[Bug 241652] Re: Some security problems (with fixes)
lua5.1 synced from Debian unstable, closing this bug report.

** Changed in: lua5.1 (Ubuntu Jaunty)
Status: In Progress => Fix Released

--
Some security problems (with fixes)
https://bugs.launchpad.net/bugs/241652
You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 241652] Re: Some security problems (with fixes)
bug 350420 is the Jaunty lua5.1 sync request.
[Bug 241652] Re: Some security problems (with fixes)
Some of the bugs, e.g. 2 & 10, can cause DoS from correct application code, conceivably triggered by inputs from untrusted sources. But I agree the risk looks small.
[Bug 241652] Re: Some security problems (with fixes)
After some discussion with other security folks, I've decided to not treat these bugfixes as security issues. Using lua on untrusted code would be considered a security issue in itself, but that would not be lua's fault. The bugs are only triggerable via untrusted code, so this is not likely to become a problem for lua itself. That said, once the Jaunty Beta Freeze has lifted, I will get lua5.1 5.1.4 synchronized from Debian. Thanks for all the feedback on this report!

** Changed in: lua5.1 (Ubuntu Dapper)
Status: Triaged => Won't Fix
** Changed in: lua5.1 (Ubuntu Gutsy)
Status: Triaged => Won't Fix
** Changed in: lua5.1 (Ubuntu Hardy)
Status: Triaged => Won't Fix
** Changed in: lua5.1 (Ubuntu Intrepid)
Status: Triaged => Won't Fix
** Changed in: lua5.1 (Ubuntu Jaunty)
Status: Triaged => In Progress
** Changed in: lua5.1 (Ubuntu Jaunty)
Milestone: None => ubuntu-9.04
[Bug 241652] Re: Some security problems (with fixes)
I'm sorry, I don't know what is exploitable by third parties. The obvious questions to ask include: what applications including Lua code take input which could trigger one of the bugs, of which a significant sub-question is: what applications take Lua code as input? Clearly in principle these bugs could be exploited; whether they can be exploited in any application shipped in Ubuntu is much more difficult to answer. Again, since Lua 5.1.4 is simply a bug-fix release for 5.1.3, which fixes the bugs mentioned on the bugs.html page, and only those bugs, the simplest and safest course of action seems to be to update to it.
[Bug 241652] Re: Some security problems (with fixes)
If that's the case, I find the bugs.html url to be confusing. On a closer read, I do see the "Fixed in 5.1.4" notes on the bugs. Are any of the bugs exploitable by 3rd parties?

** Changed in: lua5.1 (Ubuntu)
Importance: Medium => Low
** Changed in: lua5.1 (Ubuntu)
Status: Fix Released => Triaged
** Also affects: lua5.1 (Ubuntu Intrepid)
Importance: Undecided
Status: New
** Also affects: lua5.1 (Ubuntu Jaunty)
Importance: Low
Assignee: Kees Cook (kees)
Status: Triaged
** Changed in: lua5.1 (Ubuntu Intrepid)
Importance: Undecided => Low
** Changed in: lua5.1 (Ubuntu Intrepid)
Status: New => Triaged
[Bug 241652] Re: Some security problems (with fixes)
The previous comment is incorrect. The bugs were fixed in Lua 5.1 5.1.4, which is not currently in Ubuntu.
[Bug 241652] Re: Some security problems (with fixes)
These issues were all fixed in lua5.1 5.1.3 (which is in intrepid and jaunty). I've opened tasks for Dapper, Gutsy, and Hardy if someone wants to create backported patches.

** Changed in: lua5.1 (Ubuntu)
Status: Incomplete => Confirmed
** Also affects: lua5.1 (Ubuntu Dapper)
Importance: Undecided
Status: New
** Also affects: lua5.1 (Ubuntu Gutsy)
Importance: Undecided
Status: New
** Also affects: lua5.1 (Ubuntu Hardy)
Importance: Undecided
Status: New
** Changed in: lua5.1 (Ubuntu)
Status: Confirmed => Invalid
** Changed in: lua5.1 (Ubuntu Dapper)
Importance: Undecided => Low
** Changed in: lua5.1 (Ubuntu Dapper)
Status: New => Triaged
** Changed in: lua5.1 (Ubuntu Gutsy)
Importance: Undecided => Low
** Changed in: lua5.1 (Ubuntu Gutsy)
Status: New => Triaged
** Changed in: lua5.1 (Ubuntu Hardy)
Importance: Undecided => Low
** Changed in: lua5.1 (Ubuntu Hardy)
Status: New => Triaged
** Changed in: lua5.1 (Ubuntu)
Status: Invalid => Fix Released
[Bug 241652] Re: Some security problems (with fixes)
There were no CVEs. The security implications are as follows:

http://www.lua.org/bugs.html under "5.1.3":

* patch 2 fixes a potential stack overflow.
* patch 4 fixes a crash (possible DoS for Lua-scripted applications that run user scripts)
* patch 5 fixes a crash (ditto)
* patch 6 fixes a stack overflow
* patch 8 fixes the ability to create booleans that are neither true nor false

These patches all affect the interpretation of Lua code; Lua is widely used in Ubuntu for application scripting. Hence, at the very least, a stack overflow is a potential security problem. Some of the other bugs patched may have security implications too, as they all allow incorrect execution of code.
[Bug 241652] Re: Some security problems (with fixes)
Thanks for taking the time to report this bug and helping to make Ubuntu better. It's not clear to me what fixes were security-relevant. Were there CVEs issued for the lua fixes?

** Changed in: lua5.1 (Ubuntu)
Importance: Undecided => Medium
Assignee: (unassigned) => Kees Cook (kees)
Status: New => Incomplete
[Bug 241652] Re: Some security problems (with fixes)
** This bug has been flagged as a security issue
[Bug 241652] Re: Some security problems (with fixes)
** Visibility changed to: Public
** This bug is no longer flagged as a security issue