A CVE has been assigned for a security issue fixed upstream in wesnoth: http://openwall.com/lists/oss-security/2015/06/25/12 The two upstream commits needed to fix the issue are linked in the message above. Mageia 4 and Mageia 5 are also affected.
CC: (none) => rverschelde
Whiteboard: (none) => MGA5TOO, MGA4TOO
CC: (none) => stormi
Assignee: stormi => rverschelde
Updated packages pushed for Mageia 4, Mageia 5 and Cauldron. I'll do separate advisories for mga4 and mga5 as the mga4 update only contains the security fix, while the mga5 update will also be a bugfix release.
It actually looks like two CVEs were assigned: http://openwall.com/lists/oss-security/2015/06/25/12 I've only referenced CVE-2015-5069 in my patch names and commit logs though, but the advisories will probably be enough for the second CVE.
Summary: wesnoth new security issue CVE-2015-5069 => wesnoth new security issue CVE-2015-5069, CVE-2015-5070
Mageia 4 RPMs:
==============
wesnoth-1.10.7-2.2.mga4
wesnoth-data-1.10.7-2.2.mga4.noarch
wesnoth-server-1.10.7-2.2.mga4

Mageia 5 RPMs:
==============
wesnoth-1.12.3-1.mga5
wesnoth-data-1.12.3-1.mga5.noarch
wesnoth-server-1.12.3-1.mga5

Advisories will come in a few hours.
Assignee: rverschelde => qa-bugs
(In reply to Rémi Verschelde from comment #2)
> It actually looks like two CVEs were assigned:
> http://openwall.com/lists/oss-security/2015/06/25/12
>
> I've only referenced CVE-2015-5069 in my patch names and commit logs though,
> but the advisories will probably be enough for the second CVE.

Only CVE-2015-5069 affects us, because we had never shipped the partial fix in 1.12.3.
Summary: wesnoth new security issue CVE-2015-5069, CVE-2015-5070 => wesnoth new security issue CVE-2015-5069
wesnoth-1.12.3-1.mga6 uploaded for Cauldron.
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
(In reply to David Walser from comment #4)
> Only CVE-2015-5069 affects us, because we had never shipped the partial fix
> in 1.12.3.

Ah ok, thanks for the clarification :)
Upstream released another bugfix for the 1.12.x branch yesterday (1.12.4) which contains the complete fix for the security issue, so I'll push those for Mageia 5 and Cauldron. Please test only the Mageia 4 update candidate for now.
The Mageia 5 RPMs are now ready to test:

Mageia 5 RPMs:
==============
wesnoth-1.12.4-1.mga5
wesnoth-data-1.12.4-1.mga5.noarch
wesnoth-server-1.12.4-1.mga5

Mageia 4, suggested advisory:
=============================
Updated wesnoth packages fix security vulnerability

Toom Lõhmus discovered that the Lua API and preprocessor in the Battle for Wesnoth game up to version 1.12.2 included could lead to client-side authentication information disclosure using maliciously crafted files with the .pdb extension (CVE-2015-5069).

This issue has been fixed using patches from upstream's 1.10.x branch.

References:
- http://openwall.com/lists/oss-security/2015/06/25/12
- https://github.com/wesnoth/wesnoth/commit/055fea16479a755d6744a52f78f63548b692c440
- https://github.com/wesnoth/wesnoth/commit/d20f8015bc3653a10d6d4dfd751e62651d1180b7

Mageia 5, suggested advisory:
=============================
Updated wesnoth packages fix security vulnerability

Toom Lõhmus discovered that the Lua API and preprocessor in the Battle for Wesnoth game up to version 1.12.2 included could lead to client-side authentication information disclosure using maliciously crafted files with the .pdb extension (CVE-2015-5069).

This issue has been fixed in version 1.12.4, which also provides a number of engine and gameplay-related bug fixes. See the referenced code and player changelogs for a detailed listing.

References:
- http://openwall.com/lists/oss-security/2015/06/25/12
- https://github.com/wesnoth/wesnoth/blob/bebd642f7d0b141dd9f0e4b0a566f5b07db6816b/changelog
- https://github.com/wesnoth/wesnoth/blob/bebd642f7d0b141dd9f0e4b0a566f5b07db6816b/players_changelog
To add to the references:

Both:
- http://forums.wesnoth.org/viewtopic.php?t=42776

Mageia 5:
- http://forums.wesnoth.org/viewtopic.php?t=42775

@David: Upstream seems to say that version 1.12.2 was vulnerable to the two CVEs: "Version 1.12.2: CVE-2015-5069, CVE-2015-5070 (disclosure of .pbl files with lowercase, uppercase, and mixed-case extension)"

Actually, rereading the openwall topic, I think they're right: "Use CVE-2015-5069 for the vulnerability in versions before 1.12.3 that allowed access upon supplying a pathname ending in .pbl (lowercase)."

CVE-2015-5069 is only for the lowercase variant, so we also need to name CVE-2015-5069 which caters for the uppercase and mixed-case variant.
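An added illustration of the distinction quoted in the comment above (not Wesnoth's code and not part of this report): an extension denylist that compares the suffix byte for byte stops only the lowercase `.pbl` form, while comparing after case folding also stops the uppercase and mixed-case forms. All function names and sample paths are constructed for this example.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper: true if `path` ends with `suffix`, compared byte for byte.
static bool ends_with_exact(const std::string& path, const std::string& suffix) {
    return path.size() >= suffix.size() &&
           path.compare(path.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// ASCII-only lower-casing, so the result does not depend on the process locale.
static std::string ascii_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
        return (c >= 'A' && c <= 'Z') ? static_cast<char>(c - 'A' + 'a')
                                      : static_cast<char>(c);
    });
    return s;
}

// Partial check: refuses only pathnames ending in lowercase ".pbl".
bool blocked_lowercase_only(const std::string& path) {
    return ends_with_exact(path, ".pbl");
}

// Complete check: refuses ".pbl" in any letter case.
bool blocked_any_case(const std::string& path) {
    return ends_with_exact(ascii_lower(path), ".pbl");
}

// Paths the partial check would let through although the complete check refuses them.
std::vector<std::string> slipped_through(const std::vector<std::string>& paths) {
    std::vector<std::string> out;
    for (const auto& p : paths)
        if (!blocked_lowercase_only(p) && blocked_any_case(p)) out.push_back(p);
    return out;
}

// Constructed sample pathnames (not taken from the report).
const std::vector<std::string> kSamplePaths = {
    "example_addon/upload.pbl", "example_addon/upload.PBL",
    "example_addon/upload.Pbl", "example_addon/_main.cfg", "bl"};

int main() {
    for (const auto& p : slipped_through(kSamplePaths))
        std::cout << "passes lowercase-only check: " << p << "\n";
    return 0;
}
```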
Advisories uploaded as 16208.{mga4,mga5}.adv
Whiteboard: MGA4TOO => MGA4TOO advisory
URL: (none) => http://lwn.net/Vulnerabilities/650132/
Testing MGA4 x64

BEFORE:
Installed:
wesnoth-1.10.7-2.1.mga4
wesnoth-data-1.10.7-2.1.mga4
from normal repos; but *not* the server. Note that the database is a huge download. Played with it minimally (Tutorial) to see that it basically worked.

AFTER:
Updated from Updates Testing to:
wesnoth-data-1.10.7-2.2.mga4
wesnoth-1.10.7-2.2.mga4
Again, the database is a huge download. Played with it a little (Tutorial), no problems perceived. The update deemed OK.
CC: (none) => lewyssmith
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-64-OK
Works well in Mageia 5 64. As was agreed, testing only one arch is OK to validate it until we reach a saner length for the list of updates candidates, and this is not a critical package. Thus, validating.
Whiteboard: MGA4TOO advisory MGA4-64-OK => MGA4TOO advisory MGA4-64-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
MGA4-32 on AcerD6620 Xfce. No installation issues. I can open wesnoth and start the tutorial and do a few moves. I also tried to start a local wesnoth server, but I get an error "217" in systemctl status. I didn't find much info on such a setup, so I give up. The basic game playing seems to work OK.
CC: (none) => herman.viaene
Whiteboard: MGA4TOO advisory MGA4-64-OK MGA5-64-OK => MGA4TOO advisory MGA4-64-OK MGA5-64-OK MGA4-32-OK
> I also tried to start a local wesnoth server, but I get an error "217" in systemctl status. I didn't find much info on such a setup, so I give up.

Yes I think the wesnothd service is quite broken in the Mageia 4 package, IIRC I dropped it for Mageia 5.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0282.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0283.html