Bug 15685

The upstream bug report is not public yet it seems [1], so I can't see if there is a backportable patch for the 1.10.x branch in Mageia 4. Saved games from 1.10.x are not officially supported in the new 1.12.x stable branch, so I'd like to avoid jumping branch if possible.

I'll see how other distros handle it, and what upstream says about it.

[1] https://gna.org/bugs/?23440

CC: (none) => luigiwalser

Upstream directed me towards the patch that I needed to backport [1], so I've pushed it for the Mageia 4 update candidate after rediffing the changelog part.

Freeze push request done for wesnoth 1.12.2 in Mageia 5.

[1] https://github.com/wesnoth/wesnoth/commit/af61f9fdd15cd439da9e2fe5fa39d174c923eaae

Suggested advisory:
===================

Updated wesnoth packages fix security vulnerability

  A severe security vulnerability in Battle of Wesnoth's game client was found
  which could allow a malicious user to obtain personal files and information
  from other players in networked multiplayer games using the built-in WML/Lua
  API on any platform (CVE-2015-0844).

  Upstream announces that all content currently on the official Wesnoth.org
  add-ons server (add-ons.wesnoth.org) has been inspected to confirm that none
  of it exploits this vulnerability.

References:
===========
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0844
 - http://forums.wesnoth.org/viewtopic.php?t=41872
 - https://github.com/wesnoth/wesnoth/commit/af61f9fdd15cd439da9e2fe5fa39d174c923eaae

SRPM:
=====
 - wesnoth-1.10.7-2.1.mga4

RPMs:
=====
wesnoth-1.10.7-2.1.mga4
wesnoth-data-1.10.7-2.1.mga4.noarch
wesnoth-server-1.10.7-2.1.mga4

Assignee: rverschelde => qa-bugs
QA Contact: (none) => rverschelde

Upstream has a PoC but it's not public yet, so we'll have to trust them on this one and simply check for obvious regressions in the game.

To test the game, install the update candidate a start a campaign scenario, make sure that everything looks functional (the patch is small so you don't need to play for hours, unless you get hooked up :p).
It would be nice to test the networking code too, e.g. by downloading an addon using the in-game addon manager, and maybe trying a multiplayer game. If you don't want to spoil a game of real players, you can try starting a server and joining it with the client.

Whiteboard: MGA4TOO => MGA4TOO has_procedure

Above procedure is the "if we had time" procedure though. With the RC ISOs + the updates backlog, you shouldn't spend more than 5 minutes on this one IMO.

Setting version to Mageia 4, following updates policy.

CC: (none) => stormi
Version: Cauldron => 4
Whiteboard: MGA4TOO has_procedure => has_procedure

AFAIK as long as the bug is not fixed in Cauldron, the version should stay on Cauldron. But let's use MGA5TOO for now.

Whiteboard: has_procedure => has_procedure MGA5TOO

Started a campaign, updated an add-on, joined a game as an observer (and got many desynchronisation errors, but maybe it was due to a missing addon), joined another game as an observer : all fine. 

Minus this desync error, everything ok.

Update pushed to Mageia 5.

Whiteboard: has_procedure MGA5TOO MGA4-64-OK => has_procedure MGA4-64-OK

Debian has issued an advisory for this on April 10:
https://www.debian.org/security/2015/dsa-3218

URL: (none) => http://lwn.net/Vulnerabilities/640170/

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK => has_procedure advisory MGA4-64-OK
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0154.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED