Created attachment 12566
Patch to update the changelog

attachment patch2 ignored as obsolete

How will we handle this one in Gerrit? Are we gonna submit it in public with the "fix buffer overflow" comment, but only right before deployment?

(In reply to comment #2)

How will we handle this one in Gerrit? Are we gonna submit it in public with
the "fix buffer overflow" comment, but only right before deployment?

I know this was already answered on IRC, but for the record:

We're handling it like any other security update, if possible: deploy the fix, then put it in Gerrit afterwards. The bug also gets reassigned to the appropriate non-Security product when it's closed. I don't know if there will be a security announcement too or what. Coordinate with Chris on the details and timing of the making-public bits, of course.

i added myself to labs project "packaging", and used instance "php-packaging" since it appears in the wmf-build script from the luasandbox repo.

i applied the patch and build 1.7-1, then manually copied from the labs instance to brewster and imported with reprepro.

since the package is "ensure latest" in puppet, it then got auto-updated on the cluster hosts.

as of this writing i'ts now "ii php-luasandbox 1.7-1 " on all 217 mw* hosts.

test case as decribed in https://bugzilla.wikimedia.org/show_bug.cgi?id=49649 as far as i understand it should be this: http://en.wiktionary.org/w/index.php?title=User:Mutante/foo&action=history

and http://en.wiktionary.org/wiki/User:Mutante/foo did _not_ become uneditable. So that would be good, please confirm.

(In reply to comment #5)

and http://en.wiktionary.org/wiki/User:Mutante/foo did _not_ become
uneditable.
So that would be good, please confirm.

My tests work as well.

cool, claiming RESOLVED then.

This is not in gerrit yet, do we want to make it public now?

(In reply to comment #8)

This is not in gerrit yet, do we want to make it public now?

I'd say let's ask Chris.

The only other issue is if there are external users we would want to notify. I'm assuming that's not the case here (although Brad, let us know if you think otherwise), so I think we can release-- i.e., put the patch in gerrit and send a note to wikitech-l in case other people want to patch.

It's certainly possible that others have downloaded and installed luasandbox, we mention it on the extension page and people have filed bugs against it specifically.

Created attachment 13158
Rebased patch, and added one more check

It would be nice to get this released sometime soon. In the mean time, I rebased the patch and added an additional luaL_checkstack() call.

attachment diff ignored as obsolete

Created attachment 13159
And here's a version rebased on top of Gerrit change 63565

Also, since Gerrit change 63565 and this have conflicts, here's a version rebased on top of that change in case that gets merged first.

attachment diff2 ignored as obsolete

I'm planning to include this this with 1.21.2, currently scheduled for Aug 27th.

Created attachment 13226
Changelog for 1.7 and 1.8

attachment diff ignored as obsolete

This was assigned CVE-2013-4571

Created attachment 13795
Rebased patch

Attached: