[Bug 2177239] New: Lua scripts use an unsafe package path
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2177239
Bug ID: 2177239
Summary: Lua scripts use an unsafe package path
Product: Fedora
Version: 37
Status: NEW
Component: lua
Assignee: spotrh(a)gmail.com
Reporter: arstoffel(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: 4le(a)live.com, drjohnson1(a)gmail.com,
lua-packagers-sig(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, michel(a)michel-slm.name,
spotrh(a)gmail.com
Target Milestone: ---
Classification: Fedora
Description of problem:
By default, Lua allows loading code from the current directory, and Fedora
doesn't change this in packaged scripts installed in the system path. This has
security implications.
Steps to Reproduce:
1. Install any package that provides a #!/usr/bin/lua script, such as (but not
limited to) luarocks
2. In the terminal: echo 'os.execute("echo rm -rf /")' > lfs.lua; luarocks --version
Actual results:
$ luarocks --version
rm -rf /
/usr/bin/lua: /usr/share/lua/5.4/luarocks/fs/lua.lua:299: attempt to index a boolean value (upvalue 'lfs')
stack traceback:
	/usr/share/lua/5.4/luarocks/fs/lua.lua:299: in function 'luarocks.fs.lua.current_dir'
	(...tail calls...)
	/usr/share/lua/5.4/luarocks/fs/unix.lua:50: in function 'luarocks.fs.unix.absolute_name'
	(...tail calls...)
	/usr/share/lua/5.4/luarocks/fs/linux.lua:8: in function 'luarocks.fs.linux.is_dir'
	(...tail calls...)
	/usr/share/lua/5.4/luarocks/fs/lua.lua:193: in function 'luarocks.fs.lua.dir'
	(...tail calls...)
	/usr/share/lua/5.4/luarocks/fs/lua.lua:177: in function 'luarocks.fs.lua.list_dir'
	(...tail calls...)
	/usr/share/lua/5.4/luarocks/fs/lua.lua:229: in function 'luarocks.fs.lua.modules'
	(...tail calls...)
	/usr/share/lua/5.4/luarocks/cmd.lua:511: in function 'luarocks.cmd.run_command'
	/home/augusto/Projects/digestif/.luarocks/lib/luarocks/rocks-5.4/luarocks/3.9.2-1/bin/luarocks:35: in main chunk
	[C]: in ?
Expected results:
$ luarocks --version
/usr/bin/luarocks 3.9.1
LuaRocks main command-line interface
Additional info:
I'm using the following fix on a Lua program I maintain:
#!/usr/bin/env lua
-- Remove relative directories from package path
-- (drop every ';'-separated entry that begins with '.', then collapse the
-- duplicate, leading and trailing separators that deletion leaves behind)
package.path = package.path:gsub("%f[^\0;]%.[^;]*", ""):gsub(";+", ";"):gsub("^;", ""):gsub(";$", "")
package.cpath = package.cpath:gsub("%f[^\0;]%.[^;]*", ""):gsub(";+", ";"):gsub("^;", ""):gsub(";$", "")
Fedora can probably do better and use hardcoded package.path and cpath values,
since these are known in advance.
Scripts with the #!/usr/bin/texlua shebang also might be affected by this
issue. Since texlua provides an alternative method to find packages based on
kpathsea, something like this should be used as well:
os.setenv("TEXMFDOTDIR", "/dev/null")
However, this last modification will break programs that expect to find TeX
files in the current directory. I don't know of a more fine grained way that
would allow that but still exclude random Lua libraries from being found.
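A more general form of the package.path cleanup, added here as an example and not part of the reporter's snippet or of any Fedora package: it drops every search-path entry that is not absolute (the pattern above only matches entries that begin with '.'), reports what it removed, and is exercised on constructed sample values before being applied to the live interpreter. The sample path strings and the /usr/lib64 layout in them are assumptions, not values taken from this report.

```lua
#!/usr/bin/env lua
-- Added example, not the reporter's snippet or Fedora's packaging: audit the
-- Lua module search paths and drop every entry that is not absolute, so a
-- script cannot pick up modules from whatever directory it was started in.
-- Only the Lua 5.4 standard library is used.

-- Split a ';'-separated search path template into its entries.
local function split_path(path)
  local entries = {}
  for entry in path:gmatch("[^;]+") do
    entries[#entries + 1] = entry
  end
  return entries
end

-- An entry is unsafe when it is not an absolute path: "./?.lua", "?.lua",
-- "../?.lua" and "lib/?.so" all resolve against the current working directory.
local function is_relative(entry)
  return entry:sub(1, 1) ~= "/"
end

-- Return a copy of `path` without relative entries, plus the list of entries
-- that were dropped so the caller can log them.
local function strip_relative(path)
  local kept, dropped = {}, {}
  for _, entry in ipairs(split_path(path)) do
    if is_relative(entry) then
      dropped[#dropped + 1] = entry
    else
      kept[#kept + 1] = entry
    end
  end
  return table.concat(kept, ";"), dropped
end

-- Report which relative entries a path would allow, without modifying it.
local function relative_entries(path)
  local _, dropped = strip_relative(path)
  return dropped
end

-- Constructed sample inputs (assumed values): the shape of the stock Lua 5.4
-- defaults on a /usr/share + /usr/lib64 layout. On a real system inspect
-- package.path and package.cpath directly instead.
local sample_path = "/usr/share/lua/5.4/?.lua;/usr/share/lua/5.4/?/init.lua;"
  .. "/usr/lib64/lua/5.4/?.lua;/usr/lib64/lua/5.4/?/init.lua;"
  .. "./?.lua;./?/init.lua"
local sample_cpath = "/usr/lib64/lua/5.4/?.so;/usr/lib64/lua/5.4/loadall.so;./?.so"

local cleaned_path, dropped_path = strip_relative(sample_path)
assert(#dropped_path == 2, "expected two relative entries in the sample path")
assert(dropped_path[1] == "./?.lua" and dropped_path[2] == "./?/init.lua")
assert(cleaned_path == "/usr/share/lua/5.4/?.lua;/usr/share/lua/5.4/?/init.lua;"
  .. "/usr/lib64/lua/5.4/?.lua;/usr/lib64/lua/5.4/?/init.lua")
local rel_c = relative_entries(sample_cpath)
assert(#rel_c == 1 and rel_c[1] == "./?.so")

-- Harden the running interpreter. Do this before the first require(), because
-- a module already loaded from the working directory stays in package.loaded.
local dropped
package.path, dropped = strip_relative(package.path)
for _, entry in ipairs(dropped) do
  io.stderr:write("removed relative package.path entry: ", entry, "\n")
end
package.cpath, dropped = strip_relative(package.cpath)
for _, entry in ipairs(dropped) do
  io.stderr:write("removed relative package.cpath entry: ", entry, "\n")
end

-- Any module loaded from here on comes only from the absolute locations that
-- remain; a stray lfs.lua or lfs.so in the working directory is never consulted.
print("package.path  = " .. package.path)
print("package.cpath = " .. package.cpath)
```

Both paths need the cleanup, not just package.path: the searchers in package.searchers run the Lua-file searcher (package.path) before the C-library searcher (package.cpath), which is why a plain lfs.lua in the working directory wins over the system's compiled lfs module in the traceback above, and a ./?.so entry in package.cpath would let an lfs.so do the same. The cleanup has to run as the first statement of the script; anything the interpreter loaded earlier (for example via LUA_INIT) is already in package.loaded and is not affected.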