oss-sec mailing list archives
Re: Lua CVE request [was Re: CVE request: possible overflow in vararg functions]
From: cve-assign () mitre org
Date: Wed, 27 Aug 2014 01:20:39 -0400 (EDT)
http://www.lua.org/bugs.html#5.2.2-1 Stack overflow in vararg functions with many fixed parameters called with few arguments.
Use CVE-2014-5461.
Lua has some sandboxing functionality, but it can be bypassed by supplying precompiled bytecode. There have been extensive discussions about this on the lua-users mailing list, e.g.: <http://lua-users.org/lists/lua-l/2011-10/msg01215.html>
We did not immediately find information to decide on the number of CVE IDs. Picking a few random frames from http://www.youtube.com/watch?v=OSMOTDLrBCQ suggested that approximately three CVE-2011-#### IDs could be assigned. If anyone has better information, or even the same information in a text format, that could be useful (if the CVE-2011-#### IDs are needed).
-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
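The sandbox concern mentioned in the message above (precompiled bytecode reaching the chunk loader) is usually handled by loading untrusted input as text only. The following is an added example, not part of the original message or of Lua's own code; it assumes Lua 5.2 or later, and `load_untrusted` and `sandbox_env` are hypothetical names:

```lua
-- Added example: refuse precompiled bytecode when loading untrusted chunks.
-- Assumes Lua 5.2+, where load() accepts a mode argument ("t", "b" or "bt").

-- Every precompiled chunk starts with this header (ESC followed by "Lua").
local BYTECODE_SIGNATURE = "\27Lua"

-- Hypothetical helper: compile `source` for use inside a sandbox environment.
local function load_untrusted(source, chunkname, env)
  if type(source) ~= "string" then
    return nil, "chunk must be a string"
  end
  -- Explicit header check, so the rejection can be logged with a clear reason.
  if source:sub(1, #BYTECODE_SIGNATURE) == BYTECODE_SIGNATURE then
    return nil, "precompiled bytecode rejected"
  end
  -- Mode "t" makes load() itself refuse binary chunks (second layer).
  return load(source, chunkname, "t", env)
end

-- Constructed minimal environment: no load, loadstring, or string.dump exposed.
local sandbox_env = { print = print }

-- Constructed sample inputs: the same function as source text and as bytecode.
local text_chunk = "return 1 + 1"
local binary_chunk = string.dump(function() return 1 + 1 end)

-- Source text is compiled and runs inside the sandbox environment.
local f = assert(load_untrusted(text_chunk, "=text", sandbox_env))
assert(f() == 2)

-- The bytecode form of the same function is refused by the helper.
local g, err = load_untrusted(binary_chunk, "=binary", sandbox_env)
assert(g == nil and err == "precompiled bytecode rejected")

-- load() with mode "t" refuses it as well, even without the header check.
local h, load_err = load(binary_chunk, "=binary", "t", sandbox_env)
assert(h == nil)
print("load refused binary chunk: " .. tostring(load_err))

-- With the default mode ("bt") the binary chunk is accepted, which is the
-- behaviour a sandbox has to rule out.
assert(load(binary_chunk, "=binary", nil, sandbox_env))
```

On Lua 5.1 the loaders take no mode argument, so the header check is the only one of the two layers available there.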