FS#68703 - [lua51] CVE-2014-5461

Attached to Project: Arch Linux
Opened by Kekw (defty) - Sunday, 22 November 2020, 00:24 GMT
Last edited by Caleb Maclennan (alerque) - Wednesday, 20 September 2023, 06:41 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Caleb Maclennan (alerque)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.

This is patched in Debian and Gentoo. Seems to be unpatched in openSUSE Tumbleweed.

Here is the link: https://nvd.nist.gov/vuln/detail/CVE-2014-5461

diff --git a/src/ldo.c b/src/ldo.c
index d1bf786..d43f611 100644
--- a/src/ldo.c
+++ b/src/ldo.c
@@ -217,7 +217,7 @@ static StkId adjust_varargs (lua_State *L, Proto *p, int actual) {
int nvar = actual - nfixargs; /* number of extra arguments */
lua_assert(p->is_vararg & VARARG_HASARG);
luaC_checkGC(L);
- luaD_checkstack(L, p->maxstacksize);
+ luaD_checkstack(L, p->maxstacksize + p->numparams);
htab = luaH_new(L, nvar, 1); /* create `arg' table */
for (i=0; i<nvar; i++) /* put extra arguments into `arg' table */
setobj2n(L, luaH_setnum(L, htab, i+1), L->top - nvar + i);
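Review bot: the enlarged reservation in luaD_checkstack(L, p->maxstacksize + p->numparams) has no comment saying why the fixed-parameter count is added on top of maxstacksize. Judging by the context lines (the VARARG_HASARG assert and the creation of the arg table), this call also appears to sit only on the path that builds the old-style arg table. Please add a one-line comment above the call naming what the extra numparams slots are reserved for. Also confirm against the full adjust_varargs body that vararg calls which never reach this line get the same reservation before the stack is written, since the hunk alone does not show that. It would also help to carry the CVE id in the patch header so the packaged patch is traceable to this report.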

Closed by Caleb Maclennan (alerque)
Wednesday, 20 September 2023, 06:41 GMT
Reason for closing: Fixed
Additional comments about closing: 5.1.5-10 includes this patch
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.
