This bug was fixed in the package lua5.2 - 5.2.0-2ubuntu0.1

---------------
lua5.2 (5.2.0-2ubuntu0.1) precise-security; urgency=medium

  * SECURITY UPDATE: possible code execution via overflow in vararg
    functions (LP: #1362278)
    - debian/patches/CVE-2014-5461.patch: properly calculate length in
      src/ldo.c.
    - CVE-2014-5461
 -- Marc Deslauriers <[email protected]>   Wed, 03 Sep 2014 07:39:25 -0400

** Changed in: lua5.1 (Ubuntu Trusty)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of
Translators Packages, which is subscribed to lua5.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1362278

Title:
  Stack overflow in vararg functions with many fixed parameters called
  with few arguments

Status in “lua5.1” package in Ubuntu:
  Fix Released
Status in “lua5.2” package in Ubuntu:
  Fix Released
Status in “lua5.1” source package in Precise:
  Fix Released
Status in “lua5.2” source package in Precise:
  Fix Released
Status in “lua5.1” source package in Trusty:
  Fix Released
Status in “lua5.2” source package in Trusty:
  Fix Released
Status in “lua5.1” source package in Utopic:
  Fix Released
Status in “lua5.2” source package in Utopic:
  Fix Released

Bug description:
  See http://www.lua.org/bugs.html section 5.2.2 for details. Essentially:
  Stack overflow in vararg functions with many fixed parameters called with few arguments.
  reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3.

  Example:

  function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
             p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
             p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
             p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
             p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
    local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
  end

  f()   -- crashes on some machines

  Patch:

  ldo.c:
  @@ -324,7 +324,7 @@
       case LUA_TLCL: {  /* Lua function: prepare its call */
         StkId base;
         Proto *p = clLvalue(func)->p;
  -      luaD_checkstack(L, p->maxstacksize);
  +      luaD_checkstack(L, p->maxstacksize + p->numparams);
         func = restorestack(L, funcr);
         n = cast_int(L->top - func) - 1;  /* number of real arguments */
         for (; n < p->numparams; n++)
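
Review bot: the new `p->maxstacksize + p->numparams` reservation in the `LUA_TLCL` case has no comment saying why the fixed-parameter count is added on top of the frame size, and it applies to every Lua function although the bug title concerns vararg functions only. A one-line comment above the `luaD_checkstack` call stating what the extra `p->numparams` slots are for would help, and a regression test built from the `f()` example in the bug description would keep the check from being reduced again. Because the check runs before `n` is computed, it cannot depend on the actual argument count; please confirm that the added term is meant to cover the worst case of zero arguments, where the `for (; n < p->numparams; n++)` loop has to fill every fixed parameter.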
