
Version installed from luarocks vulnerable to CVE-2018-11218 #63

stevenjohnstone opened this issue Aug 8, 2020 · 3 comments

@stevenjohnstone

I've made a fuzzer for lua: https://github.com/stevenjohnstone/afl-lua. I was trying it out on known vulnerabilities and verified that it could detect the issues flagged in CVE-2018-11218 with 0.4.0-0. I then tried to install the latest and greatest following the README instructions as a point of comparison and found the same bugs...because luarocks had installed the version 0.4.0-0 again 🤦

Turns out the README instructions need to be updated to install the correct version; luarocks should probably just fail when the specified source isn't found, but that's another issue. See #62 for a build instruction fix.

Would it be possible to tag another release and push it to luarocks?

BTW, fuzzer hasn't found any issues with the latest and greatest 👍

@stevenjohnstone

It appears that the rock uploaded to https://luarocks.org/dev predates 7b989b5#diff-5775114da613405f773d31b7d96775b6 so doesn't install correctly.

@adriweb

adriweb commented Nov 19, 2020

@antirez Any hope to have a new release on luarocks? Thanks.

@Trendyne

Trendyne commented Sep 6, 2022

+1
