Bug 1123043 - (CVE-2019-6706) VUL-0: CVE-2019-6706: lua53: lua use-after-free in lua_upvaluejoin in lapi.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/223610/
CVSSv3:SUSE:CVE-2019-6706:5.5:(AV:L/A...
Reported: 2019-01-24 12:47 UTC by Alexandros Toptsoglou
Modified: 2021-06-09 22:05 UTC
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-01-24 12:47:14 UTC
Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a
crash outcome might be achieved by an attacker who is able to trigger a
debug.upvaluejoin call in which the arguments have certain relationships.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1669031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6706
http://www.cvedetails.com/cve/CVE-2019-6706/
http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html
Comment 1 Alexandros Toptsoglou 2019-01-24 12:54:38 UTC
For this bug, only instances of Lua 5.3.X are affected. I tried to run the POC with the rest of the versions that we support (5.1.X and 5.2.X), but no crash occurred. Thus only the lua53 package is affected in SLE15.
More information regarding the fix, the POC and the bug can be found at [1].

[1] http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html
Comment 3 Matej Cepl 2019-01-25 12:29:11 UTC
Just to add that the vulnerability of this bug should be reevaluated. I have made a fix already and I am discussing it upstream (http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html), but it seems like this is a mostly theoretical attack, and besides, if somebody has access to the debug interface, all is lost anyway.
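
Added example, not part of the original bug report and not SUSE's or the Lua project's code: since the issue is only reachable through a debug.upvaluejoin call, a Lua 5.3 host that runs untrusted scripts can load them in an environment that omits the debug library. The names SAFE_GLOBALS, make_env and run_untrusted are hypothetical, and the sample inputs are constructed.

```lua
-- Run untrusted Lua 5.3 source without exposing the debug library.
-- Hypothetical helper names; the allowlist is an assumption, adjust per host.

local SAFE_GLOBALS = {
  "assert", "error", "ipairs", "next", "pairs", "pcall",
  "select", "tonumber", "tostring", "type",
}

-- Shallow copy so the chunk cannot modify the host's library tables
-- through the environment it is given.
local function copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Build a fresh environment per run: no debug, no load/require/dofile,
-- no io or os, and no getmetatable/setmetatable.
local function make_env()
  local env = {}
  for _, name in ipairs(SAFE_GLOBALS) do env[name] = _G[name] end
  env.string = copy(string)
  env.table = copy(table)
  env.math = copy(math)
  return env
end

local function run_untrusted(source)
  -- Mode "t" makes load() refuse precompiled bytecode; the fourth argument
  -- becomes the chunk's _ENV, so globals resolve only against make_env().
  local chunk, err = load(source, "=untrusted", "t", make_env())
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed sample inputs.
-- An ordinary script still works inside the restricted environment.
print(run_untrusted("return math.max(1, 2)"))
-- 'debug' is nil in the environment, so indexing it raises an error that
-- pcall reports instead of reaching lua_upvaluejoin.
print(run_untrusted("local f = function() end; debug.upvaluejoin(f, 1, f, 1)"))
-- A binary chunk (starts with the ESC byte) is rejected by mode "t".
print(run_untrusted("\27Lua"))
```

This limits exposure of the debug interface only; it does not replace installing the fixed lua53 package.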
Comment 4 Swamp Workflow Management 2019-02-06 14:12:43 UTC
SUSE-SU-2019:0247-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123043
CVE References: CVE-2019-6706
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    lua53-5.3.4-3.3.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    lua53-5.3.4-3.3.2
Comment 5 Swamp Workflow Management 2019-02-14 14:13:12 UTC
openSUSE-SU-2019:0175-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123043
CVE References: CVE-2019-6706
Sources used:
openSUSE Leap 15.0 (src):    lua53-5.3.4-lp150.2.3.1
Comment 7 Alexandros Toptsoglou 2020-04-29 11:46:14 UTC
Done