lua 5.1.5 CVEs / lua 5.3 with luci

Peter Naulls peter at chocky.org
Wed Oct 26 06:39:50 PDT 2022 

On 10/25/22 20:45, Reuben Dowle wrote:

> 
> My opinion is that openwrt should try and move to a newer version of lua. This 
> old 5.1.5 version appears to be unmaintained, and there does not seem to be the 
> resources within the openwrt community to change that.

So I naively adjusted the lua5.3 package to add PROVIDES for lua and liblua
and symlinked the /usr/bin/lua5.3 binary to /usr/bin/lua.

In some very superficial testing, skimming through pages, luci
almost works correctly. What I do see on all pages, is this:

RPCError: RPC call to luci/getFeatures failed with error -32000: Object not found
   at handleCallReply 
(http://192.168.113.1/luci-static/resources/rpc.js?v=unknown:82:7)
   at promise callback*parseCallReply 
(http://192.168.113.1/luci-static/resources/rpc.js?v=unknown:66:5)
   at promise callback*call 
(http://192.168.113.1/luci-static/resources/rpc.js?v=unknown:41:6)
   at declare/</< 
(http://192.168.113.1/luci-static/resources/rpc.js?v=unknown:342:9)
   at declare/< (http://192.168.113.1/luci-static/resources/rpc.js?v=unknown:302:11)
   at probeSystemFeatures 
(http://192.168.113.1/luci-static/resources/luci.js?v=unknown:2588:7)
   at setupDOM 
(http://192.168.113.1/luci-static/resources/luci.js?v=unknown:2737:10)
   at promise callback*__init__ 
(http://192.168.113.1/luci-static/resources/luci.js?v=unknown:2254:7)
   at ClassConstructor 
(http://192.168.113.1/luci-static/resources/luci.js?v=unknown:104:20)

Just bear in mind that although this is 22.03, I have some heavyish changes to 
customize luci too. I don't know this particular code, but I can't imagine it 
being hard to fix.

There's some additional similar errors on other pages.

Switch config:

RPCError: RPC call to luci/getSwconfigFeatures failed with error -32000: Object 
not found


Firewall:

RPCError: RPC call to luci/getConntrackHelpers failed with error -32000: Object 
not found

The system log tabs also report: "Unable to load log data: Not Found".

Wireguard: RPC call to luci.wireguard/getWgInstances failed with error -32000: 
Object not found


Suggested fixes?

In any case, this seems like it would be a major internal change in OpenWrt.

More information about the openwrt-devel mailing list