[Bug 2177239] New: Lua scripts use an unsafe package path
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2177239
Bug ID: 2177239
Summary: Lua scripts use an unsafe package path
Product: Fedora
Version: 37
Status: NEW
Component: lua
Assignee: spotrh(a)gmail.com
Reporter: arstoffel(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: 4le(a)live.com, drjohnson1(a)gmail.com,
lua-packagers-sig(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, michel(a)michel-slm.name,
spotrh(a)gmail.com
Target Milestone: ---
Classification: Fedora
Description of problem:
By default, Lua allows loading code from the current directory, and Fedora
doesn't change this in packaged scripts installed in the system path. This has
security implications.
Steps to Reproduce:
1. Install any package that provides a #!/usr/bin/lua script, such as (but not
limited to) luarocks
2. In the terminal: echo 'os.execute("echo rm -rf /")' > lfs.lua; luarocks --version
Actual results:
$ luarocks --version
rm -rf /
/usr/bin/lua: /usr/share/lua/5.4/luarocks/fs/lua.lua:299: attempt to index a boolean value (upvalue 'lfs')
stack traceback:
/usr/share/lua/5.4/luarocks/fs/lua.lua:299: in function 'luarocks.fs.lua.current_dir'
(...tail calls...)
/usr/share/lua/5.4/luarocks/fs/unix.lua:50: in function 'luarocks.fs.unix.absolute_name'
(...tail calls...)
/usr/share/lua/5.4/luarocks/fs/linux.lua:8: in function 'luarocks.fs.linux.is_dir'
(...tail calls...)
/usr/share/lua/5.4/luarocks/fs/lua.lua:193: in function 'luarocks.fs.lua.dir'
(...tail calls...)
/usr/share/lua/5.4/luarocks/fs/lua.lua:177: in function 'luarocks.fs.lua.list_dir'
(...tail calls...)
/usr/share/lua/5.4/luarocks/fs/lua.lua:229: in function 'luarocks.fs.lua.modules'
(...tail calls...)
/usr/share/lua/5.4/luarocks/cmd.lua:511: in function 'luarocks.cmd.run_command'
/home/augusto/Projects/digestif/.luarocks/lib/luarocks/rocks-5.4/luarocks/3.9.2-1/bin/luarocks:35: in main chunk
[C]: in ?
Expected results:
$ luarocks --version
/usr/bin/luarocks 3.9.1
LuaRocks main command-line interface
Additional info:
I'm using the following fix on a Lua program I maintain:
#!/usr/bin/env lua
-- Remove relative directories from package path and cpath.
-- "%f[^\0;]" is a frontier pattern: it matches at the start of each ';'-separated
-- entry (start of string or just after a ';'). Entries beginning with '.' are
-- removed, then the ';' separators left behind are collapsed and trimmed.
package.path = package.path:gsub("%f[^\0;]%.[^;]*", ""):gsub(";+", ";"):gsub("^;", ""):gsub(";$", "")
package.cpath = package.cpath:gsub("%f[^\0;]%.[^;]*", ""):gsub(";+", ";"):gsub("^;", ""):gsub(";$", "")
Fedora can probably do better and use hardcoded package.path and cpath values,
since these are known in advance.
Scripts with the #!/usr/bin/texlua shebang also might be affected by this
issue. Since texlua provides an alternative method to find packages based on
kpathsea, something like this should be used as well:
os.setenv("TEXMFDOTDIR", "/dev/null")
However, this last modification will break programs that expect to find TeX
files in the current directory. I don't know of a more fine grained way that
would allow that but still exclude random Lua libraries from being found.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2177239
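An added example (editor's code, not part of the bug report or of Fedora's lua/luarocks packages) of the hardening the report asks for: keep only absolute search templates in package.path and package.cpath, then confirm that require() no longer consults the working directory. It also shows why the PoC works even though "./?.lua" sits at the end of the default path: require() runs the package.path (Lua file) searcher before the package.cpath (C module) searcher, so a ./lfs.lua in the cwd shadows the system lfs.so. The sample path string is constructed to look like a Fedora layout; package.searchpath is used for the check because it only stats files and never loads them. Note that LUA_PATH / LUA_CPATH environment variables are a second way to inject entries; assigning absolute values after start-up, as below, overrides those too, whereas "lua -E" ignores the environment but does not remove the "./" entries.

```lua
#!/usr/bin/env lua
-- Added example; assumes Lua 5.2+ (package.searchpath, string.gmatch).

-- Keep only templates that start with '/', dropping "./?.lua", "../x/?.lua",
-- "lib/?.lua" and any other cwd-relative entry.
local function drop_relative(path)
  local kept = {}
  for template in path:gmatch("[^;]+") do
    if template:sub(1, 1) == "/" then
      kept[#kept + 1] = template
    end
  end
  return table.concat(kept, ";")
end

-- Return the list of templates that would be resolved relative to the cwd.
local function relative_templates(path)
  local found = {}
  for template in path:gmatch("[^;]+") do
    if template:sub(1, 1) ~= "/" then
      found[#found + 1] = template
    end
  end
  return found
end

-- Constructed sample mirroring an upstream-style default (luaconf.h puts the
-- "./" entries last; the Lua-file searcher still runs before the C searcher).
local sample = "/usr/share/lua/5.4/?.lua;/usr/share/lua/5.4/?/init.lua;"
            .. "/usr/lib64/lua/5.4/?.lua;./?.lua;./?/init.lua"
assert(#relative_templates(sample) == 2)
assert(drop_relative(sample) ==
  "/usr/share/lua/5.4/?.lua;/usr/share/lua/5.4/?/init.lua;/usr/lib64/lua/5.4/?.lua")

-- Harden the running interpreter. This must happen before the first require().
package.path  = drop_relative(package.path)
package.cpath = drop_relative(package.cpath)
assert(#relative_templates(package.path) == 0)
assert(#relative_templates(package.cpath) == 0)

-- package.searchpath returns the file it found, or nil plus a list of every
-- candidate it tried. Either way no "./" candidate may appear any more.
local found, tried = package.searchpath("lfs", package.path)
assert(found or not tried:find("'./", 1, true),
       "cwd is still on the module search path")
print("package.path  = " .. package.path)
print("package.cpath = " .. package.cpath)
```

Run it as a normal script from a directory containing a stray lfs.lua: before the two assignments, `package.searchpath("lfs", package.path)` returns "./lfs.lua"; afterwards it only reports the system directories. For a distribution-installed script the simpler option the report suggests, assigning the known absolute path strings outright, gives the same result without any pattern matching.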
[Bug 2192164] New: luarocks-3.9.1 installs to /usr/lib instead of /usr/lib64
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2192164
Bug ID: 2192164
Summary: luarocks-3.9.1 installs to /usr/lib instead of
/usr/lib64
Product: Fedora
Version: rawhide
Status: NEW
Component: luarocks
Assignee: michel(a)michel-slm.name
Reporter: ferdnyc(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
ktdreyer(a)ktdreyer.com,
lua-packagers-sig(a)lists.fedoraproject.org,
michel(a)michel-slm.name
Target Milestone: ---
Classification: Fedora
Description of problem:
I messed up.
As I detail at the end of this Fedora Discussions thread[1], when I submitted
the PR for the luarocks-3.9.1 update, I mistakenly dropped the Fedora patch
that was correcting the default arch-specific library install dir to /usr/lib64
instead of /usr/lib.
So, without that patch, luarocks installs to the wrong library directory.
[1]:
https://discussion.fedoraproject.org/t/luarocks-does-not-install-into-lib...
Version-Release number of selected component (if applicable):
luarocks-3.9.1-1.fc39 (luarocks on f38 and f37 is also affected; possibly EPEL
as well)
How reproducible:
100%
Steps to Reproduce:
1. `sudo luarocks --global install LuaFileSystem`
2. `ls /usr/lib64/lua/5.4/lfs.so`
3. `ls /usr/lib/lua/5.4/lfs.so`
Actual results:
2: ls: cannot access '/usr/lib64/lua/5.4/lfs.so': No such file or directory
3: /usr/lib/lua/5.4/lfs.so
Expected results:
2: /usr/lib64/lua/5.4/lfs.so
3: ls: cannot access '/usr/lib/lua/5.4/lfs.so': No such file or directory
Additional info:
I've already submitted a PR [2] to correct this on rawhide. I'll be happy to
submit backport PRs for f38 and f37 as well, if need be. Any chance we could
get new builds, to correct this unfortunate screw-up on my part?
(I'll even add in an update to luarocks-3.9.2, since that's been released now,
so we kill two birds with one bodhi update.)
[Bug 2167829] New: [RFE: EPEL9] EPEL9 branch for luarocks
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2167829
Bug ID: 2167829
Summary: [RFE: EPEL9] EPEL9 branch for luarocks
Product: Fedora EPEL
Version: epel9
Status: NEW
Component: luarocks
Assignee: michel(a)michel-slm.name
Reporter: riehecky(a)fnal.gov
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
ktdreyer(a)ktdreyer.com,
lua-packagers-sig(a)lists.fedoraproject.org,
michel(a)michel-slm.name
Target Milestone: ---
Classification: Fedora
Description of problem:
Can luarocks be branched for EPEL9?
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
[Bug 2064772] New: CVE-2021-44964 lua: use after free allows Sandbox Escape
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2064772
Bug ID: 2064772
Summary: CVE-2021-44964 lua: use after free allows Sandbox
Escape
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: pdelbell(a)redhat.com
CC: 4le(a)live.com, caswilli(a)redhat.com,
csutherl(a)redhat.com, drjohnson1(a)gmail.com,
fedora(a)famillecollet.com, fjansen(a)redhat.com,
gzaronik(a)redhat.com, hdegoede(a)redhat.com,
jburrell(a)redhat.com, jclere(a)redhat.com,
jwon(a)redhat.com, kaycoth(a)redhat.com,
krathod(a)redhat.com,
lua-packagers-sig(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, michel(a)michel-slm.name,
moceap(a)hotmail.com, mschmidt(a)redhat.com,
mturk(a)redhat.com, packaging-team-maint(a)redhat.com,
pjindal(a)redhat.com, rob.myers(a)gtri.gatech.edu,
spotrh(a)gmail.com, szappis(a)redhat.com
Target Milestone: ---
Classification: Other
Use after free in garbage collector and finalizer of lgc.c in Lua interpreter
5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script
file.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44964
https://github.com/Lua-Project/lua-5.4.4-sandbox-escape-with-new-vulnerab...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44964
http://lua-users.org/lists/lua-l/2021-12/msg00007.html
http://lua-users.org/lists/lua-l/2021-12/msg00015.html
http://lua-users.org/lists/lua-l/2021-12/msg00030.html
http://lua-users.org/lists/lua-l/2021-11/msg00186.html