Re: lua 5.1.5 CVEs / lua 5.3 with luci
Hi, > Can one be curious and ask what is gonna be used instead of lua, or is > that still not 100% decided yet? you can find more details at https://forum.openwrt.org/t/luci-rewrite-in-ucode-testers-wanted/137250 ~ Jo signature.asc Description: OpenPGP digital signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: lua 5.1.5 CVEs / lua 5.3 with luci
Ah thanks On Wed, Oct 26, 2022 at 3:57 PM Jo-Philipp Wich wrote: > > Hi, > > > Can one be curious and ask what is gonna be used instead of lua, or is > > that still not 100% decided yet? > > you can find more details at > https://forum.openwrt.org/t/luci-rewrite-in-ucode-testers-wanted/137250 > > ~ Jo > ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: lua 5.1.5 CVEs / lua 5.3 with luci
Can one be curious and ask what is gonna be used instead of lua, or is that still not 100% decided yet? On Wed, Oct 26, 2022 at 3:54 PM Jo-Philipp Wich wrote: > > Hi, > > all errors you quoted are occurring within Lua code. The view rendering etc. > mostly happens in JavaScript on the client side, this is why things /seem/ to > work. Many backend actions are implemented as rpcd plugins in Lua code though, > and all those seem to fail (not register with rpcd in the first place, likely > because the requested interpreter /usr/bin/lua is not there). > > Newer Lua versions do have various incompatibilities with Lua 5.1 and the > deprecation of setfenv(), getfenv() in favor to _ENV will require a lot of > refactoring in LuCI framework code. > > Since LuCI is in the process of migrating away from Lua, only keeping an > optional compatibility Lua runtime for legacy applications, it is unlikely > that any work will be spent to convert the framework code to later Lua > versions. > > ~ Jo > > ___ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: lua 5.1.5 CVEs / lua 5.3 with luci
Hi, all errors you quoted are occurring within Lua code. The view rendering etc. mostly happens in JavaScript on the client side, this is why things /seem/ to work. Many backend actions are implemented as rpcd plugins in Lua code though, and all those seem to fail (not register with rpcd in the first place, likely because the requested interpreter /usr/bin/lua is not there). Newer Lua versions do have various incompatibilities with Lua 5.1 and the deprecation of setfenv(), getfenv() in favor to _ENV will require a lot of refactoring in LuCI framework code. Since LuCI is in the process of migrating away from Lua, only keeping an optional compatibility Lua runtime for legacy applications, it is unlikely that any work will be spent to convert the framework code to later Lua versions. ~ Jo signature.asc Description: OpenPGP digital signature ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: lua 5.1.5 CVEs / lua 5.3 with luci
On 10/25/22 20:45, Reuben Dowle wrote: My opinion is that openwrt should try and move to a newer version of lua. This old 5.1.5 version appears to be unmaintained, and there does not seem to be the resources within the openwrt community to change that. So I naively adjusted the lua5.3 package to add PROVIDES for lua and liblua and symlinked the /usr/bin/lua5.3 binary to /usr/bin/lua. In some very superficial testing, skimming through pages, luci almost works correctly. What I do see on all pages, is this: RPCError: RPC call to luci/getFeatures failed with error -32000: Object not found at handleCallReply (http://192.168.113.1/luci-static/resources/rpc.js?v=unknown:82:7) at promise callback*parseCallReply (http://192.168.113.1/luci-static/resources/rpc.js?v=unknown:66:5) at promise callback*call (http://192.168.113.1/luci-static/resources/rpc.js?v=unknown:41:6) at declare/(http://192.168.113.1/luci-static/resources/rpc.js?v=unknown:342:9) at declare/< (http://192.168.113.1/luci-static/resources/rpc.js?v=unknown:302:11) at probeSystemFeatures (http://192.168.113.1/luci-static/resources/luci.js?v=unknown:2588:7) at setupDOM (http://192.168.113.1/luci-static/resources/luci.js?v=unknown:2737:10) at promise callback*__init__ (http://192.168.113.1/luci-static/resources/luci.js?v=unknown:2254:7) at ClassConstructor (http://192.168.113.1/luci-static/resources/luci.js?v=unknown:104:20) Just bear in mind that although this is 22.03, I have some heavyish changes to customize luci too. I don't know this particular code, but I can't imagine it being hard to fix. There's some additional similar errors on other pages. Switch config: RPCError: RPC call to luci/getSwconfigFeatures failed with error -32000: Object not found Firewall: RPCError: RPC call to luci/getConntrackHelpers failed with error -32000: Object not found The system log tabs also report: "Unable to load log data: Not Found". Wireguard: RPC call to luci.wireguard/getWgInstances failed with error -32000: Object not found Suggested fixes? In any case, this seems like it would be a major internal change in OpenWrt. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel