lua52, lua51 and luajit 2.0.5 and a OpenResty Inc branch for 2.1.20200102 (Makefile's LUAJIT_VERSION2.1.0-beta3) Should this be raised for vuxml? Do others have any experience regarding confidence in cnnvd.org.au? (I haven't established a trust with its assertions nor their accuracy, whereas I've relied upon CERT and later US CERT (& auscert.org.au) for years.) Kind regards, Dewayne.
Kyle Evans
2020-Jul-28 03:52 UTC
Current vulnerabilities of lua and luajit appear in China's database
On Wed, Jul 22, 2020 at 8:52 PM Dewayne Geraghty <dewayne at heuristicsystems.com.au> wrote:> > I'm unsure of how to proceed regarding the vulnerability notifications > at http://www.cnnvd.org.cn/ which affects all lua and luajit versions on > FreeBSD. Normally I'd wait for the US CERT notification. However lua is > part of the base FreeBSD and per /usr/src/contrib/lua/README we're using > lua 5.3.5 which is vulnerable. > > Reading the lua patch at > https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312 > I'm unable to reach any opinion regarding the vulnerability description > at http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-1362 > which Google translate states as: > "There is a buffer error vulnerability in Lua 5.4.0 and earlier > versions. The vulnerability stems from the fact that when the network > system or product performs operations on the memory, the data boundary > is not correctly verified, resulting in incorrect read and write > operations to other associated memory locations. Attackers can use this > vulnerability to cause buffer overflow or heap overflow." > Following the github thread it looks like a heap overflow. > > The patches for luajit and lua patches were committed 10 & 12 days ago > respectively. > > Our ports tree contains: lua53, lua52, lua51 and luajit 2.0.5 and a > OpenResty Inc branch for 2.1.20200102 (Makefile's LUAJIT_VERSION> 2.1.0-beta3) > > Should this be raised for vuxml? > Do others have any experience regarding confidence in cnnvd.org.au? > (I haven't established a trust with its assertions nor their accuracy, > whereas I've relied upon CERT and later US CERT (& auscert.org.au) for > years.) >Hi, Sorry, I see that you've now gone without response for days on this. =-( I discussed this shortly after you posted with someone much closer to the Lua community; to generally summarize the situation: - The lua commit you/they linked is specifically for a 5.4.0-only bug, and we don't yet have a lua54 port - At the time, it was believed the LuaJIT one had little or no security implications; indeed, Mike Pall's confirmed (only 18 hours ago, mind you) that this is the case: https://github.com/LuaJIT/LuaJIT/issues/601 - There are some 5.3 bugs open and the 5.3.6 release cycle started a little while ago, but there's no indication of anything to worry about here as far as security issues go. In short, these reports appear to be bogus, or at least nothing for us to worry about. Thanks, Kyle Evans