I have run into these CVEs during an audit. I looked into the patches linked to them, and it seems that the ancient Lua code for 5.1.5 was very different from the code the patches were created against. When I attempted to manually make similar changes in the code, it seemed to me that the older Lua code was probably not vulnerable in the same way. So in the end I just marked these CVEs as not applying to the version of Lua in use.
My opinion is that OpenWrt should try and move to a newer version of Lua. This old 5.1.5 version appears to be unmaintained, and there does not seem to be the resources within the OpenWrt community to change that.

> -----Original Message-----
> From: openwrt-devel <[email protected]> On Behalf Of Peter Naulls
> Sent: Wednesday, 26 October 2022 12:06 pm
> To: OpenWrt Development List <[email protected]>
> Subject: lua 5.1.5 CVEs
>
> Lua 5.1.5 would appear to have the CVEs below against it.
>
> The patches to this in OpenWrt are significant, but dated, with the last bug fix
> seeming to be from 2019, so it's hard to say if these are addressed:
>
> https://github.com/openwrt/openwrt/tree/openwrt-22.03/package/utils/lua/patches
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15888
>
> https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
> https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5
>
> I can't see that these have been applied - correct me here please.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43519
>
> This appears to be the fix:
>
> https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15945
>
> Fix here:
>
> https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461
>
> This is ancient, and may have long since been fixed, although I can't find the
> exact patch.
>
> This would be a good example where, if the CVE patches had been applied,
> naming them well would help.
>
> The "better" fix would arguably be to move to Lua 5.3 or even 5.4, but as I
> mentioned in an earlier post, I'm not sure if this is possible or what it might
> break in LuCI.
>
> Thanks!
>
> _______________________________________________
> openwrt-devel mailing list
> [email protected]
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
