Bug#1112074: bookworm-pu: package luajit/2.1.0~beta3+git20220320+dfsg-4.1+deb12u1
Hi Guilhem,
On Mon, Aug 25, 2025 at 11:59:29PM +0200, Guilhem Moulin wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: luajit@packages.debian.org, security@debian.org
> Control: affects -1 + src:luajit
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> [ Reason ]
>
> Fix <no-dsa> security issues CVE-2024-2517[6-8].
>
> [ Impact ]
>
> Users will remain vulnerable to the aforementioned issues. Upgrading
> users might regress as the issues are now fixed in Bullseye LTS.
>
> [ Tests ]
>
> 1. Manual tests using the PoC found in the upstream issues.
> 2. Manual run of openresty's test suites using snapshots from spring 2022
> https://github.com/openresty/luajit2/tree/v2.1-20220309/t
> https://github.com/openresty/luajit2-test-suite/tree/908732e0a9a9b4bc7c327210a52272a570f47323
>
> [ Risks ]
>
> Low risks; upstream uses a rolling release model but patches were merged
> to the v2.1 branch and apply cleanly.
>
> [ Checklist ]
>
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in oldstable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> * Fix CVE-2024-25176: Stack-buffer-overflow in lj_strfmt_wfnum() in
> lj_strfmt_num.c.
> * Fix CVE-2024-25177: Unsinking of IR_FSTORE for NULL metatable, which leads
> to Denial of Service.
> * Fix CVE-2024-25178: Out-of-bounds read in the stack-overflow handler in
> lj_state.c.
>
> [ Other info ]
>
> Tag and individual commits can be found at the LTS team fork:
> https://salsa.debian.org/lts-team/packages/luajit/-/tree/debian/bookworm?ref_type=heads
>
> --
> Guilhem.
> diffstat for luajit-2.1.0~beta3+git20220320+dfsg luajit-2.1.0~beta3+git20220320+dfsg
>
> changelog | 12 +++
> patches/CVE-2024-25176.patch | 27 +++++++
> patches/CVE-2024-25177.patch | 42 +++++++++++
> patches/CVE-2024-25178.patch | 163 +++++++++++++++++++++++++++++++++++++++++++
> patches/series | 3
> salsa-ci.yml | 9 ++
> 6 files changed, 256 insertions(+)
>
> diff -Nru luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog
> --- luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog 2022-09-08 20:16:27.000000000 +0200
> +++ luajit-2.1.0~beta3+git20220320+dfsg/debian/changelog 2025-08-25 13:39:40.000000000 +0200
> @@ -1,3 +1,15 @@
> +luajit (2.1.0~beta3+git20220320+dfsg-4.1+deb12u1) bookworm-security; urgency=high
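Review bot: the distribution field of the new changelog entry reads `bookworm-security`, but this upload is a point-release update (`Usertags: pu`, `bookworm-pu` in the subject), so the entry should target `bookworm`; the `bookworm-security` suite is for uploads handled by the security team. Suggested line: `+luajit (2.1.0~beta3+git20220320+dfsg-4.1+deb12u1) bookworm; urgency=high`. The version and `urgency=high` are fine as they are.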
Small remark: the target distribution needs to be bookworm for the
point release update.
Thanks for doing the work!
Regards,
Salvatore