oss-sec mailing list archives

Re: Lua 5.1.4

From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 24 Mar 2009 18:10:02 -0400 (EDT)


Note that the typical CVE criterion for flagging language-interpreter bugs
is that they should be exploitable/reachable through the language API in
reasonable scenarios for the application.  Otherwise, it's the application
developer attacking himself/herself.  I know nothing about Lua so can't
interpret items like #6 and #8, whereas you could imagine malicious input
being processed by unpack().

- Steve

Current thread:

Lua 5.1.4 Kees Cook (Mar 24)
- Re: Lua 5.1.4 Steven M. Christey (Mar 24)
- Re: Lua 5.1.4 Florian Weimer (Mar 25)