translators-packages team mailing list archive
Message #00248
[Bug 1362278] Re: Stack overflow in vararg functions with many fixed parameters called with few arguments
This bug was fixed in the package lua5.1 - 5.1.5-5ubuntu0.1
---------------
lua5.1 (5.1.5-5ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: possible code execution via overflow in vararg
    functions (LP: #1362278)
    - debian/patches/CVE-2014-5461.patch: properly calculate length in
      src/ldo.c.
    - CVE-2014-5461

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Tue, 02 Sep 2014 12:46:04 -0400
--
You received this bug notification because you are a member of
Translators Packages, which is subscribed to lua5.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1362278
Title:
  Stack overflow in vararg functions with many fixed parameters called
  with few arguments

Status in “lua5.1” package in Ubuntu:
  Fix Released
Status in “lua5.2” package in Ubuntu:
  Fix Released
Status in “lua5.1” source package in Precise:
  Fix Released
Status in “lua5.2” source package in Precise:
  Fix Released
Status in “lua5.1” source package in Trusty:
  Fix Released
Status in “lua5.2” source package in Trusty:
  Fix Released
Status in “lua5.1” source package in Utopic:
  Fix Released
Status in “lua5.2” source package in Utopic:
  Fix Released

Bug description:
See http://www.lua.org/bugs.html section 5.2.2 for details. Essentially:
Stack overflow in vararg functions with many fixed parameters called with few arguments.
reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3.
Example:

  function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
             p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
             p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
             p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
             p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
    local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
  end

  f()   -- crashes on some machines

Patch:
ldo.c:
@@ -324,7 +324,7 @@
case LUA_TLCL: { /* Lua function: prepare its call */
StkId base;
Proto *p = clLvalue(func)->p;
- luaD_checkstack(L, p->maxstacksize);
+ luaD_checkstack(L, p->maxstacksize + p->numparams);
func = restorestack(L, funcr);
n = cast_int(L->top - func) - 1; /* number of real arguments */
for (; n < p->numparams; n++)
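
Review bot: the changed luaD_checkstack call has no comment saying why p->numparams is reserved on top of p->maxstacksize, and the reservation is unconditional for every LUA_TLCL call although the bug is described for vararg functions only. A short comment on the `+` line naming the slots the extra p->numparams covers would keep a later cleanup from reverting it to p->maxstacksize alone. If the extra room is needed only on the vararg path, say so or gate it there; otherwise note that the over-reservation for non-vararg functions is intentional. The visible context also shows `for (; n < p->numparams; n++)` filling in missing arguments right after the check, so a regression test based on the reported f() case (many fixed parameters, zero arguments) should accompany the patch.
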