antirez / lua-cmsgpack

A self contained Lua MessagePack C implementation.

Version installed from luarocks vulnerable to CVE-2018-11218 #63

Open stevenjohnstone opened 4 years ago

stevenjohnstone commented 4 years ago

I've made a fuzzer for Lua: https://github.com/stevenjohnstone/afl-lua. I was trying it out on known vulnerabilities and verified that it could detect the issues flagged in CVE-2018-11218 with 0.4.0-0. I then tried to install the latest and greatest following the README instructions as a point of comparison and found the same bugs... because luarocks had installed the version 0.4.0-0 again 🤦

Turns out the README instructions need to be updated to install the correct version; luarocks should probably just fail when the specified source isn't found, but that's another issue. See #62 for a build instruction fix.

Would it be possible to tag another release and push it to luarocks?

BTW, fuzzer hasn't found any issues with the latest and greatest 👍

stevenjohnstone commented 4 years ago

It appears that the rock uploaded to https://luarocks.org/dev predates https://github.com/antirez/lua-cmsgpack/commit/7b989b5b1c2523ae636c41a48c46a8516a0bb1e1#diff-5775114da613405f773d31b7d96775b6 so doesn't install correctly.

adriweb commented 3 years ago

@antirez Any hope to have a new release on luarocks? Thanks.

Trendyne commented 2 years ago

+1