| Summary: | lua new security issue CVE-2020-24370 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | lua-5.2.4-3.mga7.src.rpm, lua5.3-5.3.5-2.mga7.src.rpm | CVE: | CVE-2020-24370 |
| Status comment: | |||
Description
David Walser
2020-08-27 23:16:54 CEST

David Walser
2020-08-27 23:17:00 CEST

Whiteboard: (none) => MGA7TOO

'lua' has no constant maintainer, so having to assign this bug globally.

Assignee: bugsquad => pkg-bugs

Lua 5.1 does not contain the problematic code.

CC: (none) => nicolas.salguero

Suggested advisory:
========================

The updated packages fix a security vulnerability:

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31). (CVE-2020-24370)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24370
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QXYMCIUNGK26VHAYHGP5LPW56G2KWOHQ/
========================

Updated packages in core/updates_testing:
========================
lua-5.2.4-3.1.mga7
lib(64)lua5.2-5.2.4-3.1.mga7
lib(64)lua-devel-5.2.4-3.1.mga7
lib(64)lua-static-devel-5.2.4-3.1.mga7
lua5.3-5.3.5-2.1.mga7
lib(64)lua5.3-5.3.5-2.1.mga7
lib(64)lua5.3-devel-5.3.5-2.1.mga7
lib(64)lua5.3-static-devel-5.3.5-2.1.mga7

from SRPMS:
lua-5.2.4-3.1.mga7.src.rpm
lua5.3-5.3.5-2.1.mga7.src.rpm

CVE: (none) => CVE-2020-24370

Before updates:
lua5.3-5.3.5-2.mga7
lib64lua5.2-5.2.4-3.mga7
lib64lua-devel-5.2.4-3.mga7
lua-5.2.4-3.mga7
lib64lua5.1-5.1.5-13.mga7
lib64texlua5-20180414-12.mga7
lib64lua-static-devel-5.2.4-3.mga7
lib64lua5.3-5.3.5-2.mga7
lua5.1-5.1.5-13.mga7
lua-posix-33.4.0-1.mga7

CVE-2020-24370 PoC: http://lua-users.org/lists/lua-l/2020-07/msg00324.html

```
$ lua
Lua 5.3.5  Copyright (C) 1994-2018 Lua.org, PUC-Rio
> firsttime = true
> function foo()
>>   if firsttime then
>>     do print(debug.getlocal(3, 2 ^ 31)) end
>>   end
>> end
> print(load(foo))
Segmentation fault (core dumped)
```

Updating did not run smoothly because of package version conflicts.

After updates:
lib64lua-static-devel-5.2.4-3.1.mga7
lib64lua5.2-5.2.4-3.1.mga7
lua-5.2.4-3.1.mga7
lua5.3-5.3.5-2.1.mga7
lib64lua5.3-5.3.5-2.1.mga7
lib64lua5.1-5.1.5-13.mga7
lib64texlua5-20180414-12.mga7
lib64lua-devel-5.2.4-3.1.mga7
lua5.1-5.1.5-13.mga7
lua-posix-33.4.0-1.mga7

Removed lua5.1 because there was nothing in the whatrequires list which looked important.

The PoC returned a good result.

```
$ lua
Lua 5.3.5  Copyright (C) 1994-2018 Lua.org, PUC-Rio
> firsttime = true
> function foo()
>>   if firsttime then
>>     do print(debug.getlocal(3, 2 ^ 31)) end
>>   end
>> end
> print(load(foo))
nil
function: 0xc07e90
> Ctrl-D
$
```

```
$ ll /etc/alternatives/lua
lrwxrwxrwx 1 root root 15 Sep  3 12:18 /etc/alternatives/lua -> /usr/bin/lua5.3*
```

Commandline execution:

```
$ lua -e "local x=0; for i=1,1e9 do x=x+i end; print(x)"
500000000500000000
$ lua5.2 -e "local x=0; for i=1,1e9 do x=x+i end; print(x)"
5.0000000006711e+17
```

liblua5.3 is listed as required by apache, conky, celestia, darktable, gnuplot, podofo, rpm, neovim .....

```
$ strace -o celestia.trace celestia
<celestia functioning normally>
$ grep lua celestia.trace
openat(AT_FDCWD, "/lib64/liblua.so.5.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/liblua.so.5.3", O_RDONLY) = 13
openat(AT_FDCWD, "/usr/lib64/liblua.so.5.3", O_RDONLY) = 21
```

Reckon this is good enough for an OK.

Whiteboard: (none) => MGA7-64-OK

Validating, Advisory and packages in Comment 3.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0362.html

Resolution: (none) => FIXED
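As an added illustration, not Lua's own code and not part of this bug report, the following C model shows the integer-narrowing and negation-overflow class the advisory describes and the PoC above triggers with `getlocal(3, 2^31)`: a 64-bit argument of 2^31 becomes INT_MIN once narrowed to `int`, negating INT_MIN does not make it positive, so a bounds check applied to the negated value never fires and a huge negative offset reaches the frame pointer arithmetic. The frame model (`NEXTRA` extra values addressed by negative indices), the `wrap_to_int` helper and the function names are constructed for this example; the hardened variant is one correct shape (range-check the wide value, compare the negative index without negating it), not a reproduction of the upstream patch.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed model of a call frame with NEXTRA extra ("vararg") values.
 * A vararg index is negative: -1 is the first extra value, -2 the second.
 * Illustrative only; this is not Lua's ldebug.c. */
enum { NEXTRA = 3 };
#define NO_SLOT (-1LL)   /* "no such vararg" */

/* Two's-complement wrap of a 64-bit value into int, written with unsigned
 * arithmetic so the model itself has no undefined behaviour. This is the
 * value an (int) cast of a wide integer yields on common targets. */
static int wrap_to_int(long long v) {
    unsigned int u = (unsigned int)v;               /* reduced modulo 2^32 */
    if (u <= (unsigned int)INT_MAX) return (int)u;
    return (int)(u - (unsigned int)INT_MIN) + INT_MIN;
}

/* Vulnerable shape: narrow the caller's integer to int, negate the negative
 * index, then bounds-check the negated value. 2^31 narrows to INT_MIN and
 * -INT_MIN overflows back to INT_MIN, so the "too large" check never fires
 * and a wildly negative slot offset is returned (a real implementation
 * would turn it into an invalid stack pointer). */
static long long vararg_slot_unsafe(long long arg) {
    int n = wrap_to_int(arg);
    if (n >= 0) return NO_SLOT;                     /* positive indices are ordinary locals, not modelled */
    int k = wrap_to_int(-(long long)n);             /* models the int negation `-n` */
    if (k > NEXTRA) return NO_SLOT;                 /* passes when k == INT_MIN */
    return (long long)k - 1;                        /* slot offset: 0..NEXTRA-1 when valid */
}

/* Hardened shape: range-check the wide value before narrowing and compare the
 * negative index directly, so no negation (and therefore no overflow) occurs. */
static long long vararg_slot_safe(long long arg) {
    if (arg >= 0 || arg < -(long long)NEXTRA) return NO_SLOT;   /* rejects 2^31 and INT_MIN alike */
    return -arg - 1;                                /* -1 -> slot 0, ..., -NEXTRA -> slot NEXTRA-1 */
}

int main(void) {
    const long long poc = 1LL << 31;                /* the 2^31 argument from the PoC */
    printf("unsafe(2^31) slot = %lld\n", vararg_slot_unsafe(poc));   /* -2147483649 */
    printf("safe(2^31)   slot = %lld\n", vararg_slot_safe(poc));     /* -1 (NO_SLOT) */
    printf("safe(-2)     slot = %lld\n", vararg_slot_safe(-2));      /* 1 */
    return 0;
}
```

The model returns offsets instead of dereferencing them, so it demonstrates the wrong arithmetic without crashing; the point for review is that any check placed after a narrowing cast or a negation is reasoning about a value that may already have wrapped.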