CVE-2020-15889


CVE-2020-15889

Bruno Vernay
Hi

Here it reads that versions up to 5.4 are affected
https://vuldb.com/?id.158861 which is plain wrong, misleading and
should be corrected.
Here it reads that versions from 5.4 are affected
https://access.redhat.com/security/cve/cve-2020-15889 which is right I
guess.

Now I have a hard time finding a patch too.
NIST references a "Patch"
https://nvd.nist.gov/vuln/detail/CVE-2020-15889 very simple one line.
I really doubt it fixes the CVE.  Either NIST should be alerted, or
the commit should contain an explicit info about the CVE.

On IRC, I have been referred to "it's bug #6 on here:
https://www.lua.org/bugs.html#5.4.0-6"
and that the correct commit would be "correct commit:
https://github.com/lua/lua/commit/31b8c2d4380a762d1ed6a7faee74a1d107f86014"
But there is no reference to the CVE in any of the commits.

It would help to clarify the situation with NIST, VulDB and reference
the CVE in the commits (I understand there are no pull requests) or
create an explicit patch like this
http://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-devtools/lua/lua_5.3.5.bb?h=master

Thanks

Re: CVE-2020-15889

Bruno Vernay
My simple question would be:
If CVE-2020-15889 affects up to and including 5.4.0, then where can I find
a patch to backport to previous versions like 5.3.5?
If it affects Lua since 5.4.0, then has it ever been fixed?

Regards
Bruno


On Fri, Dec 11, 2020 at 2:00 PM Bruno Vernay <[hidden email]> wrote:

>
> Hi
>
> Here it reads that versions up to 5.4 are affected
> https://vuldb.com/?id.158861 which is plain wrong, misleading and
> should be corrected.
> Here it reads that versions from 5.4 are affected
> https://access.redhat.com/security/cve/cve-2020-15889 which is right I
> guess.
>
> Now I have a hard time finding a patch too.
> NIST references a "Patch"
> https://nvd.nist.gov/vuln/detail/CVE-2020-15889 very simple one line.
> I really doubt it fixes the CVE.  Either NIST should be alerted, or
> the commit should contain an explicit info about the CVE.
>
> On IRC, I have been referred to "it's bug #6 on here:
> https://www.lua.org/bugs.html#5.4.0-6"
> and that the correct commit would be "correct commit:
> https://github.com/lua/lua/commit/31b8c2d4380a762d1ed6a7faee74a1d107f86014"
> But there is no reference to the CVE in any of the commits.
>
> It would help to clarify the situation with NIST, VulDB and reference
> the CVE in the commits (I understand there are no pull requests) or
> create an explicit patch like this
> http://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-devtools/lua/lua_5.3.5.bb?h=master
>
> Thanks



--
Bruno VERNAY

Re: CVE-2020-15889

Andrew Gierth
>>>>> "Bruno" == Bruno Vernay <[hidden email]> writes:

 Bruno> My simple question would be:

 Bruno> If CVE-2020-15889 affects up to and including 5.4.0, then where can
 Bruno> I find a patch to backport to previous versions like 5.3.5?

As we told you repeatedly on IRC, the bug only affects 5.4.0. No other
version is affected. No backport is therefore required.

Note that the description in the CVE appears to be conflating two
different bugs, one described at https://www.lua.org/bugs.html#5.4.0-6
and the other at http://lua-users.org/lists/lua-l/2020-07/msg00071.html

(both are fixed in 5.4.1)

--
Andrew.

Re: CVE-2020-15889

Bruno Vernay
Thanks for the clear statement.

Please understand that I cannot leverage discussions on IRC to contradict the NIST and the security tools that are used to scan the application. Nor can I impose an upgrade on the development team.
Anyway I am thankful to all who took time to help me with my issue.

Bruno


On Thu, Dec 17, 2020, 21:26 Andrew Gierth <[hidden email]> wrote:

>>>>> "Bruno" == Bruno Vernay <[hidden email]> writes:

 Bruno> My simple question would be:

 Bruno> If CVE-2020-15889 affects up to and including 5.4.0, then where can
 Bruno> I find a patch to backport to previous versions like 5.3.5?

As we told you repeatedly on IRC, the bug only affects 5.4.0. No other
version is affected. No backport is therefore required.

Note that the description in the CVE appears to be conflating two
different bugs, one described at https://www.lua.org/bugs.html#5.4.0-6
and the other at http://lua-users.org/lists/lua-l/2020-07/msg00071.html

(both are fixed in 5.4.1)

--
Andrew.

Re: CVE-2020-15889

Rob Kendrick-2
On Thu, Dec 17, 2020 at 10:04:46PM +0100, Bruno Vernay wrote:

> Please understand that I cannot leverage discussions on IRC to contradict
> the NIST and the security tools that are used to scan the application.

That sounds like a problem with your process and your application, not
Lua or NIST.

B.