lua-l archive

On May 14, 2014, at 3:27 AM, steve donovan <steve.j.donovan@gmail.com> wrote:

> As for the original "static linking is a security problem" theme, the
> reality is that Lua is not regarded as critical infrastructure for the
> Linux distros. So SSH fixes will get pushed up as emergencies, but not
> the Lua shared libraries - I think in Debian we're still at Lua 5.2.0.

The shared library ABI is still at version "0", but the wheezy liblua5.2 package version is "5.2.1.3", which is built from Lua 5.2.1.

lua-expat looks like it was pushed into wheezy-security to fix XML entity expansion problems, which are particularly nasty denial of service attacks. I think services like Prosody could have written their own ad-hoc filters, but it was better to fix it in one spot. If there were security-sensitive bugs best fixed by a patch to liblua.so, I'd expect that to go to wheezy-security too.

What would such a bug look like, though? Perhaps a denial of service attack based on attempts to decode illegal UTF-8 sequences. One could and should patch all of the callpoints to detect such sequences; it's not the same as the expat situation. But software is brittle, and correct handling of UTF-8 is not easy to determine through local inspection. Debian might find it cost-effective to add a backstop to a hypothetical liblua.so to avoid spinning in C primitives.

This is strictly hypothetical, of course. :-)

Jay
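As an added illustration of the failure mode sketched above (example code written for this page, not code from Lua, from Debian or from anyone in this thread): a minimal UTF-8 decoder in C whose one contract is forward progress. Every call that is given at least one byte consumes at least one byte, and an illegal sequence is reported through a sentinel rather than retried, so a caller looping over attacker-supplied bytes cannot spin. The function names, the UTF8_INVALID sentinel, the wrappers and the sample byte strings are all constructed here; Lua 5.2 ships no utf8 library and none of this is liblua code.

```c
/* Added example (not Lua's own code): a UTF-8 decoder whose contract is
   forward progress, so a loop over untrusted bytes cannot spin on illegal
   sequences. Build: cc -std=c99 -o utf8_step utf8_step.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UTF8_INVALID 0xFFFFFFFFu   /* not a code point; marks an illegal sequence */

/* Decode one sequence from s (n bytes available). Sets *cp to the code point,
   or UTF8_INVALID for an illegal sequence, and returns the bytes consumed.
   The return value is >= 1 whenever n >= 1: an illegal lead byte consumes
   itself, and a truncated or broken sequence consumes the bytes examined so
   far. A decoder that returned 0 for bad input is the hypothetical spin. */
size_t utf8_decode_step(const unsigned char *s, size_t n, uint32_t *cp)
{
    size_t len, i;
    uint32_t min;
    unsigned char c;
    if (n == 0) return 0;
    c = s[0];
    if (c < 0x80) { *cp = c; return 1; }
    if ((c & 0xE0) == 0xC0)      { len = 2; *cp = c & 0x1F; min = 0x80;    }
    else if ((c & 0xF0) == 0xE0) { len = 3; *cp = c & 0x0F; min = 0x800;   }
    else if ((c & 0xF8) == 0xF0) { len = 4; *cp = c & 0x07; min = 0x10000; }
    else { *cp = UTF8_INVALID; return 1; }  /* stray continuation or 0xF8..0xFF */

    for (i = 1; i < len; i++) {
        if (i >= n || (s[i] & 0xC0) != 0x80) { *cp = UTF8_INVALID; return i; }
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    /* Reject overlong forms, UTF-16 surrogates and values above U+10FFFF. */
    if (*cp < min || (*cp >= 0xD800 && *cp <= 0xDFFF) || *cp > 0x10FFFF)
        *cp = UTF8_INVALID;
    return len;
}

/* Walk buf, returning the number of decoded units and writing the number of
   illegal sequences to *bad. Terminates for any input because every
   iteration advances pos by at least one byte; the adv == 0 guard is the
   kind of backstop the message speculates about, should a decoder ever
   report zero progress. */
size_t utf8_scan(const unsigned char *buf, size_t n, size_t *bad)
{
    size_t pos = 0, count = 0;
    *bad = 0;
    while (pos < n) {
        uint32_t cp;
        size_t adv = utf8_decode_step(buf + pos, n - pos, &cp);
        if (adv == 0) adv = 1;
        if (cp == UTF8_INVALID) (*bad)++;
        count++;
        pos += adv;
    }
    return count;
}

/* Thin wrappers over string literals, used by the samples below. */
size_t utf8_units(const char *s, size_t n) { size_t b; return utf8_scan((const unsigned char *)s, n, &b); }
size_t utf8_bad(const char *s, size_t n)   { size_t b; utf8_scan((const unsigned char *)s, n, &b); return b; }
uint32_t utf8_first(const char *s, size_t n) { uint32_t cp; utf8_decode_step((const unsigned char *)s, n, &cp); return cp; }
size_t utf8_first_len(const char *s, size_t n) { uint32_t cp; return utf8_decode_step((const unsigned char *)s, n, &cp); }

int main(void)
{
    /* Constructed samples: one valid string and five illegal sequences. */
    struct { const char *label; const char *s; size_t n; } samples[] = {
        { "valid: h C3 A9 l l o",         "h\xC3\xA9llo",     6 },
        { "truncated U+20AC (E2 82)",     "\xE2\x82",         2 },
        { "stray continuation (80)",      "\x80",             1 },
        { "overlong NUL (C0 80)",         "\xC0\x80",         2 },
        { "surrogate U+D800 (ED A0 80)",  "\xED\xA0\x80",     3 },
        { "U+110000 (F4 90 80 80)",       "\xF4\x90\x80\x80", 4 },
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bad, units = utf8_scan((const unsigned char *)samples[i].s, samples[i].n, &bad);
        printf("%-30s units=%zu illegal=%zu\n", samples[i].label, units, bad);
    }
    return 0;
}
```

The property worth checking in any decoder that sits under a network-facing service is the one utf8_scan relies on: for n >= 1 the step function never returns 0, whatever the bytes are. A decoder that instead rejects a bad lead byte without consuming it, and a caller that retries from the same offset, is exactly the tight loop the message describes, and it is reachable from a single crafted byte.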