| Summary: | crawl new security issue CVE-2020-11722 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, rverschelde, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | crawl-0.24.0-2.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2020-04-28 03:04:34 CEST
Looks like upstream released 0.24.1 (and lots of other patch releases for older branches) to fix this, but did not formally announce them/make tarballs. I made my own tarball for 0.24.1.

Fixed in crawl-0.24.1-1.mga8.

Mageia 7 advisory:
==================

Updated crawl packages fix security vulnerability

crawl 0.24.0 and earlier are subject to possible remote code evaluation with lua loadstring (CVE-2020-11722).

This update fixes it, also updating crawl from version 0.23.2 to 0.24.1, with the following main gameplay changes:
* Vampire species simplified
* Thrown weapons streamlined
* Fedhas reimagined
* Sif Muna reworked

References:
- https://lists.opensuse.org/opensuse-updates/2020-04/msg00113.html
- https://raw.githubusercontent.com/crawl/crawl/stone_soup-0.24/crawl-ref/docs/changelog.txt

SRPM in core/updates_testing:
=============================
crawl-0.24.1-1.mga7

RPMs in core/updates_testing:
=============================
crawl-common-data-0.24.1-1.mga7.noarch
crawl-console-0.24.1-1.mga7
crawl-tiles-0.24.1-1.mga7

Testing procedure:
==================

Crawl is a traditional roguelike game, that comes in two variants: ASCII (crawl-console) and 2D tiles (crawl-tiles). The latter might be easier to test for those who are not die-hard roguelike players ;)

Check that the game starts, start "Dungeon Crawl" with any selection of character (pressing "Enter" will just select whatever was pre-selected). You can move around with numpad keys or mouse clicks, walk on objects to fetch them, see your inventory with "i", bump into enemies to attack (and likely die fast ;)).

QA Contact: security => rverschelde

After discussing with upstream, it seems that they plan a 0.24.2 fixing more security concerns, but there's no clear ETA yet, it might be up to a month. They advised me to package the stone_soup-0.24 branch directly which is 0.24.1 + 8 additional commits, 3 fixing related security concerns.

Fixed in crawl-0.24.1-2.ga250c9d538.1.mga8.

Mageia 7 advisory:
==================

Updated crawl packages fix security vulnerability

crawl 0.24.0 and earlier are subject to possible remote code evaluation with lua loadstring (CVE-2020-11722).

This update fixes it, also updating crawl from version 0.23.2 to 0.24.1, with the following main gameplay changes:
* Vampire species simplified
* Thrown weapons streamlined
* Fedhas reimagined
* Sif Muna reworked

References:
- https://lists.opensuse.org/opensuse-updates/2020-04/msg00113.html
- https://raw.githubusercontent.com/crawl/crawl/0.24.1/crawl-ref/docs/changelog.txt
- https://github.com/crawl/crawl/commits/a250c9d538d3db384407f7e61470e8ec65ad5b83

SRPM in core/updates_testing:
=============================
crawl-0.24.1-2.ga250c9d538.1.mga7

RPMs in core/updates_testing:
=============================
crawl-common-data-0.24.1-2.ga250c9d538.1.mga7.noarch
crawl-console-0.24.1-2.ga250c9d538.1.mga7
crawl-tiles-0.24.1-2.ga250c9d538.1.mga7

David Walser
2020-04-28 12:18:47 CEST
QA Contact: rverschelde => security

MGA7-64 Plasma on Lenovo B50
No installation issues.
Used
$ crawl
no feedback on the CLI, got into the tutorial for one level, worked OK. Tried different key combinations, and they all did something on options etc... before I managed to get out.
Good enough for me.

Whiteboard: (none) => MGA7-64-OK

Validating. Correct advisory in Comment 2.

Keywords: (none) => validated_update

Thomas Backlund
2020-05-05 10:18:09 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0190.html

Resolution: (none) => FIXED