lua 5.1.5 CVEs
Peter Naulls
peter at chocky.org
Tue Oct 25 16:05:40 PDT 2022
Lua 5.1.5 would appear to have CVEs below against it.

The patches to this in OpenWrt are significant, but dated, with the
last bug fix seeming to be from 2019, so it's hard to say if
these are addressed:

https://github.com/openwrt/openwrt/tree/openwrt-22.03/package/utils/lua/patches

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15888
https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5

I can't see that these have been applied - correct me here please.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43519

This appears to be the fix:
https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15945

Fix here:
https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461

This is ancient, and may have long since been fixed, although
I can't find the exact patch.

This would be a good example where, if the CVE patches had been
applied, naming them well would help.

The "better" fix would arguably be to move to Lua 5.3 or even 5.4, but
as I mentioned in an earlier post, I'm not sure if this is possible or
what it might break in LuCI.

Thanks!