CVE fix needs backport to 1.12 #3516
Comments
Nah. If they can't be bothered to go to 1.14, why assume they'd go to the effort of pulling the commit and rebuilding? Might be hard to roll back enough to even do that .... We are talking 4 or 5 years. If someone really wants to, fine. But I don't think it's critical, much less worth keeping this PR open for more than a week or two to see if someone does want to put in the effort.
1.12.6 will remain relevant for another two years for the distributions. Having a CVE there… But indeed, the bigger issue is that some of the files the patch applies to don't exist in 1.12.
The hardest part is the change to Lua's own load function; all other occurrences can probably be easily found by doing a text search for the lua..._load functions.
I found for all but the last file the relevant place in 1.12. For the last, kernels and that function did not exist in 1.12.
What I was trying to say is that you cannot expect a 1:1 correspondence between the 1.14 occurrences and 1.12 occurrences. Just applying the patch is not enough; even if it applied without merging problems, it's totally possible that it misses occurrences of lua_load/luaL_loadstring/luaL_loadbuffer etc. in 1.12 because those functions that used it were, for example, removed in 1.14 or merged into a helper function.
@Vultraz Please explain why you closed this issue.
I agree with both prior assessments that backporting to 1.12 would be difficult and a lot of work. And since this has been sitting open for almost a month, I figure it's better to close it since it looks like no one is willing to work on it, as @GregoryLundberg suggested. Do you think instead it should be left open for reference but not marked Urgent?
Well, "no one is willing to work on this" is essentially Won't Fix, which is a valid reason to close a bug report if the situation is permanent.
Having a backport of d911268 in the 1.12 branch would help, seems nobody applied it downstream yet.