Hi Guilhem,

On Mon, Aug 25, 2025 at 11:59:29PM +0200, Guilhem Moulin wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: [email protected], [email protected]
> Control: affects -1 + src:luajit
> User: [email protected]
> Usertags: pu
>
> [ Reason ]
>
> Fix <no-dsa> security issues CVE-2024-2517[6-8].
>
> [ Impact ]
>
> Users will remain vulnerable to the aforementioned issues. Upgrading
> users might regress as the issues are now fixed in Bullseye LTS.
>
> [ Tests ]
>
> 1. Manual tests using the PoC found in the upstream issues.
> 2. Manual run of openresty's test suites using snapshots from spring 2022
>    https://github.com/openresty/luajit2/tree/v2.1-20220309/t
>    https://github.com/openresty/luajit2-test-suite/tree/908732e0a9a9b4bc7c327210a52272a570f47323
>
> [ Risks ]
>
> Low risks; upstream uses a rolling release model but patches were merged
> to the v2.1 branch and apply cleanly.
>
> [ Checklist ]
>
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in oldstable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> * Fix CVE-2024-25176: Stack-buffer-overflow in lj_strfmt_wfnum() in
>   lj_strfmt_num.c.
> * Fix CVE-2024-25177: Unsinking of IR_FSTORE for NULL metatable, which leads
>   to Denial of Service.
> * Fix CVE-2024-25178: Out-of-bounds read in the stack-overflow handler in
>   lj_state.c.
>
> [ Other info ]
>
> Tag and individual commits can be found at the LTS team fork:
> https://salsa.debian.org/lts-team/packages/luajit/-/tree/debian/bookworm?ref_type=heads
>
> --
> Guilhem.
> diffstat for luajit-2.1.0~beta3+git20220320+dfsg luajit-2.1.0~beta3+git20220320+dfsg
>
>  changelog                    |   12 +++
>  patches/CVE-2024-25176.patch |   27 +++++++
>  patches/CVE-2024-25177.patch |   42 +++++++++++
>  patches/CVE-2024-25178.patch |  163 +++++++++++++++++++++++++++++++++++++++++++
>  patches/series               |    3
>  salsa-ci.yml                 |    9 ++
>  6 files changed, 256 insertions(+)
>
> diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog
> --- luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog	2022-09-08 20:16:27.000000000 +0200
> +++ luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog	2025-08-25 13:39:40.000000000 +0200
> @@ -1,3 +1,15 @@
> +luajit (2.1.0~beta3+git20220320+dfsg-4.1+deb12u1) bookworm-security; urgency=high

Small remark: the target distribution needs to be bookworm for the point
release update.

Thanks for doing the work!

Regards,
Salvatore
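Review bot: the distribution field in the new changelog stanza reads "bookworm-security", but the bug is tagged "bookworm" with usertag "pu", i.e. a point-release upload via release.debian.org rather than a security upload, so the first line of the stanza should be "luajit (2.1.0~beta3+git20220320+dfsg-4.1+deb12u1) bookworm; urgency=high". The "+deb12u1" version suffix is already the right form for that target. Also, the hunk header "@@ -1,3 +1,15 @@" announces twelve added lines but only the first is quoted in this excerpt, so the CVE entries in the stanza cannot be checked here against the three items under [ Changes ]; they should name CVE-2024-25176, CVE-2024-25177 and CVE-2024-25178 and match the three patch files listed in the diffstat.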

