Version installed from luarocks vulnerable to CVE-2018-11218 #63

stevenjohnstone opened this issue Aug 8, 2020 · 3 comments
@stevenjohnstone
I've made a fuzzer for lua: https://github.com/stevenjohnstone/afl-lua. I was trying it out on known vulnerabilities and verified that it could detect the issues flagged in CVE-2018-11218 with 0.4.0-0. I then tried to install the latest and greatest following the README instructions as a point of comparison and found the same bugs...because luarocks had installed the version 0.4.0-0 again 🤦

Turns out the README instructions need to be updated to install the correct version; luarocks should probably just fail when the specified source isn't found, but that's another issue. See #62 for a build instruction fix.

Would it be possible to tag another release and push it to luarocks?

BTW, fuzzer hasn't found any issues with the latest and greatest 👍
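The practical lesson of this report is that a successful `luarocks install` does not prove you got the version you asked for. The following is an added example, not code from the issue or from the project: a small POSIX sh check that reads the tab-separated output of `luarocks list --porcelain` (name, version, status, tree; that column layout is an assumption here) and confirms the rock is installed at the expected version. The rock name `lua-cmsgpack` and the listing contents are constructed sample data; only the version `0.4.0-0` and the CVE number come from the issue.

```shell
#!/bin/sh
# Added example (not the project's code): verify the rock luarocks actually
# installed instead of trusting the install command's exit status.

# Constructed sample of `luarocks list --porcelain` output for offline use.
# Assumed column order: name, version, status, tree (tab-separated).
# The rock name "lua-cmsgpack" is an assumption; 0.4.0-0 is the version the
# issue reports as still affected by CVE-2018-11218.
SAMPLE_LIST=$(printf 'lua-cmsgpack\t0.4.0-0\tinstalled\t/usr/local/lib/luarocks/rocks-5.3\nluasocket\t3.0rc1-2\tinstalled\t/usr/local/lib/luarocks/rocks-5.3\n')

# installed_version NAME LISTING
#   Prints the version of NAME that LISTING reports as installed, or nothing.
installed_version() {
    printf '%s\n' "$2" | awk -F '\t' -v name="$1" \
        '$1 == name && $3 == "installed" { print $2; exit }'
}

# check_rock_version NAME EXPECTED LISTING
#   Returns 0 only when NAME is installed at exactly EXPECTED; returns 1 when
#   the rock is missing or a different version was silently installed.
check_rock_version() {
    v=$(installed_version "$1" "$3")
    if [ -n "$v" ] && [ "$v" = "$2" ]; then
        return 0
    fi
    printf 'expected %s %s, found "%s"\n' "$1" "$2" "${v:-<not installed>}" >&2
    return 1
}

# Live usage (not executed here): fail the build if the wrong version landed.
#   check_rock_version lua-cmsgpack "$WANTED_VERSION" "$(luarocks list --porcelain)" || exit 1
```

Run this right after the install step in a build script so that a fallback to an older rock, like the one described above, breaks the build instead of passing unnoticed.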

@stevenjohnstone (Author)

It appears that the rock uploaded to https://luarocks.org/dev predates 7b989b5#diff-5775114da613405f773d31b7d96775b6 so doesn't install correctly.

@adriweb

adriweb commented Nov 19, 2020

@antirez Any hope to have a new release on luarocks? Thanks.

@Trendyne

Trendyne commented Sep 6, 2022

+1
