Page MenuHomePhabricator
Create Task
Maniphest T72541

Upgrade Lua bundled binary for CVE-2014-5461
Closed, ResolvedPublic
Actions

Assigned To
dpatrick
Authored By
tstarling
Sep 8 2014, 12:26 AM
Tags
Referenced Files
F2974065: lua_x64.exe
Nov 19 2015, 2:24 AM
F2974072: lua-5.1.5.tar.gz
Nov 19 2015, 2:24 AM
F2974064: lua_x86.exe
Nov 19 2015, 2:24 AM
F2970207: lua
Nov 17 2015, 6:23 PM
F15276: lua_64
Nov 22 2014, 3:57 AM
F15275: lua_32
Nov 22 2014, 3:57 AM
Subscribers
Aklapper
csteipp
demon
Legoktm
siebrand
tstarling

Description

Brad did the last recompilation of the Lua binaries for Linux, on a system with an old libc, so maybe he could do this one too. It is a one line patch to fix a possible internal stack overflow:

--- lua5.1-5.1.5.orig/src/ldo.c	2012-01-17 21:27:10.000000000 -0500
+++ lua5.1-5.1.5/src/ldo.c	2014-09-02 12:01:46.575057692 -0400
@@ -274,7 +274,7 @@
     CallInfo *ci;
     StkId st, base;
     Proto *p = cl->p;
-    luaD_checkstack(L, p->maxstacksize);
+    luaD_checkstack(L, p->maxstacksize + p->numparams);
     func = restorestack(L, funcr);
     if (!p->is_vararg) {  /* no varargs? */
       base = func + 1;

There has not been an upstream release. It appears that luabinaries.sourceforge.net has not yet been updated, so we may need to compile our own Windows and Mac OS X binaries.

Details

Reference
bz70541
SubjectRepoBranchLines +/-
Update lua binaries to patch CVE-2014-5461mediawiki/extensions/Scribuntomaster+10 -8
Customize query in gerrit

Related Objects

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:57 AM
bzimport added a project: Security-Extensions.
bzimport set Reference to bz70541.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "acl*security (Project)". · View Herald TranscriptNov 22 2014, 3:57 AM
Restricted Application changed the edit policy from "All Users" to "acl*security (Project)". · View Herald Transcript
tstarling created this task.Sep 8 2014, 12:26 AM
Anomie added a comment.Sep 8 2014, 2:20 PM

(In reply to Tim Starling from comment #0)

Brad did the last recompilation of the Lua binaries for Linux, on a system
with an old libc, so maybe he could do this one too.

Doing it now.

For future reference (in case someday not-me needs to do this), the process is simple enough: download the CentOS 5 netinst CD images for i386 and x86_64, install each in appropriately-configred VMs, and then download the Lua 5.1 sources, patch, and compile.

Anomie added a comment.Sep 8 2014, 2:44 PM

Created attachment 16401
Lua 5.1.5 with patch, compiled on CentOS 5.10 32-bit

Attached:

lua_32167 KBDownload

Anomie added a comment.Sep 8 2014, 2:44 PM

Created attachment 16402
Lua 5.1.5 with patch, compiled on CentOS 5.10 64-bit

Attached:

lua_64190 KBDownload

csteipp added a comment.Oct 8 2014, 12:32 AM

Are these binaries public yet? I'm sending out an announcement for security updates to extensions soon, and it would be great to include this.

Anomie added a comment.Oct 8 2014, 1:48 PM

I think we're currently blocked on building similarly-patched binaries for Windows and OS X.

csteipp added a project: acl*security.Nov 24 2014, 9:27 PM
Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy". · View Herald TranscriptNov 24 2014, 9:27 PM
Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy". · View Herald Transcript
dpatrick claimed this task.Aug 13 2015, 6:11 PM
dpatrick triaged this task as High priority.
dpatrick added a project: Security-Team.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 13 2015, 6:11 PM
csteipp added a project: Vuln-VulnComponent.Aug 20 2015, 9:25 PM
Anomie merged a task: Restricted Task.Oct 9 2015, 6:37 PM
Anomie added a project: Scribunto.
Anomie added a subscriber: siebrand.
dpatrick moved this task from Incoming to In Progress on the Security-Team board.Oct 13 2015, 11:58 PM
dpatrick added a comment.Nov 10 2015, 10:42 PM

@Anomie, @tstarling, have the binaries for Windows and OS X been built? Is this still relevant?

dpatrick moved this task from In Progress to Waiting on the Security-Team board.Nov 10 2015, 10:43 PM
dpatrick added a comment.Nov 10 2015, 11:13 PM

CVE Details indicates that the stack overflow is fixed as of Lua 5.2.3. Rather than building OS X and Windows binaries ourselves, can we upgrade the version of Lua bundled with Scribunto to 5.2.3 from luabinaries.sourceforge.net?

Anomie added a comment.Nov 10 2015, 11:50 PM
In T72541#1797879, @dpatrick wrote:

@Anomie, @tstarling, have the binaries for Windows and OS X been built?

Not that I know of.

Is this still relevant?

Probably.

In T72541#1797969, @dpatrick wrote:

CVE Details indicates that the stack overflow is fixed as of Lua 5.2.3. Rather than building OS X and Windows binaries ourselves, can we upgrade the version of Lua bundled with Scribunto to 5.2.3 from luabinaries.sourceforge.net?

I believe that would need a rewrite of the sandboxing for how the concept of environment changed between 5.1 and 5.2.

dpatrick added a comment.Nov 14 2015, 4:31 AM
In T72541#1798063, @Anomie wrote:
In T72541#1797969, @dpatrick wrote:

CVE Details indicates that the stack overflow is fixed as of Lua 5.2.3. Rather than building OS X and Windows binaries ourselves, can we upgrade the version of Lua bundled with Scribunto to 5.2.3 from luabinaries.sourceforge.net?

I believe that would need a rewrite of the sandboxing for how the concept of environment changed between 5.1 and 5.2.

Okay. Do you know of someone at the foundation or in the community who has previously built Windows and OS X binaries for distribution who might be able to patch and build 5.1.5 for us?

Anomie added a comment.Nov 14 2015, 12:59 PM
In T72541#1805293, @dpatrick wrote:

Do you know of someone at the foundation or in the community who has previously built Windows and OS X binaries for distribution who might be able to patch and build 5.1.5 for us?

The OS X binary was added in https://gerrit.wikimedia.org/r/#/c/9956/, so you might ask TheDJ if he built them himself or downloaded them somewhere. The Windows binaries were downloaded.

The build is (probably) simple enough if someone has access to a machine with the appropriate OS and a C compiler. See INSTALL in the Lua 5.1 sources.

  • On OS X you should be able to build with make macosx, although make generic might be better for us (see documentation in Scribunto's engines/LuaStandalone/binaries/ directory) and is probably what was used based on the directory name being "lua5_1_5_mac_lion_fat_generic". Chances are Lion or the next oldest OS version available would be most useful for the same reason we use CentOS 5 to build the Linux binaries.
  • As for Windows, the advice in INSTALL comes down to "load almost everything in one project and compile etc/all.c", and there's a script for Visual Studio .NET users (although I don't know whether that builds a standalone binary or a binary depending on a lua51.dll). Again, if applicable, it may be useful to depend on msvcr80.dll rather than a newer msvcr version.
dpatrick added a comment.Nov 16 2015, 7:23 PM

@Anomie, thanks. This is helpful.

In T72541#1805584, @Anomie wrote:
  • On OS X you should be able to build with make macosx, although make generic might be better for us (see documentation in Scribunto's engines/LuaStandalone/binaries/ directory) and is probably what was used based on the directory name being "lua5_1_5_mac_lion_fat_generic". Chances are Lion or the next oldest OS version available would be most useful for the same reason we use CentOS 5 to build the Linux binaries.

I think I have an old Mac mini with a fresh installation Lion or Mountain Lion. I'll try building it there.

  • As for Windows, the advice in INSTALL comes down to "load almost everything in one project and compile etc/all.c", and there's a script for Visual Studio .NET users (although I don't know whether that builds a standalone binary or a binary depending on a lua51.dll). Again, if applicable, it may be useful to depend on msvcr80.dll rather than a newer msvcr version.

I'll look into building this in a VM. I may have an XP or Vista VM with appropriate tools, and if not, may be able to build it in a trial version.

dpatrick added a comment.Nov 17 2015, 6:23 PM

Here is lua-5.1.5, patched, and built on OS X Lion:

lua196 KBDownload

This binary is linked exactly the same way as the version in git:

$ otool -L lua
lua:
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.1.0)
dpatrick added a comment.Nov 19 2015, 1:06 AM

Do we need to support XP here? We don't, do we, since Microsoft no longer officially supports it. My binaries don't work on XP for some reason.

dpatrick added a comment.Nov 19 2015, 2:24 AM

The attached Windows binaries have been verified to work on Windows 7, Windows Server 2008, and Windows Server 2012. MWServer was started with the following invocation:

C:\Path\To\Scribunto\engines\LuaStandalone> C:\Path\To\lua_x64.exe mw_main.lua C:\Path\To\Scribunto 1234

The binaries were built from the x86 and x64 developer command lines configured Visual Studio Community 2015. The binaries have not been linked against vcruntime140.dll (https://www.microsoft.com/en-us/download/details.aspx?id=40784). ListDLLs (https://technet.microsoft.com/en-us/sysinternals/bb896656.aspx) confirms this. However, I'd like to have these tested on Windows 8, 8.1, and 10 if possible (which I don't have access to), or at least have someone else verify that these work on the Windows Server versions I noted above.

Windows XP is not supported by these binaries.

lua_x86.exe400 KBDownload

lua_x64.exe472 KBDownload

The binaries were built from this patched source tree on Windows 7:

lua-5.1.5.tar.gz213 KBDownload

The following command was used:

Z:\workspace\lua-5.1.5\src> cl *.c -o lua.exe
dpatrick added a comment.EditedDec 8 2015, 11:04 PM

I did some additional testing, and these Windows binaries look seem to work fine. I verified that binary can run and execute basic lua code.

I tested lua_x86.exe on:
Windows 8 Enterprise x86
Windows 8.1 Enterprise x86
Windows 10 Enterprise x86

I tested lua_x64.exe on:
Windows 7 x64
Windows 8 Enterprise x64
Windows 8.1 Enterprise x64
Windows 10 Enterprise x64
Windows Server 2008 x64
Windows Server 2012 x64

I think we're good to release these now.

dpatrick moved this task from Waiting to In Progress on the Security-Team board.Feb 9 2016, 10:09 PM
csteipp added a subscriber: demon.Feb 11 2016, 6:22 PM

@dpatrick was going to test this one more time, then we should just get this out.

@demon, since lua isn't bundled, this is just push to gerrit, and announce on wikitech-l/mediawiki-l, right?

dpatrick added a comment.Feb 22 2016, 5:18 PM

These binaries have now been committed: https://gerrit.wikimedia.org/r/272496

Anomie closed this task as Resolved.Feb 22 2016, 5:49 PM

\o/

Legoktm subscribed.Jun 24 2017, 3:50 AM

This task is linked in https://phabricator.wikimedia.org/diffusion/ELUA/browse/master/engines/LuaStandalone/binaries/ but is still private. Is it OK to make public?

Anomie updated the task description. (Show Details)Jun 24 2017, 11:21 AM

I don't see any reason not to make it public.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 24 2017, 5:53 PM
Legoktm changed the edit policy from "Custom Policy" to "All Users".
Anomie mentioned this in T191737: Bundle Scribunto extension with MediaWiki.Apr 18 2018, 2:54 PM
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:06 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL