Bug 1039249 - lua-5.3.2 is available
Summary: lua-5.3.2 is available
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: lua
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tim Niemueller
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2013-12-07 10:07 UTC by Upstream Release Monitoring
Modified: 2016-01-05 22:56 UTC (History)

Fixed In Version: lua-5.3.2-2.fc23 lua-5.3.2-2.fc22
Doc Type: Enhancement
Last Closed: 2015-12-14 10:20:12 UTC
Type: ---


Attachments:
[patch] Update to 5.3.1 (#1039249) (982 bytes, text/x-diff), 2015-06-17 12:58 UTC, Upstream Release Monitoring

Description Upstream Release Monitoring 2013-12-07 10:07:13 UTC
Latest upstream release: 5.2.3
Current version/release in Fedora Rawhide: 5.2.2-5.fc21
URL: http://www.lua.org/ftp/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring

Comment 1 ell1e 2014-08-18 15:06:48 UTC
Lua 5.2.2 has various security issues, amongst them this one (from lua.org/bugs):

function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
           p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
           p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
           p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
           p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
  local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
end

f()   -- crashes on some machines

An update would be very desirable, especially considering this has been unfixed in Fedora for almost a year(!) now.

A more general inquiry: is there a security update plan for Fedora regarding Lua bugs? (unrelated to regular Lua releases which are often issued only months after the bugs and their patches have been made public)

Waiting a year for the fix for publicly known interpreter crashes that produce an endless stream of GLIBC memory corruption warnings (sounds like possible code injection or other worse things might be possible?) seems quite undesirable.

Comment 2 ell1e 2014-08-18 15:08:03 UTC
(I forgot to mention this, the code above indeed crashes in Fedora's current Lua - and this bug has been known since April 2013 according to the Lua page, along with a bugfix/patch.)

Comment 3 Upstream Release Monitoring 2015-01-13 10:16:25 UTC
Latest upstream release: 5.3.0
Current version/release in Fedora Rawhide: 5.2.3-1.fc22
URL: http://www.lua.org/ftp/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy


More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring

Soon this service will be implemented by a new system: https://release-monitoring.org/
It will require managing monitored projects via a new web interface. Please make yourself familiar with the new system to ease the transition.

Comment 4 Upstream Release Monitoring 2015-02-21 21:29:16 UTC
till's lua-5.3.0-2.fc23 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=613727

Comment 5 Upstream Release Monitoring 2015-03-20 13:08:18 UTC
kalev's lua-5.3.0-3.fc23 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=621958

Comment 6 ell1e 2015-06-06 12:25:23 UTC
It has been almost a year now. If you forgot, this was originally labelled a security issue (CVE-2014-5461). Debian fixed it 2-3 days after I sent them an email about it, Ubuntu after a week.

Considering it's still not fixed in Fedora 21 (which hasn't reached End of Life, has it?), I'm very compelled to move on to some other distribution which takes security more seriously than just assigning a CVE number.

I know you fixed stuff like openssl's heartbleed pretty quick and of course this has less impact, but as a lua programmer this *is* impacting me, and especially compared to the other distributions I contacted about it (which all fixed it after a few DAYS) your reaction is somewhat disappointing.

Comment 7 Upstream Release Monitoring 2015-06-17 12:57:56 UTC
Latest upstream release: 5.3.1
Current version/release in rawhide: 5.3.0-3.fc23
URL: http://www.lua.org/ftp/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Comment 8 Upstream Release Monitoring 2015-06-17 12:58:10 UTC
Created attachment 1039928
[patch] Update to 5.3.1 (#1039249)

Comment 9 Upstream Release Monitoring 2015-12-02 00:41:36 UTC
Latest upstream release: 5.3.2
Current version/release in rawhide: 5.3.0-4.fc23
URL: http://www.lua.org/ftp/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Comment 10 Upstream Release Monitoring 2015-12-02 00:41:50 UTC
Failed to kick off scratch build.

spectool was unable to grab new sources

old source: lua-5.2.3.tar.gz
old sha256: 13c2fb97961381f7d06d5b5cea55b743c163800896fd5c5e2356201d3619002d

new source: ./lua-5.2.3.tar.gz
new sha256: 13c2fb97961381f7d06d5b5cea55b743c163800896fd5c5e2356201d3619002d

Comment 11 Upstream Release Monitoring 2015-12-11 05:55:13 UTC
fenris02's lua-5.3.2-1.fc24 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=704758

Comment 12 Upstream Release Monitoring 2015-12-11 19:11:16 UTC
spot's lua-5.3.2-2.fc24 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=704933

Comment 13 Fedora Update System 2015-12-11 19:18:39 UTC
lua-5.3.2-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-d68f8a1cba

Comment 14 Fedora Update System 2015-12-11 19:18:40 UTC
lua-5.3.2-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-5edf8033b3

Comment 15 Fedora Update System 2015-12-12 03:19:21 UTC
lua-5.3.2-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update lua'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-d68f8a1cba

Comment 16 Fedora Update System 2015-12-12 03:22:35 UTC
lua-5.3.2-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update lua'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-5edf8033b3

Comment 17 Fedora Update System 2015-12-14 10:20:04 UTC
lua-5.3.2-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-01-05 22:55:58 UTC
lua-5.3.2-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
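A version check against this bug's "Fixed In Version" field, as an added example that is not code from the bug report or from Fedora's tooling: it implements a simplified rpmvercmp-style comparison (assumption: epoch and the '~'/'^' markers are ignored) and reports whether an installed lua build is at or above the fixed build for its dist tag.

```python
# Added example (not from the bug report or Fedora tooling): decide whether an
# installed lua package is older than the "Fixed In Version" builds listed in
# this bug (lua-5.3.2-2.fc23 / lua-5.3.2-2.fc22), using an rpmvercmp-style
# segment comparison. Simplification (assumption): epoch, '~' and '^' are ignored.
import re

# Fixed builds taken from the bug's "Fixed In Version" field, keyed by dist tag.
FIXED_NVR = {"fc22": "lua-5.3.2-2.fc22", "fc23": "lua-5.3.2-2.fc23"}

# rpmvercmp splits on everything that is not alphanumeric, into digit runs and
# letter runs; everything else is only a separator.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def _segcmp(a, b):
    """Compare two version/release strings the way rpmvercmp does (simplified)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:                # numeric segments always beat alphabetic ones
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)   # strips leading zeros, compares numerically
        if x != y:
            return 1 if x > y else -1
    # Same prefix: whichever string still has segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr):
    """'lua-5.3.2-2.fc23' -> ('lua', '5.3.2', '2.fc23'); raises on malformed input."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def compare_nvr(a, b):
    """-1, 0 or 1 as package build a is older than, equal to or newer than b."""
    na, va, ra = split_nvr(a)
    nb, vb, rb = split_nvr(b)
    if na != nb:
        raise ValueError(f"different packages: {na} vs {nb}")
    return _segcmp(va, vb) or _segcmp(ra, rb)

def is_fixed(installed_nvr):
    """True when the installed lua build is at or above the fixed build for its
    dist tag. Builds whose tag is not covered by the bug (e.g. fc21) return False:
    no fixed build was published for them in this report."""
    _, _, release = split_nvr(installed_nvr)
    tag = release.rsplit(".", 1)[-1]
    fixed = FIXED_NVR.get(tag)
    return fixed is not None and compare_nvr(installed_nvr, fixed) >= 0
```

Feed it the output of `rpm -q lua` on the host being audited; the rawhide builds quoted in the comments above (5.2.2-5.fc21, 5.3.0-4.fc23) both come back as not fixed.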

