lua 5.1.5 CVEs

Reuben Dowle reuben.dowle at 4rf.com
Tue Oct 25 17:45:41 PDT 2022


I have run into these CVEs during an audit. I looked into the patches linked to them, and it seems that the ancient Lua code for 5.1.5 was very different from the code the patches were created against. When I attempted to manually make similar changes in the code, it seemed to me that the older Lua code was probably not vulnerable in the same way. So in the end I just marked these CVEs as not applying to the version of Lua in use.

My opinion is that openwrt should try and move to a newer version of lua. This old 5.1.5 version appears to be unmaintained, and there does not seem to be the resources within the openwrt community to change that.


> -----Original Message-----
> From: openwrt-devel <openwrt-devel-bounces at lists.openwrt.org> On
> Behalf Of Peter Naulls
> Sent: Wednesday, 26 October 2022 12:06 pm
> To: OpenWrt Development List <openwrt-devel at lists.openwrt.org>
> Subject: lua 5.1.5 CVEs
> 
> 
> Lua 5.1.5 would appear to have CVEs below against it.
> 
> The patches to this in OpenWrt are significant, but dated, with the last bug fix
> seeming to be from 2019, so it's hard to say if these are addressed:
> 
> https://github.com/openwrt/openwrt/tree/openwrt-22.03/package/utils/lua/patches
> 
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15888
> 
> https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
> https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5
> 
> I can't see that these have been applied - correct me here please.
> 
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43519
> 
> This appears to be the fix:
> 
> https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
> 
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15945
> 
> Fix here:
> 
> https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3
> 
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461
> 
> This is ancient, and may have long since been fixed, although I can't find the
> exact patch.
> 
> This would be a good example where if the CVE patches had been applied,
> naming them well would help.
> 
> The "better" fix would arguably to move to lua 5.3 or even 5.4, but as I
> mentioned in an earlier post, I'm not sure if this is possible or what it might
> break in luci.
> 
> Thanks!
> 
> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
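Peter's remark that well-named backports would make this kind of audit tractable can be turned into a quick check. The shell function below is an added example, not tooling from this thread or from OpenWrt: it assumes a flat directory of patch files like the package/utils/lua/patches directory linked above, and reports whether each identifier (a CVE id or an upstream commit hash from the thread) appears in a patch file name or in a patch body, where a git format-patch header carries the upstream commit hash. The sample directory it builds is constructed for illustration, with placeholder subjects rather than real patch contents.

```shell
#!/bin/sh
# Added example: report which CVE ids / upstream commit hashes are referenced
# by the patches in a package's patches/ directory (file name or patch text).
# Assumption: a flat directory of *.patch files, as in package/utils/lua/patches.

# Usage: cve_patch_status PATCH_DIR IDENT...
# Prints "<ident> found <patchfile>" or "<ident> MISSING", one line per ident.
cve_patch_status() {
    dir=$1; shift
    for id in "$@"; do
        # Look for the identifier in a file name first, then anywhere in the
        # patch bodies (git format-patch headers carry the upstream commit hash).
        hit=$( { ls "$dir" | grep -i -- "$id" || true
                 grep -ril -- "$id" "$dir" || true; } 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            echo "$id found $(basename "$hit")"
        else
            echo "$id MISSING"
        fi
    done
}

# Constructed sample patches directory (placeholder contents, not real patches).
demo_patches_dir() {
    d=$(mktemp -d)
    printf 'From 6298903e35217ab69c279056f925fb72900ce0b7 Mon Sep 17 00:00:00 2001\nSubject: [PATCH] (placeholder backport)\n' \
        > "$d/030-CVE-2020-15888.patch"
    printf 'Subject: [PATCH] (placeholder build fix)\n' > "$d/010-build.patch"
    echo "$d"
}

# Stand-alone run: audit the constructed directory against the ids from the thread.
d=$(demo_patches_dir)
cve_patch_status "$d" CVE-2020-15888 6298903e35217ab69c279056f925fb72900ce0b7 \
    eb41999461b6f428186c55abd95f4ce1a76217d5 CVE-2021-43519 CVE-2020-15945 CVE-2014-5461
rm -rf "$d"
```

Against a real checkout, point it at the package's patches directory and pass the ids you are auditing; a MISSING line only means the identifier is not referenced, which is exactly the ambiguity the thread describes, so it flags patches to read by hand rather than proving a fix is absent.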
