Bug 1174367 (CVE-2020-15888) - VUL-0: CVE-2020-15888: lua,lua51,lua53,lua54: mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free
Status: RESOLVED FIXED
Alias: CVE-2020-15888
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority / Severity: P3 - Medium / Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/264073/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-15888:7.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-22 07:03 UTC by Wolfgang Frisch
Modified: 2024-07-26 10:00 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Wolfgang Frisch 2020-07-22 08:53:56 UTC
SUSE:SLE-11:Update   lua       Affected [1]
SUSE:SLE-12:Update   lua       Not affected [2]
SUSE:SLE-12:Update   lua51     Not affected [2]
SUSE:SLE-15:Update   lua51     Not affected [2]
SUSE:SLE-15:Update   lua53     Not affected [2]
openSUSE:Factory     lua53     Not Affected [2]
openSUSE:Factory     lua54     Affected [3]

[1] ERROR: AddressSanitizer: heap-buffer-overflow
[2] Not reproducible.
[3] ERROR: AddressSanitizer: heap-use-after-free
Comment 2 Callum Farmer 2020-08-21 17:41:12 UTC
Doing it now.
Comment 3 OBSbugzilla Bot 2020-08-21 19:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1174367) was mentioned in
https://build.opensuse.org/request/show/828560 Factory / lua54
Comment 4 Callum Farmer 2020-09-23 12:36:57 UTC
COMPLETED
Comment 5 Wolfgang Frisch 2020-09-24 08:01:27 UTC
SUSE:SLE-11:Update needs a fix as well.
Comment 6 Matej Cepl 2020-09-25 14:20:27 UTC
(In reply to Wolfgang Frisch from comment #5)
> SUSE:SLE-11:Update needs a fix as well.

I have analysed the code, and it is my opinion that lua 5.1.4 is just too far from lua 5.4 for which this patch has been created (for example, luaD_call function has 12 LOC in 5.1.4, and 56 LOC in the master of https://git.io/JUa2h).

I suggested making this WONTFIX for SLE-11.
Comment 7 Simon Logan 2021-09-23 11:11:04 UTC
At 2020-07-22 08:53:56 UTC @Wolfgang Frisch could not reproduce these issues with SUSE:SLE-15:Update.
Does this apply also to Leap 15.2 and 15.3?

Thanks,
Simon
Comment 8 Simon Logan 2021-11-12 12:06:50 UTC
Hi Team, I see you've provided a fix for Tumbleweed.
Please confirm whether you believe Leap 15.2 is unaffected.

Thanks,
Simon
Comment 9 Denver McCallen 2022-03-24 15:35:19 UTC
Hi Team, I see that this issue was fixed in Tumbleweed and it is marked as unaffected in SLES 15 SP3.

Can you please confirm if Leap 15.3 is also unaffected?
Comment 11 Callum Farmer 2022-03-25 13:43:11 UTC
Fixed in all current SUSE releases
Comment 12 Gianluca Gabrielli 2022-03-28 10:26:53 UTC
Hi Callum,

May I ask why you closed this issue? SLE security-related issues have to be reassigned back to security-team@suse.de; we then proceed to monitor the submissions and close the issue. Moreover, I still don't see the submission I requested in comment 10.
Comment 13 Callum Farmer 2022-03-28 12:26:58 UTC
I can't see comment 10 (here or on email)
Comment 14 Matej Cepl 2022-06-24 10:03:58 UTC
(In reply to Gianluca Gabrielli from comment #12)
> Moreover, I still don't see the submission I requested in comment 10.

Read comment 6 again, please. It is not that I wouldn't bother with SLE-11, just that the underlying functions are not there.
Comment 20 Andrea Mattiazzo 2024-07-26 10:00:05 UTC
All done, closing.