lua-cmsgpack

Version installed from luarocks vulnerable to CVE-2018-11218

Open stevenjohnstone opened this issue 4 years ago • 3 comments

I've made a fuzzer for lua: https://github.com/stevenjohnstone/afl-lua. I was trying it out on known vulnerabilities and verified that it could detect the issues flagged in CVE-2018-11218 with 0.4.0-0. I then tried to install the latest and greatest following the README instructions as a point of comparison and found the same bugs...because luarocks had installed the version 0.4.0-0 again 🤦

Turns out the README instructions need to be updated to install the correct version; luarocks probably should just fail when the specified source isn't found but that's another issue. See #62 for a build instruction fix.

Would it be possible to tag another release and push it to luarocks?

BTW, fuzzer hasn't found any issues with the latest and greatest 👍

stevenjohnstone, Aug 08 '20 15:08

It appears that the rock uploaded to https://luarocks.org/dev predates https://github.com/antirez/lua-cmsgpack/commit/7b989b5b1c2523ae636c41a48c46a8516a0bb1e1#diff-5775114da613405f773d31b7d96775b6 so doesn't install correctly.

stevenjohnstone, Aug 14 '20 16:08

@antirez Any hope to have a new release on luarocks? Thanks.

adriweb, Nov 19 '20 18:11

+1

Trendyne, Sep 06 '22 15:09