CVE-2020-15889

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: CVE-2020-15889
From: Bruno Vernay <brunovern.a@...>
Date: Fri, 11 Dec 2020 14:00:13 +0100

Hi

Here it read that versions up to 5.4 are affected
https://vuldb.com/?id.158861 which is plain wrong, misleading and
should be corrected.
Here that versions from 5.4 are affected
https://access.redhat.com/security/cve/cve-2020-15889 which is right I
guess.

Now I have a hard time finding a patch too.
NIST references a "Patch"
https://nvd.nist.gov/vuln/detail/CVE-2020-15889 very simple one line.
I really doubt it fixes the CVE.  Either NIST should be alerted, or
the commit should contain an explicit info about the CVE.

On IRC, I have been referred to ""it's bug #6 on here:
https://www.lua.org/bugs.html#5.4.0-6 "
and that the correct commit would be " correct commit:
https://github.com/lua/lua/commit/31b8c2d4380a762d1ed6a7faee74a1d107f86014";
But there is no reference to the CVE in any of the commits.

It would help to clarify the situation with NIST, VulDB and reference
the CVE in the commits (I understand there are no pull -request) or
create an explicit patch like this
http://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-devtools/lua/lua_5.3.5.bb?h=master

Thanks

Follow-Ups:
- Re: CVE-2020-15889, Bruno Vernay

Prev by Date: Re: Lua (small optimizations)
Next by Date: Re: Lua (small optimizations)
Previous by thread: Re: Operator-precedence parsers in Lua
Next by thread: Re: CVE-2020-15889
Index(es):
- Date
- Thread