Bug 14038 - lua new security issue CVE-2014-5461
Summary: lua new security issue CVE-2014-5461
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/610398/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-02 20:34 CEST by David Walser
Modified: 2014-10-23 15:28 CEST (History)

See Also:
Source RPM: lua5.1, lua
CVE:
Status comment:


Description David Walser 2014-09-02 20:34:11 CEST
Debian has issued advisories on September 1:
https://www.debian.org/security/2014/dsa-3015
https://www.debian.org/security/2014/dsa-3016

More details are in this thread:
http://openwall.com/lists/oss-security/2014/08/27/2

According to the RedHat bug, it's already fixed in lua 5.2.3:
https://bugzilla.redhat.com/show_bug.cgi?id=1132304

So Cauldron would just need a fix for lua5.1.

Mageia 3 and Mageia 4 would need fixes for lua and lua5.1.

lua5.0 may also be affected, but I'm not sure.  Apparently there's a reproducer, so this could be checked.

David Walser 2014-09-02 20:34:21 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Rémi Verschelde 2014-10-18 13:10:15 CEST
More info here: http://www.lua.org/bugs.html#5.2.2-1
Upstream claims it only affects lua since version 5.1, so I won't patch lua5.0.

I couldn't reproduce the issue on my 64bit machine and on a 64bit VM; I'll try 32bit.

CC: (none) => remi

Comment 2 Rémi Verschelde 2014-10-18 13:16:15 CEST
Patched packages pushed for Mageia 3 and Mageia 4 (lua and lua5.1) and Cauldron (lua5.1). Will prepare an advisory.

Assignee: thierry.vignaud => remi

Rémi Verschelde 2014-10-18 13:16:29 CEST

Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Rémi Verschelde 2014-10-18 13:16:36 CEST

Hardware: i586 => All
Version: Cauldron => 4

Comment 3 Rémi Verschelde 2014-10-18 13:36:09 CEST
I could reproduce the stack overflow on Mageia 3 32bit with lua 5.2 (not with lua5.1 though).
Comment 4 Rémi Verschelde 2014-10-18 13:58:17 CEST
Suggested advisory
==================

Updated lua and lua5.1 packages fix security vulnerability

  A heap-based overflow vulnerability was found in the way Lua, a simple,
  extensible, embeddable programming language, handles varargs functions with many
  fixed parameters called with few arguments, leading to application crashes or,
  potentially, arbitrary code execution.

References:
 - http://openwall.com/lists/oss-security/2014/08/27/2
 - http://www.lua.org/bugs.html#5.2.2-1


RPMs in core/updates_testing
============================
lua5.1-5.1.5-2.2.mga3.x86_64
lib64lua5.1-5.1.5-2.2.mga3.x86_64
lib64lua5.1-devel-5.1.5-2.2.mga3.x86_64
lib64lua5.1-devel-static-5.1.5-2.2.mga3.x86_64

lua-5.2.2-1.1.mga3.x86_64
lib64lua5.2-5.2.2-1.1.mga3.x86_64
lib64lua-devel-5.2.2-1.1.mga3.x86_64
lib64lua-static-devel-5.2.2-1.1.mga3.x86_64

lua5.1-5.1.5-4.1.mga4.x86_64
lib64lua5.1-5.1.5-4.1.mga4.x86_64
lib64lua5.1-devel-5.1.5-4.1.mga4.x86_64
lib64lua5.1-devel-static-5.1.5-4.1.mga4.x86_64

lua-5.2.2-2.1.mga4.x86_64
lib64lua5.2-5.2.2-2.1.mga4.x86_64
lib64lua-devel-5.2.2-2.1.mga4.x86_64
lib64lua-static-devel-5.2.2-2.1.mga4.x86_64


SRPMs
=====
lua5.1-5.1.5-2.2.mga3
lua-5.2.2-1.1.mga3

lua5.1-5.1.5-4.1.mga4
lua-5.2.2-2.1.mga3

Assignee: remi => qa-bugs

Comment 5 Rémi Verschelde 2014-10-18 14:07:14 CEST
To try to reproduce the issue (note that it doesn't work on all machines), run "lua5.2" and copy and paste the following snippet into the interpreter:

-- snippet begins
function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
           p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
           p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
           p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
           p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
  local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
end

f()   -- crashes on some machines
-- snippet ends


If you see something like *** Error in `lua5.2': malloc(): memory corruption: 0x09a336a8 ***, then you've successfully reproduced the issue that the update candidate is meant to fix.

Follow the same procedure with "lua5.1" instead of lua5.2.
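As an added QA helper (not part of this thread or of the Mageia update), the script below automates the before/after procedure from comment 5: it writes the posted reproducer to a file, runs it under each interpreter, and classifies the outcome from the exit status and the glibc "memory corruption" message. It assumes the interpreter commands are named lua5.1 and lua5.2 as in the thread and that mktemp and grep are available.

```shell
#!/bin/sh
# Added QA helper for the CVE-2014-5461 update candidate: runs the comment-5
# reproducer under each Lua interpreter named on the command line (default:
# the thread's lua5.1 and lua5.2) and reports OK, CRASH, ERROR or SKIP.

# write_reproducer: saves the snippet exactly as posted in comment 5 (p47 is
# absent upstream too) to a temp file and prints the file name.
write_reproducer() {
    f=$(mktemp "${TMPDIR:-/tmp}/cve-2014-5461.XXXXXX") || return 1
    cat > "$f" <<'EOF'
function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
           p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
           p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
           p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
           p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
  local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
end
f()
EOF
    echo "$f"
}

# run_reproducer INTERP: prints OK when the snippet completes, CRASH when the
# interpreter dies from a signal or glibc reports malloc corruption (the
# symptom quoted in comment 5), ERROR for any other non-zero exit status.
run_reproducer() {
    interp=$1
    snippet=$(write_reproducer) || return 1
    errlog=$(mktemp "${TMPDIR:-/tmp}/cve-2014-5461.XXXXXX") || return 1
    if "$interp" "$snippet" >/dev/null 2>"$errlog"; then
        result=OK
    else
        rc=$?
        if [ "$rc" -gt 128 ] || grep -q 'memory corruption' "$errlog"; then
            result=CRASH
        else
            result=ERROR
        fi
    fi
    rm -f "$snippet" "$errlog"
    echo "$result"
}

# Before/after check: run once with the release packages and once after the
# update candidate; on machines where the bug triggers, unpatched lua 5.2 says CRASH.
[ $# -eq 0 ] && set -- lua5.1 lua5.2
for interp; do
    command -v "$interp" >/dev/null 2>&1 || { echo "$interp: SKIP (not installed)"; continue; }
    echo "$interp: $(run_reproducer "$interp")"
done
```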
Comment 6 David Walser 2014-10-18 15:52:25 CEST
Thanks Rémi!

Just some minor advisory tweaks.

Advisory:
========================

Updated lua and lua5.1 packages fix security vulnerability:

A heap-based overflow vulnerability was found in the way Lua handles varargs
functions with many fixed parameters called with few arguments, leading to
application crashes or, potentially, arbitrary code execution (CVE-2014-5461).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461
http://www.lua.org/bugs.html#5.2.2-1
https://www.debian.org/security/2014/dsa-3015
https://www.debian.org/security/2014/dsa-3016
Comment 7 David Walser 2014-10-18 16:46:32 CEST
Tested on Mageia 3 i586 and Mageia 4 i586.

I could reproduce the issue with lua (lua 5.2) on Mageia 3 and Mageia 4.

I could not reproduce the issue with lua5.1 or lua5.0 on either.

After installing the updates, the snippet runs without issues.

Whiteboard: MGA3TOO => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 8 Len Lawrence 2014-10-18 17:43:23 CEST
Tested on Mageia 4 x86_64.

The malloc error occurred with lua5.1 (from updates testing).

No error with lua5.2 after updating.

Maybe I should go back and check lua5.1 before and after?

CC: (none) => tarazed25

Comment 9 David Walser 2014-10-18 17:50:33 CEST
Len, did you also update liblua5.1?
Comment 10 Len Lawrence 2014-10-18 17:52:38 CEST
Yes, and the devel lib.

I find that I cannot now revert without removing a cartload of other packages.
Comment 11 David Walser 2014-10-18 17:56:59 CEST
Since you were testing on x86_64, it would have been lib64lua5.1 actually; did you update that one?

You can revert the update, but you can't just uninstall these packages since they're required by stuff.  You can either download the release versions and rpm -Uvh --force them, or use urpmi --downgrade lua5.1 lib64lua5.1.
Comment 12 Len Lawrence 2014-10-18 18:36:09 CEST
Yes, it was the 64bit library.  And thanks for the rpm tip.
When I have time I shall repeat the tests on another machine and record everything.
Comment 13 Len Lawrence 2014-10-18 18:57:45 CEST
The downgrade option did the trick.

Disabled core updates testing and invoked lua5.1 explicitly.  The snippet ran without any errors this time.

Enabled updates testing and upgraded lua5.1 and lib64lua5.1.  Again, the snippet ran without errors.

So, we are now in agreement.  Looks like MGA4-64-OK.
Comment 14 David Walser 2014-10-18 19:13:56 CEST
Fantastic.  Thanks Len.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK

Comment 15 olivier charles 2014-10-21 18:39:53 CEST
Testing on Mageia3-64 (real HW), following procedure from comment 5

Before:
-------

- lua-5.1-5.1.5-2.1.mga3.x86_64
No error found in the interpreter with the snippet.


- lua-5.2.2-1.mga3.x86_64
Could reproduce the error:
*** Error in `lua5.2': malloc(): memory corruption: 0x0000000001780fa0 ***


After:
------

Installing updates-testing:
- lib64lua5.1-5.1.5-2.2.mga3.x86_64
- lib64lua5.2-5.2.2-1.1.mga3.x86_64
- lua-5.2.2-1.1.mga3.x86_64
- lua5.1-5.1.5-2.2.mga3.x86_64

Ran the same test; no error found in lua5.1 and lua5.2.

Mageia3-64 OK then.

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 16 Rémi Verschelde 2014-10-23 11:07:56 CEST
Advisory uploaded. Validating update, please push lua5.1 and lua to 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 17 Mageia Robot 2014-10-23 15:28:30 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0414.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
