Fedora has issued an advisory today (June 15): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X3XW5S2QDOYDDASTBE6GBXO7SQK45NHF/ The issue is fixed upstream in 3.14. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
freedink-dfarc-3.14-1.mga7 pushed to Cauldron. freedink-dfarc-3.14-1.mga6 pushed to Mageia 6 core/updates_testing.

Advisory:
=========

Updated freedink-dfarc package fixes security vulnerability

Sylvain Beucler and Dan Walma discovered several directory traversal issues in DFArc (as well as in RTsoft's Dink Smallwood HD / ProtonSDK version), allowing an attacker to overwrite arbitrary files on the user's system (CVE-2018-0496). This release fixes it, and brings translation updates.

References:
- https://savannah.gnu.org/forum/forum.php?forum_id=9169

RPM in core/updates_testing:
============================
freedink-dfarc-3.14-1.mga6

SRPM in core/updates_testing:
=============================
freedink-dfarc-3.14-1.mga6
Assignee: rverschelde => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Advisory uploaded.

Testing procedure:
==================

freedink-dfarc is a launcher for the game FreeDink (package 'freedink'), which lets you install, manage and edit "D-Mods", which are downloadable data packs to play alternative campaigns with the FreeDink engine.

Installing freedink-dfarc should pull in the freedink game and data, and running /usr/bin/freedink-dfarc should let you start the game with the "Dink Smallwood v1.08" data pack installed by default.

You can download D-Mods from http://www.dinknetwork.com/files/category_dmod/ (link available from DFArc) and use File > Open to copy them into DFArc's games path. The installed D-Mod can then be played, edited, or repacked into a new D-Mod after editing.
Keywords: (none) => advisory, has_procedure
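The advisory above describes the bug as directory traversal during D-Mod installation (archive members whose paths escape the games directory), and the testing procedure exercises installation through the GUI without reproducing it. The following is an added example, not DFArc's or FreeDink's code, of the check an installer needs: every archive member (and every link target) is resolved against the destination and the whole archive is refused if any member would land outside it. The D-Mod container format is not described on this page, so the example uses a tar archive as a stand-in; the member names (dmod/dmod.diz, ../../.bashrc, dmod/link) and file contents are constructed sample input.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path


def build_archive(entries):
    """Build an in-memory tar archive from {member_name: bytes or None}.

    A value of None makes the member a symlink whose target is given by
    the member name after '->'. Constructed stand-in for a downloaded
    D-Mod; the real D-Mod container format is not given on this page.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            if data is None:
                link_name, target = name.split("->")
                info = tarfile.TarInfo(name=link_name)
                info.type = tarfile.SYMTYPE
                info.linkname = target
                tar.addfile(info)
            else:
                info = tarfile.TarInfo(name=name)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a benign D-Mod, one with a "../" member (the pattern
# CVE-2018-0496 is about) and one whose symlink points outside the games dir.
GOOD_DMOD = build_archive({
    "dmod/dmod.diz": b"Nice Mod\n",
    "dmod/story/main.c": b"// story script\n",
})
EVIL_DMOD = build_archive({
    "dmod/dmod.diz": b"Evil Mod\n",
    "../../.bashrc": b"echo pwned\n",
})
LINK_DMOD = build_archive({
    "dmod/dmod.diz": b"Link Mod\n",
    "dmod/link->../../../../etc": None,
})


def is_within(base, target):
    """True if target, after normalising '..' and symlinks, stays under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def traversal_members(archive_bytes, dest):
    """Return the names of members that would be written outside dest."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            candidate = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not is_within(dest, candidate):
                bad.append(m.name)
                continue
            # Symlink targets are relative to the link's own directory;
            # hard link targets are relative to the archive root.
            if m.issym():
                target = os.path.join(os.path.dirname(candidate), m.linkname)
            elif m.islnk():
                target = os.path.join(dest, m.linkname)
            else:
                continue
            if os.path.isabs(m.linkname) or not is_within(dest, target):
                bad.append(m.name)
    return bad


def safe_extract(archive_bytes, dest):
    """Extract only when no member escapes dest; refuse the whole archive otherwise."""
    bad = traversal_members(archive_bytes, dest)
    if bad:
        raise ValueError(f"refusing to install D-Mod, traversal members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        # Belt and braces: newer Pythons also have their own 'data' filter.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    return sorted(p.relative_to(dest).as_posix()
                  for p in Path(dest).rglob("*") if p.is_file())


def audit(archive_bytes):
    """Scan an archive against a fresh games directory; returns offending names."""
    with tempfile.TemporaryDirectory() as games_dir:
        return traversal_members(archive_bytes, games_dir)


def extraction_refused(archive_bytes):
    """True if safe_extract rejects the archive, False if it installs it."""
    with tempfile.TemporaryDirectory() as games_dir:
        try:
            safe_extract(archive_bytes, games_dir)
        except ValueError:
            return True
        return False


def install_to_temp(archive_bytes):
    """Install into a throwaway games directory and list what landed there."""
    with tempfile.TemporaryDirectory() as games_dir:
        return safe_extract(archive_bytes, games_dir)


if __name__ == "__main__":
    for label, dmod in (("good", GOOD_DMOD), ("evil", EVIL_DMOD), ("link", LINK_DMOD)):
        print(label, "traversal members:", audit(dmod), "refused:", extraction_refused(dmod))
```

The check resolves the candidate path with realpath before comparing, so "../" segments, absolute member names and symlinks that point outside the games directory are all caught, and the archive is rejected as a whole rather than partially installed.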
I did a quick functionality test of freedink-dfarc-3.14-1.mga6 on Mageia 6 x86_64 and it seems to be working. The map editor doesn't seem very easy to use, but then it's a relatively old game :) I did not check how to reproduce the CVE and confirm that it was fixed, but since this package is a leaf application and potential regressions would not impact any critical workflow, I think it can be validated as is - but I'll let another QA member decide, as I did both the packaging and the testing so far.
Whiteboard: (none) => MGA6-64-OK
Thanks for your tests Rémi. Had a go myself. Checked the CVE but could not find any screen with "Package" on it, nor in Map-Edit. Updated and launched the game. Smallwood went looking for the pigsty, in the wrong direction and had to reverse. Found them and managed to persuade one pig to come out but could not figure out how to feed it. It does look as though it is working though. Seconding the OK and validating.
Whiteboard: MGA6-64-OK => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => tarazed25, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0287.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED