Bug 23338

Summary: wesnoth new security issue CVE-2018-1999023
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: stormi-mageia, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: wesnoth-1.14.3-1.mga6 CVE:
Status comment:

Description David Walser 2018-07-22 18:09:18 CEST 
A security issue in wesnoth has been fixed and assigned a CVE:
http://openwall.com/lists/oss-security/2018/07/22/1

The issue was fixed upstream in 1.14.4.

I don't know if any other games are affected (it sounds like it could be a more general problem with lua scripting engines) like corsixth (whose author apparently reported the issue).

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-07-22 18:09:32 CEST

CC: (none) => stormi-mageia
Whiteboard: (none) => MGA6TOO

Comment 1 Rémi Verschelde 2018-07-23 18:40:46 CEST 
wesnoth-1.14.4-1.mga7 pushed to Cauldron, wesnoth-1.14.4-1.mga7 to 6 core/updates_testing.

> I don't know if any other games are affected (it sounds like it could be 
> a more general problem with lua scripting engines) like corsixth (whose author
> apparently reported the issue).

I'll do some research about this.

Advisory:
=========

Updated wesnoth packages fix security vulnerability

  The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a Code
  Injection vulnerability in the Lua scripting engine that can result in code
  execution outside the sandbox. This attack appear to be exploitable via
  Loading specially-crafted saved games, networked games, replays, and player
  content (CVE-2018-1999023).

  This is fixed in version 1.14.4, together with several non-security-related
  bug fixes and enhancements.

References:
 - https://github.com/wesnoth/wesnoth/blob/1.14.4/changelog.md
 - http://openwall.com/lists/oss-security/2018/07/22/1
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999023


RPMs in core/updates_testing:
=============================

wesnoth-1.14.4-1.mga6
wesnoth-data-1.14.4-1.mga6.noarch
wesnoth-server-1.14.4-1.mga6

SRPM in core/updates_testing:
=============================

wesnoth-1.14.4-1.mga6

Version: Cauldron => 6
Source RPM: wesnoth-1.14.3-1.mga7.src.rpm => wesnoth-1.14.3-1.mga6
Whiteboard: MGA6TOO => (none)

Rémi Verschelde 2018-07-23 18:42:03 CEST

Assignee: rverschelde => qa-bugs

Comment 2 Rémi Verschelde 2018-07-24 09:33:21 CEST 
Tested OK on Mageia 6 x86_64, the game runs fine and could still load my saved games from an earlier version.

Whiteboard: (none) => MGA6-64-OK

Comment 3 Rémi Verschelde 2018-07-24 09:34:27 CEST 
Advisory uploaded, validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2018-07-25 10:25:37 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0325.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED