Thank you, Kim,
I hadn't actually closely looked at this code before. It's basically
using eval on code fetched over the wire, without even TLS to protect
against MITM attacks. I agree that this is a very serious vulnerability
(potentially a remote code execution exploit with all the permissions of
I suggest that ASAP we release a 0.61 release without the update check
feature, and try to reach people to disable the update check in the meantime,
until we can write a version that does not execute the fetched result.
Stephen E. Baker
On 6/17/2016 4:21 PM, Kim Alvefur wrote:
> I saw your LuaSocket bug, and had a look at the code linked.
> This caught my eye:
> It looks like it is downloading Lua code over HTTP and executing it.
> That's pretty bad, even if loaded into an empty environment, especially
> as it does not disallow bytecode.
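The two patterns discussed in this thread, as an added illustration that is not code from the project in question or from either author. It assumes Lua 5.2 or later (where `load()` takes a mode argument); the response bodies are constructed samples, and `CURRENT` is a placeholder version.

```lua
-- Added example, not the project's code. Assumes Lua 5.2+ (load() with
-- a mode argument). Response bodies below are constructed samples.

-- The pattern the mail describes: the HTTP response body is executed.
-- Mode "t" refuses bytecode and {} gives an empty environment, but over
-- plain HTTP anyone on the path can replace the body with an arbitrary
-- chunk; the empty environment limits what it can reach, not whether
-- it runs. This is kept only to contrast with the safe version below.
local function unsafe_check(body)
  local chunk = load(body, "=update", "t", {})  -- "t": text chunks only
  return chunk and chunk()
end

-- Replacement: treat the body as data, never as code. Only a line of
-- the exact form "version=<major>.<minor>" is accepted.
local function parse_version(body)
  local major, minor = body:match("^version=(%d+)%.(%d+)%s*$")
  if not major then return nil, "malformed version response" end
  return { tonumber(major), tonumber(minor) }
end

local function is_newer(remote, current)
  if remote[1] ~= current[1] then return remote[1] > current[1] end
  return remote[2] > current[2]
end

local CURRENT = { 0, 61 }  -- placeholder for the running version

-- Constructed sample responses, not captured from any real server.
assert(parse_version("version=0.62\n")[2] == 62)
assert(is_newer(parse_version("version=0.62\n"), CURRENT))
assert(not is_newer(parse_version("version=0.61"), CURRENT))
assert(not parse_version("print('hello')"))          -- code, rejected
assert(not parse_version("version=0.62; os.exit()")) -- trailing text

-- Mode "t" rejects a binary chunk (string.dump emits bytecode); the
-- first return value is nil and the second is the error message.
assert(not load(string.dump(function() end), "=bc", "t", {}))
```

Even the data-only check should be fetched over HTTPS (LuaSocket needs LuaSec for that) so the version string itself cannot be tampered with in transit.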