translators-packages team mailing list archive

Thread
Date

[Bug 1362278] Re: Stack overflow in vararg functions with many fixed parameters called with few arguments

To: translators-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1362278@xxxxxxxxxxxxxxxxxx>
Date: Wed, 03 Sep 2014 13:22:08 -0000
Reply-to: Bug 1362278 <1362278@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package lua5.1 - 5.1.4-12ubuntu1.1

---------------
lua5.1 (5.1.4-12ubuntu1.1) precise-security; urgency=medium

  * SECURITY UPDATE: possible code execution via overflow in vararg
    functions (LP: #1362278)
    - debian/patches/CVE-2014-5461.patch: properly calculate length in
      src/ldo.c.
    - CVE-2014-5461
 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>   Tue, 02 Sep 2014 12:47:05 -0400

** Changed in: lua5.1 (Ubuntu Precise)
       Status: Confirmed => Fix Released

** Changed in: lua5.2 (Ubuntu Precise)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of
Translators Packages, which is subscribed to lua5.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1362278

Title:
  Stack overflow in vararg functions with many fixed parameters called
  with few arguments

Status in “lua5.1” package in Ubuntu:
  Fix Released
Status in “lua5.2” package in Ubuntu:
  Fix Released
Status in “lua5.1” source package in Precise:
  Fix Released
Status in “lua5.2” source package in Precise:
  Fix Released
Status in “lua5.1” source package in Trusty:
  Fix Released
Status in “lua5.2” source package in Trusty:
  Fix Released
Status in “lua5.1” source package in Utopic:
  Fix Released
Status in “lua5.2” source package in Utopic:
  Fix Released

Bug description:
  See http://www.lua.org/bugs.html section 5.2.2 for details. Essentially:
  Stack overflow in vararg functions with many fixed parameters called with few arguments.
  reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3.

  Example:

  function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
             p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
             p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
             p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
             p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
    local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
  end

  f()   -- crashes on some machines

  Patch:

  ldo.c:
  @@ -324,7 +324,7 @@
       case LUA_TLCL: {  /* Lua function: prepare its call */
         StkId base;
         Proto *p = clLvalue(func)->p;
  -      luaD_checkstack(L, p->maxstacksize);
  +      luaD_checkstack(L, p->maxstacksize + p->numparams);
         func = restorestack(L, funcr);
         n = cast_int(L->top - func) - 1;  /* number of real arguments */
         for (; n < p->numparams; n++)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lua5.1/+bug/1362278/+subscriptions