Re: CorsixTH issue


Stephen E. Baker

Jun 17, 2016, 4:49:49 PM6/17/16
to Kim Alvefur,
Thank you Kim,

I hadn't actually closely looked at this code before. It's basically
using eval on code fetched over the wire, without even TLS to protect
against MITM attacks. I agree that this is a very serious vulnerability
(potentially a remote code execution exploit with all the permissions of
the user).

I suggest that ASAP we release a 0.61 release without the update check
feature, and try to reach people to disable the update check in the
meantime, until we can write a version that does not execute the fetched result.

Stephen E. Baker

On 6/17/2016 4:21 PM, Kim Alvefur wrote:
> Hi!
> I saw your LuaSocket bug, and had a look at the code linked.
> This caught my eye:
> It looks like it is downloading Lua code over HTTP and executing it.
> That's pretty bad, even if loaded into an empty environment, especially
> as it does not disallow bytecode.

Edwin Smulders

Jun 17, 2016, 4:53:34 PM6/17/16
to Kim Alvefur
Hi Stephen,

How do you imagine an updater working if you do not execute anything it downloads?
I suggest a proper TLS connection and perhaps even signing the code it downloads.



Stephen E. Baker

Jun 17, 2016, 5:38:33 PM6/17/16

It just sends a version number, link, and change log. We can pull that info out by reading the string. Even simpler if instead of a table we used a delimited file like:
0.60\n list of changes.

The download link itself should be TLS. I don't see the value in sending it over the wire myself. As is it just redirects to
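
Stephen's proposal, sketched in Lua as an added example (this is not CorsixTH's code and not anything posted in the thread). It assumes a Lua 5.1 runtime (`loadstring`/`setfenv`), that the update check returns a body of the form "version\nchangelog" as suggested above, and that the fetch itself happens elsewhere; `unsafe_check`, `parse_update_info` and the sample bodies are constructed for illustration.

```lua
-- Added example, not CorsixTH code. Shows the pattern Kim flagged next to
-- a version that treats the fetched body as data and never executes it.

-- The pattern under discussion: compile and run whatever came back over HTTP.
-- An empty environment does not help on its own: loadstring also accepts a
-- precompiled chunk (body starting with "\27Lua"), and crafted bytecode is
-- not constrained by the environment the way source text is.
local function unsafe_check(body)
  local chunk = loadstring(body)          -- compiles source OR bytecode
  if not chunk then return nil end
  setfenv(chunk, {})                      -- "empty environment"
  return chunk()                          -- executes attacker-controlled code
end

-- Hardened replacement: a strict parser for "MAJOR.MINOR[.PATCH]\n<changelog>".
-- Nothing is compiled; anything that is not a numeric version line is rejected,
-- which also covers Lua source and bytecode bodies.
local function parse_version(s)
  local major, minor, patch = s:match("^(%d+)%.(%d+)%.?(%d*)$")
  if not major then return nil end
  return { tonumber(major), tonumber(minor), tonumber(patch) or 0 }
end

local function newer_than(a, b)
  for i = 1, 3 do
    if a[i] ~= b[i] then return a[i] > b[i] end
  end
  return false
end

local function parse_update_info(body)
  if type(body) ~= "string" or #body == 0 or #body > 64 * 1024 then
    return nil, "empty or oversized response"
  end
  local first, rest = body:match("^([^\n]*)\n?(.*)$")
  local version = parse_version(first)
  if not version then
    return nil, "malformed version line"
  end
  -- Changelog is displayed as plain text; drop control characters other than
  -- newlines so a hostile server cannot smuggle terminal escapes into the UI.
  local changelog = rest:gsub("%c", function(c)
    return c == "\n" and c or ""
  end)
  return { version = version, changelog = changelog }
end

-- Constructed sample bodies (not real server responses).
local CURRENT = parse_version("0.60")
local good = "0.61\n- update check no longer executes fetched data\n- misc fixes"
local evil = "return os.execute('echo pwned')"

local info, err = parse_update_info(good)
assert(info and newer_than(info.version, CURRENT), err)
assert(info.changelog:find("update check", 1, true))

local bad, bad_err = parse_update_info(evil)
assert(bad == nil and bad_err == "malformed version line")

-- Executing the same body with the old approach would run os.execute;
-- the parser above never reaches loadstring at all.
print("newer version available: " .. table.concat(info.version, "."))
```

Parsing instead of evaluating removes the code-execution path entirely; TLS on the check (and on the embedded download link) is still worthwhile so that a network attacker cannot swap the version number or point users at a different URL, but it is no longer what stands between a MITM and code execution.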

Edwin Smulders

Jun 17, 2016, 5:45:23 PM6/17/16
Yep, I agree. For the rest of the people (Stephen just explained this to me on IRC) the current approach downloads a Lua table containing some version information and evals it. I was under the impression it downloaded the update, so my bad there.

I think it's fine that the download link is embedded in the application. The update check might still go over TLS because Let's Encrypt is easy and free these days, but not really important for just the check.