Hi carnil, On Fri, 23 Jun 2023 at 21:49:21 +0200, Salvatore Bonaccorso wrote: > thanks for the analysis. I want to point out that it's really > important to not rely on the POC for making the not-affected > assessment (and when not confirmed, rather err on the safe side and > keep something marked affected).
Sure, I started digging further after wondering why I wasn't able to reproduce this in 5.3 :-) > Your analysis at first glance seems to make sense, but to be on safe > side, unless jmm seems it to fit, I would rather go with the still > affected, but ignored for stable and older suites. Ack > If you can prod upstream to double-check with them if you have indeed > found the introducing commit, then we can update the CVE entry > accordingly. FWIW I just noticed the issue is listed at https://www.lua.org/bugs.html#5.4.3-7 , with a link to the upstream fix 74d99057 (unfortunately the page doesn't list any CVE ID), and indeed reads “existed since 5.4.2”. Also in the CVE description (“5.1.0~5.4.4”) the upper bound is definitely wrong since 74d99057 is an ancestor of v5.4.4. -- Guilhem.
signature.asc
Description: PGP signature