| Summary: | lua new security issue CVE-2014-5461 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | olchal, rverschelde, sysadmin-bugs, tarazed25 |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/610398/ | | |
| Whiteboard: | MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory | | |
| Source RPM: | lua5.1, lua | CVE: | |
| Status comment: | | | |

Description
David Walser
2014-09-02 20:34:11 CEST
David Walser
2014-09-02 20:34:21 CEST
Whiteboard: (none) => MGA4TOO, MGA3TOO

More info here: http://www.lua.org/bugs.html#5.2.2-1

Upstream claims it only affects lua since version 5.1, so I won't patch lua5.0.

I couldn't reproduce the issue on my 64bit machine and on a 64bit VM, I'll try 32bit.

CC: (none) => remi

Patched packages pushed for Mageia 3 and Mageia 4 (lua and lua5.1) and Cauldron (lua5.1). Will prepare an advisory.

Assignee: thierry.vignaud => remi

Rémi Verschelde
2014-10-18 13:16:29 CEST
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Rémi Verschelde
2014-10-18 13:16:36 CEST
Hardware: i586 => All

I could reproduce the stack overflow on Mageia 3 32bit with lua 5.2 (not with lua5.1 though).

Suggested advisory
==================

Updated lua and lua5.1 packages fix security vulnerability

A heap-based overflow vulnerability was found in the way Lua, a simple, extensible, embeddable programming language, handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution.

References:
- http://openwall.com/lists/oss-security/2014/08/27/2
- http://www.lua.org/bugs.html#5.2.2-1

RPMs in core/updates_testing
============================
lua5.1-5.1.5-2.2.mga3.x86_64
lib64lua5.1-5.1.5-2.2.mga3.x86_64
lib64lua5.1-devel-5.1.5-2.2.mga3.x86_64
lib64lua5.1-devel-static-5.1.5-2.2.mga3.x86_64
lua-5.2.2-1.1.mga3.x86_64
lib64lua5.2-5.2.2-1.1.mga3.x86_64
lib64lua-devel-5.2.2-1.1.mga3.x86_64
lib64lua-static-devel-5.2.2-1.1.mga3.x86_64
lua5.1-5.1.5-4.1.mga4.x86_64
lib64lua5.1-5.1.5-4.1.mga4.x86_64
lib64lua5.1-devel-5.1.5-4.1.mga4.x86_64
lib64lua5.1-devel-static-5.1.5-4.1.mga4.x86_64
lua-5.2.2-2.1.mga4.x86_64
lib64lua5.2-5.2.2-2.1.mga4.x86_64
lib64lua-devel-5.2.2-2.1.mga4.x86_64
lib64lua-static-devel-5.2.2-2.1.mga4.x86_64

SRPMs
=====
lua5.1-5.1.5-2.2.mga3
lua-5.2.2-1.1.mga3
lua5.1-5.1.5-4.1.mga4
lua-5.2.2-2.1.mga3

Assignee: remi => qa-bugs

To try to reproduce the issue (note that it doesn't work on all machines), run "lua5.2" and copy paste the following snippet in the interpreter:
-- snippet begins
function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
end
f() -- crashes on some machines
-- snippet ends
If you see something like *** Error in `lua5.2': malloc(): memory corruption: 0x09a336a8 ***, then you've successfully reproduced the issue that the update candidate is meant to fix.
Follow the same procedure with "lua5.1" instead of lua5.2.

Thanks Rémi! Just some minor advisory tweaks.

Advisory:
========================

Updated lua and lua5.1 packages fix security vulnerability:

A heap-based overflow vulnerability was found in the way Lua handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution (CVE-2014-5461).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461
http://www.lua.org/bugs.html#5.2.2-1
https://www.debian.org/security/2014/dsa-3015
https://www.debian.org/security/2014/dsa-3016

Tested on Mageia 3 i586 and Mageia 4 i586. I could reproduce the issue with lua (lua 5.2) on Mageia 3 and Mageia 4. I could not reproduce the issue with lua5.1 or lua5.0 on either. After installing the updates, the snippet runs without issues.

Whiteboard: MGA3TOO => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Tested on Mageia 4 x86_64. The malloc error occurred with lua5.1 (from updates testing). No error with lua5.2 after updating. Maybe I should go back and check lua5.1 before and after?

CC: (none) => tarazed25

Len, did you also update liblua5.1?

Yes, and the devel lib. I find that I cannot now revert without removing a cartload of other packages.

Since you were testing on x86_64, it would have been lib64lua5.1 actually, did you update that one? You can revert the update, but you can't just uninstall these packages since they're required by stuff. You can either download the release versions and rpm -Uvh --force them, or use urpmi --downgrade lua5.1 lib64lua5.1.

Yes, it was the 64bit library. And thanks for the rpm tip. When I have time I shall repeat the tests on another machine and record everything.

The downgrade option did the trick. Disabled core updates testing and invoked lua5.1 explicitly. The snippet ran without any errors this time. Enabled updates testing and upgraded lua5.1 and lib64lua5.1. Again, the snippet ran without errors. So, we are now in agreement. Looks like MGA4-64-OK.

Fantastic. Thanks Len.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK

Testing on Mageia3-64 (real HW), following procedure from comment 5

Before :
------
- lua-5.1-5.1.5-2.1.mga3.x86_64
No error found in the interpreter with the snippet.
- lua-5.2.2-1.mga3.x86_64
Could reproduce the error :
*** Error in `lua5.2': malloc(): memory corruption: 0x0000000001780fa0 ***

After :
-----
Installing updates-testing :
- lib64lua5.1-5.1.5-2.2.mga3.x86_64
- lib64lua5.2-5.2.2-1.1.mga3.x86_64
- lua-5.2.2-1.1.mga3.x86_64
- lua5.1-5.1.5-2.2.mga3.x86_64
Ran the same test, no error found in lua5.1 and lua5.2

Mageia3-64 OK then

CC: (none) => olchal

Advisory uploaded.

Validating update, please push lua5.1 and lua to 3 & 4 core/updates.

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0414.html

Status: NEW => RESOLVED
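
The question raised in the thread, whether the library package was updated along with the interpreter, can be checked mechanically before trusting a before/after test. The following is an added example, not part of the original report or of Mageia's tooling: it compares installed builds against the fixed x86_64 builds listed above, using a simplified rpm-style version comparison and a constructed sample of `rpm -q` output.

```python
import re

# Fixed x86_64 builds taken from the update candidate listed in this report.
FIXED = {
    ("lua5.1", "mga3"): "5.1.5-2.2.mga3", ("lib64lua5.1", "mga3"): "5.1.5-2.2.mga3",
    ("lua", "mga3"): "5.2.2-1.1.mga3",    ("lib64lua5.2", "mga3"): "5.2.2-1.1.mga3",
    ("lua5.1", "mga4"): "5.1.5-4.1.mga4", ("lib64lua5.1", "mga4"): "5.1.5-4.1.mga4",
    ("lua", "mga4"): "5.2.2-2.1.mga4",    ("lib64lua5.2", "mga4"): "5.2.2-2.1.mga4",
}

# Constructed sample of: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <pkgs>
# The interpreter is updated, but the shared library is still an older build.
SAMPLE = [
    "lua5.1 5.1.5-4.1.mga4",
    "lib64lua5.1 5.1.5-4.mga4",
    "lua 5.2.2-2.1.mga4",
    "lib64lua5.2 5.2.2-2.1.mga4",
]

def vercmp(a, b):
    """Simplified rpm-style comparison of one version or release string."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)   # runs of digits or letters
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(rpm_lines):
    """Return {package: installed build} for packages older than the fix."""
    stale = {}
    for line in rpm_lines:
        name, evr = line.split()
        dist = evr.rsplit(".", 1)[-1]        # distribution tag, e.g. "mga4"
        fixed = FIXED.get((name, dist))
        if fixed and evr_cmp(evr, fixed) < 0:
            stale[name] = evr
    return stale

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means every listed package is at or above the fixed build; any entry means the test was run against a mixed installation.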