Some security problems (with fixes)

Bug #241652 reported by Reuben Thomas
Affects            Status        Importance  Assigned to  Milestone
lua5.1 (Ubuntu)    Fix Released  Low         Kees Cook
Dapper             Won't Fix     Low         Unassigned
Gutsy              Won't Fix     Low         Unassigned
Hardy              Won't Fix     Low         Unassigned
Intrepid           Won't Fix     Low         Unassigned
Jaunty             Fix Released  Low         Kees Cook

Bug Description

Binary package hint: lua5.1

There are various bugs in Lua 5.1.3 with security implications. See

http://www.lua.org/bugs.html

Since Lua 5.1.x releases only fix bugs in Lua 5.1, this bug should also be considered for updates to other currently supported releases. Individual patches for all bugs are given on the above page, so it would also be possible just to patch those bugs considered serious enough to merit it.

Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. It's not clear to me what fixes were security-relevant. Were there CVE issues for the lua fixes?

Changed in lua5.1:
assignee: nobody → kees
importance: Undecided → Medium
status: New → Incomplete
Reuben Thomas (rrt) wrote :

There were no CVEs. The security implications are as follows:

http://www.lua.org/bugs.html under "5.1.3":

 * patch 2 fixes a potential stack overflow.
 * patch 4 fixes a crash (possible DoS for Lua-scripted applications that run user scripts)
 * patch 5 fixes a crash (ditto)
 * patch 6 fixes a stack overflow
 * patch 8 fixes the ability to create booleans that are neither true nor false

These patches all affect the interpretation of Lua code; Lua is widely used in Ubuntu for application scripting. Hence, at the very least, a stack overflow is a potential security problem. Some of the other bugs patched may have security implications too, as they all allow incorrect execution of code.

Kees Cook (kees) wrote :

These issues were all fixed in lua5.1 5.1.3 (which is in intrepid and jaunty). I've opened tasks for Dapper, Gutsy, and Hardy if someone wants to create backported patches.

Changed in lua5.1 (Ubuntu):
status: Incomplete → Confirmed
status: Confirmed → Invalid
Changed in lua5.1 (Ubuntu Dapper):
importance: Undecided → Low
status: New → Triaged
Changed in lua5.1 (Ubuntu Gutsy):
importance: Undecided → Low
status: New → Triaged
Changed in lua5.1 (Ubuntu Hardy):
importance: Undecided → Low
status: New → Triaged
Changed in lua5.1 (Ubuntu):
status: Invalid → Fix Released
Reuben Thomas (rrt) wrote :

The previous comment is incorrect. The bugs were fixed in Lua 5.1 5.1.4, which is not currently in Ubuntu.

Kees Cook (kees) wrote :

If that's the case, I find the bugs.html url to be confusing. On a closer read, I do see the "Fixed in 5.1.4" notes on the bugs. Are any of the bugs exploitable by 3rd parties?

Changed in lua5.1 (Ubuntu):
importance: Medium → Low
status: Fix Released → Triaged
Changed in lua5.1 (Ubuntu Intrepid):
importance: Undecided → Low
status: New → Triaged
Reuben Thomas (rrt) wrote :

I'm sorry, I don't know what is exploitable by third parties. The obvious questions to ask include: what applications including Lua code take input which could trigger one of the bugs, of which a significant sub-question is: what applications take Lua code as input?

Clearly in principle these bugs could be exploited; whether they can be exploited in any application shipped in Ubuntu is much more difficult to answer.

Again, since Lua 5.1.4 is simply a bug-fix release for 5.1.3, which fixes the bugs mentioned on the bugs.html page, and only those bugs, the simplest and safest course of action seems to be to update to it.

Kees Cook (kees) wrote :

After some discussion with other security folks, I've decided to not treat these bugfixes as security issues. Using lua on untrusted code would be considered a security issue in itself, but that would not be lua's fault. The bugs are only triggerable via untrusted code, so this is not likely to become a problem for lua itself.

That said, once the Jaunty Beta Freeze has lifted, I will get lua5.1 5.1.4 synchronized from Debian. Thanks for all the feedback on this report!

Changed in lua5.1 (Ubuntu Dapper):
status: Triaged → Won't Fix
Changed in lua5.1 (Ubuntu Gutsy):
status: Triaged → Won't Fix
Changed in lua5.1 (Ubuntu Hardy):
status: Triaged → Won't Fix
Changed in lua5.1 (Ubuntu Intrepid):
status: Triaged → Won't Fix
Changed in lua5.1 (Ubuntu Jaunty):
milestone: none → ubuntu-9.04
status: Triaged → In Progress
Reuben Thomas (rrt) wrote :

Some of the bugs, e.g. 2 & 10, can cause DoS from correct application code, conceivably triggered by inputs from untrusted sources. But I agree the risk looks small.

Kees Cook (kees) wrote :

bug 350420 is the Jaunty lua5.1 sync request.

Steve Langasek (vorlon) wrote :

lua5.1 synced from Debian unstable, closing this bug report.

Changed in lua5.1:
status: In Progress → Fix Released