Comments (7)
Also, to be clear: Clink does not perform the vulnerable operation.
Malicious third party scripts might perform the vulnerable operation. But if you have malicious third party scripts running, then this vulnerability is pretty uninteresting since there are so many much worse things that malicious scripts can do.
In fact, I don't see any reason to even waste time fixing the CVE. Clink does not perform the vulnerable operation, so Clink by itself is not vulnerable.
The only way to become vulnerable would be to run a malicious script. And if a malicious script is somehow able to get run, then there's an infinite number of worse and more impactful things it can do simply by using Lua itself without exploiting any bugs.
This isn't even worth addressing as "defense in depth". Both "Security" and "Moderate" are misleading tags in this case.
from clink.
Thanks for the notification.
You can easily fix this vulnerability by referring to this patch.
No, the "easily" part is misleading, and I think it's based on an assumption without having looked at the 5.2 sources or the history between 5.2 and 5.4.
The vararg implementation in Lua was rewritten twice after 5.2.4 and before the commit that fixes the CVE:
- First rewrite: lua/lua@5c8770f
- Second rewrite: lua/lua@b137993
The cited patch relies on both of the rewrites (which look intertwined with other changes over time, as well).
from clink.
The issue is clearly not urgent, and I'll see about coming up with a fix over the next week or so.
from clink.
Sorry for the late reply. I'm busy searching for repos that have the same problem and trying to fix them. One of my PRs has been merged, and I know this CVE quite well right now.
Though this CVE barely affects clink, a fix for the potential negation overflow does no harm. If it's too busy for you to handle this, I'm glad to open a PR to fix it.
from clink.
For me the issue is the fix isn't a straight port, so I want to ensure the code is well understood (including by myself) and the fix is verifiable. Both that it solves the issue, and doesn't introduce regressions.
I agree there's no harm in fixing the issue even if it isn't a credible threat. But there would be harm in an incorrect fix, and so I don't want to accept a fix unless it either comes from the Lua org or is well understood by myself (because I'm responsible for the effects).
I partially understand the change, but not fully yet. I can't accept a PR until I sufficiently understand the surrounding code and the change.
from clink.
@chrisant996
I have some good news! The process of bringing this fix into Lua 5.2.4 based on an official source is a lot more straightforward than originally thought, as Lua 5.3.6 (the very last release of Lua 5.3, which was also released in the same month as 5.4.1) actually includes a fix for this bug, and funnily enough the implementation exactly matches the pull request linked to in this comment.
I ended up finding this out while comparing dates and doing diffs on releases of Lua, since minor releases/versions of Lua seem to be quite poorly documented as I'm not sure if changelogs even exist at all.
So in conclusion, for an official version of a fix for this bug that's way easier to properly translate into Lua 5.2.4, simply do a diff of ldebug.c between Lua 5.3.5 and Lua 5.3.6, or simply look at libretro/RetroArch#16190 since it ends up being identical.
And also, the only difference between the area of code in Lua 5.2 and Lua 5.3 that the fix targets is cast_int, which was introduced in this commit during Lua 5.3's development: lua/lua@e723c75
Oh, and as a final extra note: I guess the Lua 5.3 version of this fix doesn't show up in the Lua GitHub mirror since it only tracks the development branch, but the Lua 5.3 version of this fix appears in the Lua GitHub mirror under the v5.3 branch here (I just found this out): lua/lua@b5bc898
from clink.
@goodusername123 ah that's great, thanks! I'll take a look tonight and then merge it.
from clink.