[Git][security-tracker-team/security-tracker][master] lua-cgi - code is broken and cannot be exploited

Brian May bam at debian.org
Tue Mar 31 21:35:45 BST 2020



Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ce8d060f by Brian May at 2020-04-01T07:34:56+11:00
lua-cgi - code is broken and cannot be exploited

As per bug #954300, the session.close function is broken. This means it
is not possible to save session data. This in turn means there are no
concerns if the session id is made public because there is no sensitive
data associated with the session. So it doesn't matter if somebody
attempts to guess the session id because it doesn't reveal anything
useful.

This bug is trivial to resolve, however the fact that nobody is
complaining about this bug or trying to fix the bug would strongly
suggest that nobody is using session management with lua-cgi.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -263081,8 +263081,10 @@ CVE-2014-2877
 CVE-2014-2876
 	RESERVED
 CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses wea ...)
-	- lua-cgi <unfixed> (bug #953037)
+	- lua-cgi <not-affected> (code is broken and cannot be exploited)
 	NOTE: https://github.com/keplerproject/cgilua/issues/17
+	NOTE: https://bugs.debian.org/953037
+	NOTE: https://bugs.debian.org/954300
 CVE-2013-7369 (SQL injection vulnerability in an unspecified DLL in the FSDBCom Activ ...)
 	NOT-FOR-US: F-Secure Anti-Virus
 CVE-2012-6647 (The futex_wait_requeue_pi function in kernel/futex.c in the Linux kern ...)
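Review bot: the `<not-affected>` marking on the lua-cgi line rests entirely on a second, unrelated defect (#954300, session.close broken) rather than on the weak session-id code being absent; the NOTE still pointing at keplerproject/cgilua issue 17 shows the CVE-2014-2875 code is still shipped. Since the commit message itself calls #954300 "trivial to resolve", the moment someone fixes session.close this entry silently becomes wrong. Suggest recording that dependency next to the URLs so a later triager re-evaluates, e.g. `NOTE: unexploitable only while #954300 (session.close broken) remains unfixed; re-check if it is repaired`, and double-check that the tracker's tag for "vulnerable code present but not exploitable" is the one intended here rather than `<not-affected>`.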


=====================================
data/dla-needed.txt
=====================================
@@ -47,10 +47,6 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
-lua-cgi
-  NOTE: 20200227: The package do not seem to be used much, but the popcon data in this case
-  NOTE: 20200227: may not be entirely reliable. One possibility is to declare it unsupported. (Ola)
---
 mumble (Abhijith PA)
   NOTE:20200325: Regression in last upload, forgot to follow up.
   NOTE:20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
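Review bot: dropping the whole lua-cgi block also drops Ola's 20200227 note that the package looks unused and could be declared unsupported in LTS; that is a separate decision from the CVE-2014-2875 triage and nothing in this change resolves it. Suggest either carrying the "declare it unsupported" question over to wherever such decisions are tracked, or leaving a one-line NOTE in dla-needed.txt saying the open CVE was marked not-affected and the support-status question is still pending, so the popcon observation is not lost with the entry.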



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce8d060f5fcc344889020a797a665b911b62ccf4




