oss-sec mailing list archives
Re: Lua 5.1.4
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 24 Mar 2009 18:10:02 -0400 (EDT)
Note that the typical CVE criterion for flagging language-interpreter bugs is that they should be exploitable/reachable through the language API in reasonable scenarios for the application. Otherwise, it's the application developer attacking himself/herself. I know nothing about Lua so can't interpret items like #6 and #8, whereas you could imagine malicious input being processed by unpack(). - Steve
Current thread:
- Lua 5.1.4 Kees Cook (Mar 24)
- Re: Lua 5.1.4 Steven M. Christey (Mar 24)
- Re: Lua 5.1.4 Florian Weimer (Mar 25)