Debian has issued advisories on September 1:
More details are in this thread:
According to the Red Hat bug, it's already fixed in lua 5.2.3:
So Cauldron would just need a fix for lua5.1.
Mageia 3 and Mageia 4 would need fixes for lua and lua5.1.
lua5.0 may also be affected, but I'm not sure. Apparently there's a reproducer, so this could be checked.
Steps to Reproduce:
More info here: http://www.lua.org/bugs.html#5.2.2-1
Upstream claims it only affects lua since version 5.1, so I won't patch lua5.0.
I couldn't reproduce the issue on my 64-bit machine or on a 64-bit VM; I'll try 32-bit.
Patched packages pushed for Mageia 3 and Mageia 4 (lua and lua5.1) and Cauldron (lua5.1). Will prepare an advisory.
MGA4TOO, MGA3TOO =>
I could reproduce the stack overflow on Mageia 3 32bit with lua 5.2 (not with lua5.1 though).
Updated lua and lua5.1 packages fix security vulnerability
A heap-based overflow vulnerability was found in the way Lua, a simple,
extensible, embeddable programming language, handles varargs functions with many
fixed parameters called with few arguments, leading to application crashes or,
potentially, arbitrary code execution.
RPMs in core/updates_testing
To try to reproduce the issue (note that it doesn't work on all machines), run "lua5.2" and copy and paste the following snippet into the interpreter:
-- snippet begins
function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
           p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
           p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
           p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
           p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
  local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
end
f() -- crashes on some machines
-- snippet ends
If you see something like *** Error in `lua5.2': malloc(): memory corruption: 0x09a336a8 ***, then you've successfully reproduced the issue that the update candidate is meant to fix.
Follow the same procedure with "lua5.1" instead of lua5.2.
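The manual test procedure above, scripted as an added example that is not part of the original bug report: it runs the snippet against each interpreter and reports whether the process aborted. It assumes that feeding the snippet as a file behaves like pasting it into the interpreter; the function names `write_snippet` and `check_interp` are illustrative, and the interpreter names are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report): automates the manual test above.
# Assumption: feeding the snippet as a file behaves like pasting it.

# Write the reproducer quoted in the thread to the file named by $1.
write_snippet() {
    cat > "$1" <<'EOF'
function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
           p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
           p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
           p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
           p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
  local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
end
f()
EOF
}

# check_interp INTERPRETER SNIPPET_FILE
# Prints one word: missing | crash | error | ok
check_interp() {
    ci_bin=$1
    ci_file=$2
    command -v "$ci_bin" >/dev/null 2>&1 || { echo missing; return 0; }
    ci_err=$(mktemp)
    ci_rc=0
    "$ci_bin" "$ci_file" >/dev/null 2>"$ci_err" || ci_rc=$?
    # glibc aborts on detected heap corruption (exit status above 128);
    # also match the message quoted in the thread.
    if [ "$ci_rc" -gt 128 ] || grep -q 'memory corruption' "$ci_err"; then
        echo crash
    elif [ "$ci_rc" -ne 0 ]; then
        echo error
    else
        echo ok
    fi
    rm -f "$ci_err"
}

# Test the interpreter names used in the thread.
tmp_snippet=$(mktemp)
write_snippet "$tmp_snippet"
for bin in lua5.1 lua5.2; do
    printf '%s: %s\n' "$bin" "$(check_interp "$bin" "$tmp_snippet")"
done
rm -f "$tmp_snippet"
```

A result of `ok` on an unpatched package does not rule out the bug, since the crash does not reproduce on every machine; compare the result before and after installing the update.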
Just some minor advisory tweaks.
Updated lua and lua5.1 packages fix security vulnerability:
A heap-based overflow vulnerability was found in the way Lua handles varargs
functions with many fixed parameters called with few arguments, leading to
application crashes or, potentially, arbitrary code execution (CVE-2014-5461).
Tested on Mageia 3 i586 and Mageia 4 i586.
I could reproduce the issue with lua (lua 5.2) on Mageia 3 and Mageia 4.
I could not reproduce the issue with lua5.1 or lua5.0 on either.
After installing the updates, the snippet runs without issues.
MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK
Tested on Mageia 4 x86_64.
The malloc error occurred with lua5.1 (from updates testing).
No error with lua5.2 after updating.
Maybe I should go back and check lua5.1 before and after?
Len, did you also update liblua5.1?
Yes, and the devel lib.
I find that I cannot now revert without removing a cartload of other packages.
Since you were testing on x86_64, it would have been lib64lua5.1 actually, did you update that one?
You can revert the update, but you can't just uninstall these packages since they're required by stuff. You can either download the release versions and rpm -Uvh --force them, or use urpmi --downgrade lua5.1 lib64lua5.1.
Yes, it was the 64bit library. And thanks for the rpm tip.
When I have time I shall repeat the tests on another machine and record everything.
The downgrade option did the trick.
Disabled core updates testing and invoked lua5.1 explicitly. The snippet ran without any errors this time.
Enabled updates testing and upgraded lua5.1 and lib64lua5.1. Again, the snippet ran without errors.
So, we are now in agreement. Looks like MGA4-64-OK.
Fantastic. Thanks Len.
MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK =>
MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK
Testing on Mageia3-64 (real HW), following procedure from comment 5
No error found in the interpreter with the snippet.
Could reproduce the error:
*** Error in `lua5.2': malloc(): memory corruption: 0x0000000001780fa0 ***
Installing updates-testing:
Ran the same test, no error found in lua5.1 and lua5.2
Mageia3-64 OK then
MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK =>
MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Advisory uploaded. Validating update, please push lua5.1 and lua to 3 & 4 core/updates.
MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK =>
MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.