[Bug 2064772] New: CVE-2021-44964 lua: use after free allows Sandbox Escape
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2064772
Bug ID: 2064772
Summary: CVE-2021-44964 lua: use after free allows Sandbox Escape
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: pdelbell(a)redhat.com
CC: 4le(a)live.com, caswilli(a)redhat.com,
csutherl(a)redhat.com, drjohnson1(a)gmail.com,
fedora(a)famillecollet.com, fjansen(a)redhat.com,
gzaronik(a)redhat.com, hdegoede(a)redhat.com,
jburrell(a)redhat.com, jclere(a)redhat.com,
jwon(a)redhat.com, kaycoth(a)redhat.com,
krathod(a)redhat.com,
lua-packagers-sig(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, michel(a)michel-slm.name,
moceap(a)hotmail.com, mschmidt(a)redhat.com,
mturk(a)redhat.com, packaging-team-maint(a)redhat.com,
pjindal(a)redhat.com, rob.myers(a)gtri.gatech.edu,
spotrh(a)gmail.com, szappis(a)redhat.com
Target Milestone: ---
Classification: Other
Use after free in garbage collector and finalizer of lgc.c in Lua interpreter
5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script
file.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44964
https://github.com/Lua-Project/lua-5.4.4-sandbox-escape-with-new-vulnerab...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44964
http://lua-users.org/lists/lua-l/2021-12/msg00007.html
http://lua-users.org/lists/lua-l/2021-12/msg00015.html
http://lua-users.org/lists/lua-l/2021-12/msg00030.html
http://lua-users.org/lists/lua-l/2021-11/msg00186.html
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2064772
4 months, 3 weeks
[Bug 2047672] New: CVE-2021-43519 lua: stack overflow in lua_resume of ldo.c allows a DoS via a crafted script file
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2047672
Bug ID: 2047672
Summary: CVE-2021-43519 lua: stack overflow in lua_resume of ldo.c allows a DoS via a crafted script file
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: 4le(a)live.com, bdettelb(a)redhat.com,
caswilli(a)redhat.com, csutherl(a)redhat.com,
drjohnson1(a)gmail.com, fjansen(a)redhat.com,
gzaronik(a)redhat.com, jburrell(a)redhat.com,
jclere(a)redhat.com, jwon(a)redhat.com,
kaycoth(a)redhat.com, krathod(a)redhat.com,
lua-packagers-sig(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, michel(a)michel-slm.name,
mturk(a)redhat.com, packaging-team-maint(a)redhat.com,
pjindal(a)redhat.com, rob.myers(a)gtri.gatech.edu,
spotrh(a)gmail.com, szappis(a)redhat.com,
tkasparek(a)redhat.com
Target Milestone: ---
Classification: Other
Stack overflow in lua_resume of ldo.c in Lua Interpreter allows attackers to
perform a Denial of Service via a crafted script file.
Reference:
http://lua-users.org/lists/lua-l/2021-11/msg00015.html
http://lua-users.org/lists/lua-l/2021-10/msg00123.html
6 months, 2 weeks
[Bug 2111138] New: luac: free(): double free detected in tcache 2
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2111138
Bug ID: 2111138
Summary: luac: free(): double free detected in tcache 2
Product: Fedora
Version: 36
Status: NEW
Component: lua
Assignee: spotrh(a)gmail.com
Reporter: cra(a)fea.st
QA Contact: extras-qa(a)fedoraproject.org
CC: 4le(a)live.com, drjohnson1(a)gmail.com,
lua-packagers-sig(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, michel(a)michel-slm.name,
rob.myers(a)gtri.gatech.edu, spotrh(a)gmail.com
Target Milestone: ---
Classification: Fedora
Created attachment 1899463
--> https://bugzilla.redhat.com/attachment.cgi?id=1899463&action=edit
proposed fix for luac double free
Description of problem:
luac crashes with a double free when building lsyncd on f36 on armv7hl.
Strangely, it builds fine on f37 and on other f36 arches.
Version-Release number of selected component (if applicable):
lua-5.4.4-1.fc36
How reproducible:
always
Steps to Reproduce:
1. fedpkg clone lsyncd
2. fedpkg switch-branch f36
3. fedpkg scratch-build
Actual results:
https://koji.fedoraproject.org/koji/taskinfo?taskID=90077485
Building target platforms: armv7hl
Building for target armv7hl
...
gmake[2]: Entering directory '/builddir/build/BUILD/lsyncd-2.3.0/redhat-linux-build'
/usr/bin/cmake -E create_symlink /builddir/build/BUILD/lsyncd-2.3.0/tests tests
Compiling built-in runner
Compiling built-in default configs
/usr/bin/luac -o defaults.out /builddir/build/BUILD/lsyncd-2.3.0/default.lua /builddir/build/BUILD/lsyncd-2.3.0/default-rsync.lua /builddir/build/BUILD/lsyncd-2.3.0/default-rsyncssh.lua /builddir/build/BUILD/lsyncd-2.3.0/default-direct.lua
/usr/bin/luac -o runner.out /builddir/build/BUILD/lsyncd-2.3.0/lsyncd.lua
free(): double free detected in tcache 2
gmake[2]: Leaving directory '/builddir/build/BUILD/lsyncd-2.3.0/redhat-linux-build'
[ 22%] Built target prepare_tests
[ 33%] Generating runner.c
/usr/bin/cmake -E echo Generating\ built-in\ runner\ linkable
Generating built-in runner linkable
/usr/bin/lua /builddir/build/BUILD/lsyncd-2.3.0/bin2carray.lua runner.out runner runner.c
gmake[2]: *** [CMakeFiles/lsyncd.dir/build.make:96: defaults.out] Aborted (core dumped)
gmake[2]: *** Deleting file 'defaults.out'
gmake[2]: Leaving directory '/builddir/build/BUILD/lsyncd-2.3.0/redhat-linux-build'
gmake[1]: Leaving directory '/builddir/build/BUILD/lsyncd-2.3.0/redhat-linux-build'
gmake[1]: *** [CMakeFiles/Makefile2:194: CMakeFiles/lsyncd.dir/all] Error 2
gmake: *** [Makefile:139: all] Error 2
Expected results:
No crash
Additional info:
Upstream mailing list proposes this fix which I've attached as a patch:
http://lua-users.org/lists/lua-l/2022-02/msg00113.html
8 months, 3 weeks