lua-openssl in 0.7.7-1 suffers from multiple vulnerabilities originating from using lua_pushboolean for certain non-boolean return values when performing various checks while validating X.509 certificates. See CVE-2020-9432, CVE-2020-9433, CVE-2020-9434.
CVE-2020-9432: openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.

CVE-2020-9433: openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.

CVE-2020-9434: openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.

https://github.com/zhaozg/lua-openssl/commit/a6dc186dd4b6b9e329a93cca3e7e3cfccfdf3cca
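The bug class behind all three CVEs is worth seeing in code. OpenSSL's X509_check_host(), X509_check_email() and X509_check_ip_asc() do not return a boolean: they return 1 for a match, 0 for no match, -1 for an internal error and -2 for malformed input (OpenSSL documents an embedded NUL in the hostname as one -2 case). lua_pushboolean(L, v) pushes true for any non-zero v, so the two error codes become "true" on the Lua side and a failed check looks like a successful one. The following is an added illustration, not lua-openssl's code and not the upstream fix in the linked commit; fake_x509_check_host is a constructed stand-in that only models the documented return codes, and the "fixed" mapping is one assumed hardening (treat only 1 as a match, report negatives as errors), not necessarily the shape upstream chose.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL's documented return convention for the X509_check_* family. */
enum {
    X509_MATCH        =  1,
    X509_NO_MATCH     =  0,
    X509_INTERNAL_ERR = -1,
    X509_MALFORMED    = -2
};

/* Constructed stand-in for X509_check_host(): no certificate is parsed.
 * "cert" is just the name the certificate is pretended to carry.
 * A NULL cert simulates an internal failure (-1); a name containing an
 * embedded NUL within namelen bytes is the documented malformed case (-2). */
int fake_x509_check_host(const char *cert, const char *name, size_t namelen)
{
    if (cert == NULL)
        return X509_INTERNAL_ERR;
    if (memchr(name, '\0', namelen) != NULL)
        return X509_MALFORMED;
    if (strlen(cert) == namelen && memcmp(cert, name, namelen) == 0)
        return X509_MATCH;
    return X509_NO_MATCH;
}

/* What the Lua script sees after lua_pushboolean(L, ret):
 * any non-zero value, including -1 and -2, becomes true. */
int lua_sees_vulnerable(int ret)
{
    return ret != 0;
}

/* Hardened mapping (assumed, not upstream's exact patch): only an explicit
 * match is reported as true, and error codes are surfaced separately so the
 * caller can distinguish "no match" from "the check itself failed". */
int lua_sees_fixed(int ret, int *err)
{
    *err = (ret < 0);
    return ret == X509_MATCH;
}

int main(void)
{
    /* Constructed inputs: a clean hostname and one with an embedded NUL. */
    const char good[] = "example.com";
    const char bad[]  = "example.com\0evil.example";   /* 11 + 1 + 12 bytes */
    struct { const char *label; int ret; } cases[] = {
        { "clean name, matches",      fake_x509_check_host("example.com", good, sizeof good - 1) },
        { "clean name, no match",     fake_x509_check_host("other.test",  good, sizeof good - 1) },
        { "embedded NUL (malformed)", fake_x509_check_host("example.com", bad,  sizeof bad  - 1) },
        { "internal error",           fake_x509_check_host(NULL,          good, sizeof good - 1) },
    };

    printf("%-26s %4s %-11s %-6s %s\n", "case", "ret", "vulnerable", "fixed", "err");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err;
        int fixed = lua_sees_fixed(cases[i].ret, &err);
        printf("%-26s %4d %-11s %-6s %d\n", cases[i].label, cases[i].ret,
               lua_sees_vulnerable(cases[i].ret) ? "true" : "false",
               fixed ? "true" : "false", err);
    }
    return 0;
}
```

Running it shows the malformed and internal-error rows reported as "true" by the lua_pushboolean mapping and as "false" with err=1 by the hardened one; the only row where both agree on "true" is the genuine match.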
@maintainer(s): ping
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83cae96eb3ba9ca91b0dbf424a34e30f89dc30be

commit 83cae96eb3ba9ca91b0dbf424a34e30f89dc30be
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 05:42:06 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 05:59:47 +0000

    package.mask: Last rite dev-lua/lua-openssl

    Bug: https://bugs.gentoo.org/711016
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Aren't these CVEs addressed in 0.7.8-0?
(In reply to Kobboi from comment #5)
> Aren't these CVEs addressed in 0.7.8-0?

... which is not in tree. We need somebody to put it in. Nobody is interested in doing so.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13d04a5230d33711e06327b3c930ef8e5cc5b8ab

commit 13d04a5230d33711e06327b3c930ef8e5cc5b8ab
Author:     Victor Payno <vpayno+gentoo@gmail.com>
AuthorDate: 2020-04-23 20:35:07 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-04-23 20:38:18 +0000

    package.mask: Remove mask for dev-lua/lua-openssl, bug 711016

    Bug: https://bugs.gentoo.org/711016
    Signed-off-by: Victor Payno <vpayno+gentoo@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/15491
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 profiles/package.mask | 5 -----
 1 file changed, 5 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56d6ec355802d900900c2e8bd575a9f2f94a5fd4

commit 56d6ec355802d900900c2e8bd575a9f2f94a5fd4
Author:     Victor Payno <vpayno+gentoo@gmail.com>
AuthorDate: 2020-04-23 20:26:33 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-04-23 20:37:49 +0000

    dev-lua/lua-openssl: version bump to 7.7.8_p0

    Bug: https://bugs.gentoo.org/711016
    Signed-off-by: Victor Payno <vpayno+gentoo@gmail.com>
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 dev-lua/lua-openssl/Manifest                    |  1 +
 dev-lua/lua-openssl/lua-openssl-0.7.8_p0.ebuild | 75 +++++++++++++++++++++++++
 dev-lua/lua-openssl/metadata.xml                | 10 ++--
 3 files changed, 81 insertions(+), 5 deletions(-)
Great, thanks! @maintainer(s), please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b899ce1c9ee7a671f5a507efb32be67fcfd72c6

commit 5b899ce1c9ee7a671f5a507efb32be67fcfd72c6
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 01:27:20 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 01:27:20 +0000

    dev-lua/lua-openssl: drop vulnerable

    Bug: https://bugs.gentoo.org/711016
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-lua/lua-openssl/Manifest                       |  4 --
 dev-lua/lua-openssl/lua-openssl-0.7.3.ebuild       | 60 ------------------
 dev-lua/lua-openssl/lua-openssl-0.7.7_p0-r1.ebuild | 71 ---------------------
 dev-lua/lua-openssl/lua-openssl-0.7.7_p1.ebuild    | 74 ----------------------
 4 files changed, 209 deletions(-)