lua5.3: CVE-2019-6706


Debian Bug report logs - #920321
lua5.3: CVE-2019-6706


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 24 Jan 2019 06:06:01 UTC

Severity: important

Tags: security, upstream

Found in versions lua5.3/5.3.3-1.1, lua5.3/5.3.3-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Enrico Tassi <gareuselesinge@debian.org>:
Bug#920321; Package src:lua5.3. (Thu, 24 Jan 2019 06:06:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Enrico Tassi <gareuselesinge@debian.org>. (Thu, 24 Jan 2019 06:06:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lua5.3: CVE-2019-6706
Date: Thu, 24 Jan 2019 07:02:59 +0100
Source: lua5.3
Version: 5.3.3-1.1
Severity: important
Tags: security upstream
Control: found -1 5.3.3-1

Hi,

The following vulnerability was published for lua5.3.

CVE-2019-6706[0]:
| Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For
| example, a crash outcome might be achieved by an attacker who is able
| to trigger a debug.upvaluejoin call in which the arguments have certain
| relationships.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-6706
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
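The advisory above says the crash needs an attacker who can trigger a debug.upvaluejoin call, so hosts that run untrusted Lua should not hand such code the debug library at all. The following is an added example, not part of this bug report or of the lua5.3 package, of a Lua 5.3 loader that binds untrusted chunks to an environment without debug (defense in depth alongside updating the package); make_sandbox_env and run_untrusted are names chosen for this example.

```lua
-- Added example, not from the bug report: run untrusted Lua 5.3 chunks in an
-- environment that never exposes the debug library, so debug.upvaluejoin is
-- unreachable from the chunk. Function names are chosen for this example.

local function make_sandbox_env()
  -- Explicit allow-list of globals. Deliberately absent: debug, load,
  -- loadstring, dofile, loadfile, require, package, os, io, setmetatable,
  -- getmetatable, rawget, rawset, rawequal, collectgarbage.
  local allowed = {
    "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
    "tonumber", "tostring", "type", "xpcall",
  }
  local env = {}
  for _, name in ipairs(allowed) do env[name] = _G[name] end
  -- Shallow-copy pure library tables so the chunk cannot alter the host's.
  for _, lib in ipairs({ "string", "table", "math", "utf8" }) do
    local copy = {}
    for k, v in pairs(_G[lib]) do copy[k] = v end
    env[lib] = copy
  end
  -- Caveat: string values still reach the host's string table through the
  -- string metatable, e.g. ("x"):rep(3); that table holds no debug functions.
  return env
end

-- Mode "t" rejects precompiled bytecode, which the loader does not verify;
-- the fourth argument binds the chunk's globals to the restricted table.
local function run_untrusted(source, chunkname)
  local chunk, err = load(source, chunkname or "=untrusted", "t", make_sandbox_env())
  if not chunk then
    return false, err          -- syntax error or bytecode refused
  end
  return pcall(chunk)          -- true, results... or false, runtime error
end

-- Constructed inputs: a benign chunk, then one that tries to reach debug.
print(run_untrusted("return ('%d items'):format(#{1, 2, 3})"))
print(run_untrusted("return debug.upvaluejoin"))
```

The second call fails with a runtime error about indexing the nil global debug, which is the intended outcome for sandboxed code.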



Marked as found in versions lua5.3/5.3.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 24 Jan 2019 06:06:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Enrico Tassi <gareuselesinge@debian.org>:
Bug#920321; Package src:lua5.3. (Mon, 08 Apr 2019 18:33:11 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Enrico Tassi <gareuselesinge@debian.org>. (Mon, 08 Apr 2019 18:33:11 GMT)


Message #12 received at 920321@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: leo.barbosa@canonical.com, 920321@bugs.debian.org
Subject: Re: lua5.3: CVE-2019-6706
Date: Mon, 8 Apr 2019 20:29:47 +0200
On Thu, Jan 24, 2019 at 07:02:59AM +0100, Salvatore Bonaccorso wrote:
> Source: lua5.3
> Version: 5.3.3-1.1
> Severity: important
> Tags: security upstream
> Control: found -1 5.3.3-1
> 
> Hi,
> 
> The following vulnerability was published for lua5.3.
> 
> CVE-2019-6706[0]:
> | Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For
> | example, a crash outcome might be achieved by an attacker who is able
> | to trigger a debug.upvaluejoin call in which the arguments have certain
> | relationships.

Ubuntu fixed this via https://launchpad.net/ubuntu/+source/lua5.3/5.3.3-1ubuntu0.18.10.1 :
http://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10.1.diff.gz

Leonidas, what's the provenance of that patch (given that upstream doesn't
have a public code repo), has it been reviewed/blessed by the Lua upstream
developers?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Enrico Tassi <gareuselesinge@debian.org>:
Bug#920321; Package src:lua5.3. (Mon, 08 Apr 2019 23:03:03 GMT)


Acknowledgement sent to "Leonidas S. Barbosa" <leo.barbosa@canonical.com>:
Extra info received and forwarded to list. Copy sent to Enrico Tassi <gareuselesinge@debian.org>. (Mon, 08 Apr 2019 23:03:03 GMT)


Message #17 received at 920321@bugs.debian.org:

From: "Leonidas S. Barbosa" <leo.barbosa@canonical.com>
To: Moritz Mühlenhoff <jmm@inutil.org>, Salvatore Bonaccorso <carnil@debian.org>
Cc: 920321@bugs.debian.org
Subject: Re: lua5.3: CVE-2019-6706
Date: Mon, 08 Apr 2019 20:00:06 -0300
Hi, 

Yep, my bad for not having added any info on the patch... That said,

The patch can be found here [1].
It was tested against the POC and it fixed the issue.
Any other questions, please let me know :)


[1] http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html


Cheers!


On Seg, 2019-04-08 at 20:29 +0200, Moritz Mühlenhoff wrote:
> On Thu, Jan 24, 2019 at 07:02:59AM +0100, Salvatore Bonaccorso wrote:
> > 
> > Source: lua5.3
> > Version: 5.3.3-1.1
> > Severity: important
> > Tags: security upstream
> > Control: found -1 5.3.3-1
> > 
> > Hi,
> > 
> > The following vulnerability was published for lua5.3.
> > 
> > CVE-2019-6706[0]:
> > > 
> > > Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For
> > > example, a crash outcome might be achieved by an attacker who is
> > > able
> > > to trigger a debug.upvaluejoin call in which the arguments have
> > > certain
> > > relationships.
> Ubuntu fixed this via https://launchpad.net/ubuntu/+source/lua5.3/5.3.3-1ubuntu0.18.10.1 :
> http://launchpadlibrarian.net/417853567/lua5.3_5.3.3-1_5.3.3-1ubuntu0.18.10.1.diff.gz
> 
> Leonidas, what's the provenance of that patch (given that upstream
> doesn't
> have a public code repo), has it been reviewed/blessed by the Lua
> upstream
> developers?
> 
> Cheers,
>         Moritz



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:15:15 2019; Machine Name: buxtehude
