
Upgrade Lua bundled binary for CVE-2014-5461
Closed, ResolvedPublic

Description

Brad did the last recompilation of the Lua binaries for Linux, on a system with an old libc, so maybe he could do this one too. It is a one line patch to fix a possible internal stack overflow:

--- lua5.1-5.1.5.orig/src/ldo.c	2012-01-17 21:27:10.000000000 -0500
+++ lua5.1-5.1.5/src/ldo.c	2014-09-02 12:01:46.575057692 -0400
@@ -274,7 +274,7 @@
     CallInfo *ci;
     StkId st, base;
     Proto *p = cl->p;
-    luaD_checkstack(L, p->maxstacksize);
+    luaD_checkstack(L, p->maxstacksize + p->numparams);
     func = restorestack(L, funcr);
     if (!p->is_vararg) {  /* no varargs? */
       base = func + 1;
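Review bot: the reason for the extra `p->numparams` slots in the reservation is not recorded at the call site; add a one-line comment above `luaD_checkstack(L, p->maxstacksize + p->numparams);` stating that the additional headroom covers the fixed parameters that get relocated on the vararg path (the `if (!p->is_vararg)` branch that follows), so that a later reader does not take the larger reservation for a redundant over-allocation and revert it.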

There has not been an upstream release. It appears that luabinaries.sourceforge.net has not yet been updated, so we may need to compile our own Windows and Mac OS X binaries.

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 3:57 AM
bzimport set Reference to bz70541.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "acl*security (Project)". Nov 22 2014, 3:57 AM
Restricted Application changed the edit policy from "All Users" to "acl*security (Project)".

(In reply to Tim Starling from comment #0)

Brad did the last recompilation of the Lua binaries for Linux, on a system
with an old libc, so maybe he could do this one too.

Doing it now.

For future reference (in case someday not-me needs to do this), the process is simple enough: download the CentOS 5 netinst CD images for i386 and x86_64, install each in appropriately-configured VMs, and then download the Lua 5.1 sources, patch, and compile.

Created attachment 16401
Lua 5.1.5 with patch, compiled on CentOS 5.10 32-bit


Created attachment 16402
Lua 5.1.5 with patch, compiled on CentOS 5.10 64-bit


Are these binaries public yet? I'm sending out an announcement for security updates to extensions soon, and it would be great to include this.

I think we're currently blocked on building similarly-patched binaries for Windows and OS X.

Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy". Nov 24 2014, 9:27 PM
Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy".
dpatrick triaged this task as High priority.
dpatrick added a project: Security-Team.
Anomie added a subscriber: siebrand.

@Anomie, @tstarling, have the binaries for Windows and OS X been built? Is this still relevant?

CVE Details indicates that the stack overflow is fixed as of Lua 5.2.3. Rather than building OS X and Windows binaries ourselves, can we upgrade the version of Lua bundled with Scribunto to 5.2.3 from luabinaries.sourceforge.net?

@Anomie, @tstarling, have the binaries for Windows and OS X been built?

Not that I know of.

Is this still relevant?

Probably.

CVE Details indicates that the stack overflow is fixed as of Lua 5.2.3. Rather than building OS X and Windows binaries ourselves, can we upgrade the version of Lua bundled with Scribunto to 5.2.3 from luabinaries.sourceforge.net?

I believe that would need a rewrite of the sandboxing for how the concept of environment changed between 5.1 and 5.2.

CVE Details indicates that the stack overflow is fixed as of Lua 5.2.3. Rather than building OS X and Windows binaries ourselves, can we upgrade the version of Lua bundled with Scribunto to 5.2.3 from luabinaries.sourceforge.net?

I believe that would need a rewrite of the sandboxing for how the concept of environment changed between 5.1 and 5.2.

Okay. Do you know of someone at the foundation or in the community who has previously built Windows and OS X binaries for distribution who might be able to patch and build 5.1.5 for us?

Do you know of someone at the foundation or in the community who has previously built Windows and OS X binaries for distribution who might be able to patch and build 5.1.5 for us?

The OS X binary was added in https://gerrit.wikimedia.org/r/#/c/9956/, so you might ask TheDJ if he built them himself or downloaded them somewhere. The Windows binaries were downloaded.

The build is (probably) simple enough if someone has access to a machine with the appropriate OS and a C compiler. See INSTALL in the Lua 5.1 sources.

  • On OS X you should be able to build with make macosx, although make generic might be better for us (see documentation in Scribunto's engines/LuaStandalone/binaries/ directory) and is probably what was used based on the directory name being "lua5_1_5_mac_lion_fat_generic". Chances are Lion or the next oldest OS version available would be most useful for the same reason we use CentOS 5 to build the Linux binaries.
  • As for Windows, the advice in INSTALL comes down to "load almost everything in one project and compile etc/all.c", and there's a script for Visual Studio .NET users (although I don't know whether that builds a standalone binary or a binary depending on a lua51.dll). Again, if applicable, it may be useful to depend on msvcr80.dll rather than a newer msvcr version.
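The Linux/OS X procedure described in the two comments above (patch `src/ldo.c`, run the INSTALL make target, then inspect what the binary links against) as an added shell example; it is not code from the task or from the Lua or Scribunto projects. It assumes an unpacked `lua-5.1.5` tree as its first argument and the upstream Makefile targets (`linux`, `macosx`, `generic`) from INSTALL.

```shell
#!/bin/sh
# Added example: apply the one-line CVE-2014-5461 fix idempotently, build,
# and show the binary's dynamic dependencies (otool -L / ldd, as in the task).
set -e

# The original and fixed lines, taken from the patch in the task description.
ORIG='luaD_checkstack(L, p->maxstacksize);'
FIXED='luaD_checkstack(L, p->maxstacksize + p->numparams);'

# Returns 0 when $1/src/ldo.c already carries the fix, non-zero otherwise.
ldo_is_patched() {
    grep -qF "$FIXED" "$1/src/ldo.c"
}

# Patch in place unless already done; refuse to touch a tree where neither the
# original nor the fixed line is present (wrong version or already diverged).
apply_cve_2014_5461_fix() {
    tree="$1"
    if ldo_is_patched "$tree"; then
        echo "already patched: $tree/src/ldo.c"
        return 0
    fi
    grep -qF "$ORIG" "$tree/src/ldo.c" || {
        echo "unexpected src/ldo.c in $tree, refusing to patch" >&2
        return 1
    }
    # Basic-regex sed: '(', ')', '>' and '+' are all literal here; a .bak copy
    # of the original file is kept beside it.
    sed -i.bak \
        's/luaD_checkstack(L, p->maxstacksize);/luaD_checkstack(L, p->maxstacksize + p->numparams);/' \
        "$tree/src/ldo.c"
    ldo_is_patched "$tree"
}

# Build for the given INSTALL target (default: generic, as used for the Mac
# binary in git) and print the shared libraries the result depends on.
build_and_inspect() {
    tree="$1"; platform="${2:-generic}"
    apply_cve_2014_5461_fix "$tree"
    make -C "$tree" "$platform"
    case "$(uname -s)" in
        Darwin) otool -L "$tree/src/lua" ;;
        *)      ldd "$tree/src/lua" ;;
    esac
}
```

Run as `sh build.sh /path/to/lua-5.1.5 linux` after sourcing, or call `build_and_inspect` directly; a clean tree is patched once and a second run reports it as already patched.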

@Anomie, thanks. This is helpful.

  • On OS X you should be able to build with make macosx, although make generic might be better for us (see documentation in Scribunto's engines/LuaStandalone/binaries/ directory) and is probably what was used based on the directory name being "lua5_1_5_mac_lion_fat_generic". Chances are Lion or the next oldest OS version available would be most useful for the same reason we use CentOS 5 to build the Linux binaries.

I think I have an old Mac mini with a fresh installation Lion or Mountain Lion. I'll try building it there.

  • As for Windows, the advice in INSTALL comes down to "load almost everything in one project and compile etc/all.c", and there's a script for Visual Studio .NET users (although I don't know whether that builds a standalone binary or a binary depending on a lua51.dll). Again, if applicable, it may be useful to depend on msvcr80.dll rather than a newer msvcr version.

I'll look into building this in a VM. I may have an XP or Vista VM with appropriate tools, and if not, may be able to build it in a trial version.

Here is lua-5.1.5, patched, and built on OS X Lion:

This binary is linked exactly the same way as the version in git:

$ otool -L lua
lua:
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.1.0)

Do we need to support XP here? We don't, do we, since Microsoft no longer officially supports it. My binaries don't work on XP for some reason.

The attached Windows binaries have been verified to work on Windows 7, Windows Server 2008, and Windows Server 2012. MWServer was started with the following invocation:

C:\Path\To\Scribunto\engines\LuaStandalone> C:\Path\To\lua_x64.exe mw_main.lua C:\Path\To\Scribunto 1234

The binaries were built from the x86 and x64 developer command lines configured for Visual Studio Community 2015. The binaries have not been linked against vcruntime140.dll (https://www.microsoft.com/en-us/download/details.aspx?id=40784). ListDLLs (https://technet.microsoft.com/en-us/sysinternals/bb896656.aspx) confirms this. However, I'd like to have these tested on Windows 8, 8.1, and 10 if possible (which I don't have access to), or at least have someone else verify that these work on the Windows Server versions I noted above.

Windows XP is not supported by these binaries.

The binaries were built from this patched source tree on Windows 7:

The following command was used:

Z:\workspace\lua-5.1.5\src> cl *.c -o lua.exe

I did some additional testing, and these Windows binaries seem to work fine. I verified that the binary can run and execute basic Lua code.

I tested lua_x86.exe on:
Windows 8 Enterprise x86
Windows 8.1 Enterprise x86
Windows 10 Enterprise x86

I tested lua_x64.exe on:
Windows 7 x64
Windows 8 Enterprise x64
Windows 8.1 Enterprise x64
Windows 10 Enterprise x64
Windows Server 2008 x64
Windows Server 2012 x64

I think we're good to release these now.

@dpatrick was going to test this one more time, then we should just get this out.

@demon, since lua isn't bundled, this is just push to gerrit, and announce on wikitech-l/mediawiki-l, right?

I don't see any reason not to make it public.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 24 2017, 5:53 PM
Legoktm changed the edit policy from "Custom Policy" to "All Users".