Debian-LTS has issued an advisory on July 28: https://www.debian.org/lts/security/2020/dla-2296 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
No obvious current maintainer, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Patched package uploaded for cauldron and Mageia 7. Advisory: ======================== Updated luajit package fixes security vulnerability: An issue has been found in luajit, a just in time compiler for Lua. An out-of-bounds read could happen because __gc handler frame traversal is mishandled (CVE-2020-15890). References: https://nvd.nist.gov/vuln/detail/CVE-2020-15890 https://www.debian.org/lts/security/2020/dla-2296 ======================== Updated packages in core/updates_testing: ======================== luajit-common-2.1.0-0.beta3.5.mga7.noarch.rpm lib64luajit5.1_2-2.1.0-0.beta3.5.mga7 lib64luajit5.1-devel-2.1.0-0.beta3.5.mga7 luajit-2.1.0-0.beta3.5.mga7 from luajit-2.1.0-0.beta3.5.mga7.src.rpm
CC: (none) => mramboAssignee: pkg-bugs => qa-bugsVersion: Cauldron => 7Whiteboard: MGA7TOO => (none)
Taking a look at this tomorrow. The PoC at https://github.com/LuaJIT/LuaJIT/issues/601 does not work because function newproxy cannot be found. There is a note online about it being removed from lua5.2 onwards. Meaanwhile this system needs to be cleaned up: $ rpm -qa | grep lua lua5.3-5.3.5-2.mga7 lib64lua5.2-5.2.4-3.mga7 lib64lua5.3-devel-5.3.5-2.mga7 lib64luajit5.1_2-2.1.0-0.beta3.4.mga7 lua-5.2.4-3.mga7 lib64lua5.3-5.3.5-2.mga7 lua-posix-33.4.0-1.mga7 luajit-common-2.1.0-0.beta3.4.mga7 $ rpm -q luajit luajit-2.1.0-0.beta3.4.mga7 A bit of a mess.
CC: (none) => tarazed25
Following on from comment 3. Cleaning up was not very successful so I added the shebang line for lua5.1 at the start of the poc file and ran it again. The result was the same - newproxy not found. Abandoning this PoC. Example from the manual page: $ luajit -e "local x=0; for i=1,1e9 do x=x+i end; print(x)" 5.0000000006711e+17 Experimented to try to save the script as executable code but failed to understand the options required. $ luajit -b -n code -t obj -e "local x=0; for i=1,1e9 do x=x+i end; print(x)" whatever $ file whatever whatever: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped $ chmod +x whatever $ ./whatever bash: ./whatever: cannot execute binary file: Exec format error Just a chunk of binary code without any reference framework perhaps. It probably needs to be linked to something. Moving on. Updated the listed packages. Tried the example summation command from the man page: $ luajit -e "local x=0; for i=1,1e9 do x=x+i end; print(x)" 5.0000000006711e+17 The library is needed by various games, enlightenment, cantor, obs-studio, mpv and sysdig amongst others. Installed mpv $ strace -o mpv.trace mpv AidaGarafullina_CastaDiva.mp4 $ grep lua mpv.trace openat(AT_FDCWD, "/lib64/libluajit-5.1.so.2", O_RDONLY|O_CLOEXEC) = 3 No luck with the games. Installed cantor and attempted to plot a parabola but had no idea how to drive the interface. Ended up with a printout containing just text. The trace showed calls to luajit and the library. $ grep luajit cantor.trace openat(AT_FDCWD, "/lib64/libluajit-5.1.so.2", O_RDONLY|O_CLOEXEC) = 20 .... statx(AT_FDCWD, "/usr/bin/luajit", AT_STATX_SYNC_AS_STAT, STATX_ALL, {stx_mask=STATX_ALL, stx_attributes=0, stx_mode=S_IFREG|0755, stx_size=508720, ...}) = 0 access("/usr/bin/luajit", X_OK) = 0 This all looks OK.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0342.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED