CVE fix needs backport to 1.12

[sevu]

Having a backport of d911268 in the 1.12 branch would help, seems nobody applied it downstream yet.

[GregoryLundberg]

Nah. If they can't be bothered to go to 1.14 why assume they'd be go to the effort of pulling the commit and rebuilding. Might be hard to roll back enough to even do that .... We are talking 4 or 5 years.

If someone really wants to, fine. But I don't think its critical much less worth keeping this PR open for more than a week or two to see if some does want to put in the effort.

[sevu]

1.12.6 will remain relevant for another two years for the distributions. Having there an CVE… But indeed, the bigger issue is that some of the files the patch applies to don't exist in 1.12.

[gfgtdf]

the bigger issue is that some of the files the patch applies to don't exist in 1.12.

The hardest part is the change the to luas own load function, all other occurances can probably be easily found by doing a textsearch for the lua..._load functions.

[sevu]

I found for all but the last file the relevant place in 1.12. For the last, kernels and that function did not exist in 1.12

[gfgtdf]

I found for all but the last file the relevant place in 1.12. For the last, kernels and that function did not exist in 1.12

What i was trying to say is that you cannot expect a 1:1 correpsondance between the 1.14 occurances and 1.12 occurances. Just applying the patch is not enough, even if it applied without merging problems it's totally posilble that it misses occurances of lua_load/luaL_loadstring/luaL_loadbuffer etc in 1.12 because those that used it functions were for example removed in 1.14 or merged into a helper function.
If you apply that patch you also have to search for all occurances of theose functions in the wesnoth source (escept the lua subsource) and make sure they are fixed.

[jyrkive]

@Vultraz Please explain why you closed this issue.

[Vultraz]

I agree with both prior assessments that backporting to 1.12 would be difficult and a lot of work. And since this has been sitting open for almost a month, I figure it's better to close it since it looks like no one is willing to work on it, as @GregoryLundberg suggested.

Do you think instead it should be left open for reference but not marked Urgent?

[jyrkive]

Well, "no one is willing to work on this" is essentially Won't Fix, which is a valid reason to close a bug report if the situation is permanent.