Fedora has issued an advisory on August 26: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QXYMCIUNGK26VHAYHGP5LPW56G2KWOHQ/ Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
'lua' has no constant maintainer, so having to assign this bug globally.
Assignee: bugsquad => pkg-bugs
Lua 5.1 does not contain the problematic code.
CC: (none) => nicolas.salguero
Source RPM: lua-5.2.4-6.mga8.src.rpm, lua5.1-5.1.5-15.mga8.src.rpm, lua5.3-5.3.5-4.mga8.src.rpm => lua-5.2.4-6.mga8.src.rpm, lua5.3-5.3.5-4.mga8.src.rpm
Suggested advisory:
========================

The updated packages fix a security vulnerability:

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31). (CVE-2020-24370)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24370
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QXYMCIUNGK26VHAYHGP5LPW56G2KWOHQ/
========================

Updated packages in core/updates_testing:
========================

lua-5.2.4-3.1.mga7
lib(64)lua5.2-5.2.4-3.1.mga7
lib(64)lua-devel-5.2.4-3.1.mga7
lib(64)lua-static-devel-5.2.4-3.1.mga7
lua5.3-5.3.5-2.1.mga7
lib(64)lua5.3-5.3.5-2.1.mga7
lib(64)lua5.3-devel-5.3.5-2.1.mga7
lib(64)lua5.3-static-devel-5.3.5-2.1.mga7

from SRPMS:
lua-5.2.4-3.1.mga7.src.rpm
lua5.3-5.3.5-2.1.mga7.src.rpm
CVE: (none) => CVE-2020-24370
Whiteboard: MGA7TOO => (none)
Source RPM: lua-5.2.4-6.mga8.src.rpm, lua5.3-5.3.5-4.mga8.src.rpm => lua-5.2.4-3.mga7.src.rpm, lua5.3-5.3.5-2.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 7
Before updates:
lua5.3-5.3.5-2.mga7
lib64lua5.2-5.2.4-3.mga7
lib64lua-devel-5.2.4-3.mga7
lua-5.2.4-3.mga7
lib64lua5.1-5.1.5-13.mga7
lib64texlua5-20180414-12.mga7
lib64lua-static-devel-5.2.4-3.mga7
lib64lua5.3-5.3.5-2.mga7
lua5.1-5.1.5-13.mga7
lua-posix-33.4.0-1.mga7

CVE-2020-24370 PoC
http://lua-users.org/lists/lua-l/2020-07/msg00324.html

$ lua
Lua 5.3.5  Copyright (C) 1994-2018 Lua.org, PUC-Rio
> firsttime =
>>
>> true
> function foo() if firsttime then do print(debug.getlocal(3, 2 ^ 31))
>>
>> end end end print(load(foo))
Segmentation fault (core dumped)

Updating did not run smoothly because of package version conflicts.

After updates:
lib64lua-static-devel-5.2.4-3.1.mga7
lib64lua5.2-5.2.4-3.1.mga7
lua-5.2.4-3.1.mga7
lua5.3-5.3.5-2.1.mga7
lib64lua5.3-5.3.5-2.1.mga7
lib64lua5.1-5.1.5-13.mga7
lib64texlua5-20180414-12.mga7
lib64lua-devel-5.2.4-3.1.mga7
lua5.1-5.1.5-13.mga7
lua-posix-33.4.0-1.mga7

Removed lua5.1 because there was nothing in the whatrequires list which looked important.

The PoC returned a good result.

$ lua
Lua 5.3.5  Copyright (C) 1994-2018 Lua.org, PUC-Rio
> firsttime =
>>
>> true
> function foo() if firsttime then do print(debug.getlocal(3, 2 ^ 31))
>>
>> end end end print(load(foo))
nil
function: 0xc07e90
> Ctrl-D
$

$ ll /etc/alternatives/lua
lrwxrwxrwx 1 root root 15 Sep  3 12:18 /etc/alternatives/lua -> /usr/bin/lua5.3*

Commandline execution:
$ lua -e "local x=0; for i=1,1e9 do x=x+i end; print(x)"
500000000500000000
$ lua5.2 -e "local x=0; for i=1,1e9 do x=x+i end; print(x)"
5.0000000006711e+17

liblua5.3 is listed as required by apache, conky, celestia, darktable, gnuplot, podofo, rpm, neovim .....

$ strace -o celestia.trace celestia
<celestia functioning normally>
$ grep lua celestia.trace
openat(AT_FDCWD, "/lib64/liblua.so.5.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/liblua.so.5.3", O_RDONLY) = 13
openat(AT_FDCWD, "/usr/lib64/liblua.so.5.3", O_RDONLY) = 21

Reckon this is good enough for an OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
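To show at the C level why the PoC above crashed before the update and returned nil after it, here is an added example constructed for this page (not Lua's ldebug.c and not Mageia's packaging): a simplified model of a getlocal-style index lookup, with the flawed "negate first, then range-check" pattern beside a version that checks the index in the negative domain and so never overflows. The frame layout, the names frame_t, nlocals and nextra, and the slot arithmetic are assumptions of the model.

```c
#include <limits.h>
#include <stdbool.h>

/* Constructed model (assumption, not Lua's ldebug.c): a frame has
 * `nlocals` named locals in slots 0..nlocals-1 and `nextra` extra vararg
 * values stored below the frame base, i.e. at negative slots. Positive n
 * selects local n, negative n selects vararg -n, as debug.getlocal does. */
typedef struct { int nlocals; int nextra; } frame_t;

/* Flawed pattern: flip the sign, then range-check the result.
 * debug.getlocal(3, 2^31) hands the C side a Lua integer that is
 * truncated to a C int; on LP64 Linux that is INT_MIN. Negating INT_MIN
 * is signed overflow, undefined behaviour in C, and on common compilers
 * the value stays INT_MIN, so `n > nextra` is false, the range check is
 * passed, and the slot computed below points far outside the frame. */
bool find_local_flawed(const frame_t *f, int n, long *slot) {
    if (n < 0) {
        n = -n;                               /* overflows for INT_MIN */
        if (n > f->nextra) return false;
        *slot = -(long)f->nextra + (n - 1);
        return true;
    }
    if (n == 0 || n > f->nlocals) return false;
    *slot = n - 1;
    return true;
}

/* Hardened pattern: never negate the untrusted index. Every int, INT_MIN
 * included, is representable in the negative domain, so an out-of-range
 * vararg index is simply rejected instead of wrapping to a valid one. */
bool find_local_safe(const frame_t *f, int n, long *slot) {
    if (n < 0) {
        if (n < -f->nextra) return false;     /* no such vararg */
        *slot = -(long)f->nextra - (n + 1);   /* n + 1 cannot overflow: n < 0 */
        return true;
    }
    if (n == 0 || n > f->nlocals) return false;
    *slot = n - 1;
    return true;
}

/* True when the flawed version would hit undefined behaviour on n. */
bool negation_would_overflow(int n) { return n == INT_MIN; }
```

Both functions agree on every in-range index; they differ only on the one value the PoC supplies, which the hardened version rejects the same way it rejects any vararg index below -nextra.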
Validating, Advisory and packages in Comment 3.
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0362.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED