lua 5.1.5 CVEs

Peter Naulls peter at chocky.org
Tue Oct 25 16:05:40 PDT 2022


Lua 5.1.5 would appear to have CVEs below against it.

The patches to this in OpenWrt are significant, but dated, with the
last bug fix seeming to be from 2019, so it's hard to say if
these are addressed:

https://github.com/openwrt/openwrt/tree/openwrt-22.03/package/utils/lua/patches


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15888

https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5

I can't see that these have been applied - correct me here please.


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43519

This appears to be the fix:

https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15945

Fix here:

https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461

This is ancient, and may have long since been fixed, although
I can't find the exact patch.

This would be a good example where if the CVE patches had been
applied, naming them well would help.

The "better" fix would arguably be to move to lua 5.3 or even 5.4, but
as I mentioned in an earlier post, I'm not sure if this is possible or
what it might break in luci.

Thanks!
