| Summary: | wesnoth new security issue CVE-2015-5069, CVE-2015-5070 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, lewyssmith, rverschelde, stormi-mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/650132/ | | |
| Whiteboard: | MGA4TOO advisory MGA4-64-OK MGA5-64-OK MGA4-32-OK | | |
| Source RPM: | wesnoth-1.12.2-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2015-06-25 14:57:14 CEST
David Walser
2015-06-25 14:57:25 CEST
CC:
(none) =>
rverschelde
Rémi Verschelde
2015-06-25 15:23:36 CEST
CC:
(none) =>
stormi

Updated packages pushed for Mageia 4, Mageia 5 and Cauldron. I'll do separate advisories for mga4 and mga5 as the mga4 update only contains the security fix, while the mga5 update will also be a bugfix release.

It actually looks like two CVEs were assigned: http://openwall.com/lists/oss-security/2015/06/25/12

I've only referenced CVE-2015-5069 in my patch names and commit logs though, but the advisories will probably be enough for the second CVE.

Summary:
wesnoth new security issue CVE-2015-5069 =>
wesnoth new security issue CVE-2015-5069, CVE-2015-5070

Mageia 4 RPMs:
==============
wesnoth-1.10.7-2.2.mga4
wesnoth-data-1.10.7-2.2.mga4.noarch
wesnoth-server-1.10.7-2.2.mga4

Mageia 5 RPMs:
==============
wesnoth-1.12.3-1.mga5
wesnoth-data-1.12.3-1.mga5.noarch
wesnoth-server-1.12.3-1.mga5

Advisories will come in a few hours.

Assignee:
rverschelde =>
qa-bugs

(In reply to Rémi Verschelde from comment #2)
> It actually looks like two CVEs were assigned:
> http://openwall.com/lists/oss-security/2015/06/25/12
>
> I've only referenced CVE-2015-5069 in my patch names and commit logs though,
> but the advisories will probably be enough for the second CVE.

Only CVE-2015-5069 affects us, because we had never shipped the partial fix in 1.12.3.

Summary:
wesnoth new security issue CVE-2015-5069, CVE-2015-5070 =>
wesnoth new security issue CVE-2015-5069

wesnoth-1.12.3-1.mga6 uploaded for Cauldron.

Version:
Cauldron =>
5

(In reply to David Walser from comment #4)
> Only CVE-2015-5069 affects us, because we had never shipped the partial fix
> in 1.12.3.

Ah ok, thanks for the clarification :)

Upstream released another bugfix for the 1.12.x branch yesterday (1.12.4) which contains the complete fix for the security issue, so I'll push those for Mageia 5 and Cauldron.

Please test only the Mageia 4 update candidate for now.

The Mageia 5 RPMs are now ready to test:

Mageia 5 RPMs:
==============
wesnoth-1.12.4-1.mga5
wesnoth-data-1.12.4-1.mga5.noarch
wesnoth-server-1.12.4-1.mga5

Mageia 4, suggested advisory:
=============================

Updated wesnoth packages fix security vulnerability

Toom Lõhmus discovered that the Lua API and preprocessor in the Battle for Wesnoth game up to version 1.12.2 included could lead to client-side authentication information disclosure using maliciously crafted files with the .pdb extension (CVE-2015-5069).

This issue has been fixed using patches from upstream's 1.10.x branch.

References:
- http://openwall.com/lists/oss-security/2015/06/25/12
- https://github.com/wesnoth/wesnoth/commit/055fea16479a755d6744a52f78f63548b692c440
- https://github.com/wesnoth/wesnoth/commit/d20f8015bc3653a10d6d4dfd751e62651d1180b7

Mageia 5, suggested advisory:
=============================

Updated wesnoth packages fix security vulnerability

Toom Lõhmus discovered that the Lua API and preprocessor in the Battle for Wesnoth game up to version 1.12.2 included could lead to client-side authentication information disclosure using maliciously crafted files with the .pdb extension (CVE-2015-5069).

This issue has been fixed in version 1.12.4, which also provides a number of engine and gameplay-related bug fixes. See the referenced code and player changelogs for a detailed listing.
References:
- http://openwall.com/lists/oss-security/2015/06/25/12
- https://github.com/wesnoth/wesnoth/blob/bebd642f7d0b141dd9f0e4b0a566f5b07db6816b/changelog
- https://github.com/wesnoth/wesnoth/blob/bebd642f7d0b141dd9f0e4b0a566f5b07db6816b/players_changelog

To add to the references:

Both:
- http://forums.wesnoth.org/viewtopic.php?t=42776

Mageia 5:
- http://forums.wesnoth.org/viewtopic.php?t=42775

@David: Upstream seems to say that version 1.12.2 was vulnerable to the two CVEs:

"Version 1.12.2: CVE-2015-5069, CVE-2015-5070 (disclosure of .pbl files with lowercase, uppercase, and mixed-case extension)"

Actually, rereading the openwall topic, I think they're right:

"Use CVE-2015-5069 for the vulnerability in versions before 1.12.3 that allowed access upon supplying a pathname ending in .pbl (lowercase)."

CVE-2015-5069 is only for the lowercase variant, so we also need to name CVE-2015-5069 which caters for the uppercase and mixed-case variant.

Summary:
wesnoth new security issue CVE-2015-5069 =>
wesnoth new security issue CVE-2015-5069, CVE-2015-5070

Advisories uploaded as 16208.{mga4,mga5}.adv

Whiteboard:
MGA4TOO =>
MGA4TOO advisory
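
The lowercase-only versus any-case distinction between the two CVEs discussed above, as an added example that is not part of the original thread and is not Wesnoth's code. It assumes the filter is a suffix comparison on the requested path; all function names and sample paths are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Illustrative only: helper names and sample paths are constructed,
// not taken from the Wesnoth source tree.

// True when `s` ends with `suffix` (byte-for-byte, case-sensitive).
static bool ends_with(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           std::equal(suffix.rbegin(), suffix.rend(), s.rbegin());
}

// Incomplete filter: rejects only the exact lowercase ".pbl" suffix.
bool blocked_lowercase_only(const std::string& path) {
    return ends_with(path, ".pbl");
}

// Complete filter: normalises case first, so .PBL and .Pbl are rejected too.
bool blocked_any_case(const std::string& path) {
    std::string lowered(path);
    std::transform(lowered.begin(), lowered.end(), lowered.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return ends_with(lowered, ".pbl");
}

// Returns the paths that a given filter lets through.
template <typename Filter>
std::vector<std::string> allowed(const std::vector<std::string>& paths, Filter f) {
    std::vector<std::string> out;
    for (const auto& p : paths)
        if (!f(p)) out.push_back(p);
    return out;
}

// Constructed sample requests: one harmless file and three spellings of .pbl.
const std::vector<std::string> kSamples = {
    "addon/_main.cfg", "addon/addon.pbl", "addon/addon.PBL", "addon/addon.Pbl"};

int main() {
    for (const auto& p : allowed(kSamples, blocked_lowercase_only))
        std::cout << "lowercase-only filter allows: " << p << '\n';
    for (const auto& p : allowed(kSamples, blocked_any_case))
        std::cout << "any-case filter allows: " << p << '\n';
}
```
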
David Walser
2015-07-04 02:52:01 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/650132/

Testing MGA4 x64

BEFORE:
Installed:
wesnoth-1.10.7-2.1.mga4
wesnoth-data-1.10.7-2.1.mga4
from normal repos; but *not* the server. Note that the database is a huge download.
Played with it minimally (Tutorial) to see that it basically worked.

AFTER:
Updated from Updates Testing to:
wesnoth-data-1.10.7-2.2.mga4
wesnoth-1.10.7-2.2.mga4
Again, the database is a huge download.
Played with it a little (Tutorial), no problems perceived. The update deemed OK.

CC:
(none) =>
lewyssmith

Works well in Mageia 5 64.

As was agreed, testing only one arch is OK to validate it until we reach a saner length for the list of updates candidates, and this is not a critical package. Thus, validating.

Whiteboard:
MGA4TOO advisory MGA4-64-OK =>
MGA4TOO advisory MGA4-64-OK MGA5-64-OK

MGA4-32 on AcerD6620 Xfce.

No installation issues. I can open wesnoth and start the tutorial and do a few moves.

I also tried to start a local wesnoth server, but I get an error "217" in systemctl status. I didn't find much info on such a setup, so I give up.

The basic game playing seems to work OK.

CC:
(none) =>
herman.viaene

> I also tried to start a local wesnoth server, but I get an error "217" in systemctl status. I didn't find much info on such a setup, so I give up.

Yes I think the wesnothd service is quite broken in the Mageia 4 package, IIRC I dropped it for Mageia 5.

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0282.html

Status:
NEW =>
RESOLVED

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0283.html