openSUSE has issued an advisory on April 25:
https://lists.opensuse.org/opensuse-updates/2020-04/msg00113.html

The issue is fixed upstream in 0.25. Mageia 7 is also affected.
Looks like upstream released 0.24.1 (and lots of other patch releases for older branches) to fix this, but did not formally announce them/make tarballs. I made my own tarball for 0.24.1.

Fixed in crawl-0.24.1-1.mga8.

Mageia 7 advisory:
==================

Updated crawl packages fix security vulnerability

crawl 0.24.0 and earlier are subject to possible remote code evaluation with lua loadstring (CVE-2020-11722).

This update fixes it, also updating crawl from version 0.23.2 to 0.24.1, with the following main gameplay changes:
* Vampire species simplified
* Thrown weapons streamlined
* Fedhas reimagined
* Sif Muna reworked

References:
- https://lists.opensuse.org/opensuse-updates/2020-04/msg00113.html
- https://raw.githubusercontent.com/crawl/crawl/stone_soup-0.24/crawl-ref/docs/changelog.txt

SRPM in core/updates_testing:
=============================
crawl-0.24.1-1.mga7

RPMs in core/updates_testing:
=============================
crawl-common-data-0.24.1-1.mga7.noarch
crawl-console-0.24.1-1.mga7
crawl-tiles-0.24.1-1.mga7

Testing procedure:
==================
Crawl is a traditional roguelike game that comes in two variants: ASCII (crawl-console) and 2D tiles (crawl-tiles). The latter might be easier to test for those who are not die-hard roguelike players ;)

Check that the game starts: start "Dungeon Crawl" with any selection of character (pressing "Enter" will just select whatever was pre-selected). You can move around with numpad keys or mouse clicks, walk on objects to fetch them, see your inventory with "i", bump into enemies to attack (and likely die fast ;)).

QA Contact: security => rverschelde
Version: Cauldron => 7
Assignee: rverschelde => qa-bugs
Keywords: (none) => has_procedure
After discussing with upstream, it seems that they plan a 0.24.2 fixing more security concerns, but there's no clear ETA yet; it might be up to a month. They advised me to package the stone_soup-0.24 branch directly, which is 0.24.1 + 8 additional commits, 3 fixing related security concerns.

Fixed in crawl-0.24.1-2.ga250c9d538.1.mga8.

Mageia 7 advisory:
==================

Updated crawl packages fix security vulnerability

crawl 0.24.0 and earlier are subject to possible remote code evaluation with lua loadstring (CVE-2020-11722).

This update fixes it, also updating crawl from version 0.23.2 to 0.24.1, with the following main gameplay changes:
* Vampire species simplified
* Thrown weapons streamlined
* Fedhas reimagined
* Sif Muna reworked

References:
- https://lists.opensuse.org/opensuse-updates/2020-04/msg00113.html
- https://raw.githubusercontent.com/crawl/crawl/0.24.1/crawl-ref/docs/changelog.txt
- https://github.com/crawl/crawl/commits/a250c9d538d3db384407f7e61470e8ec65ad5b83

SRPM in core/updates_testing:
=============================
crawl-0.24.1-2.ga250c9d538.1.mga7

RPMs in core/updates_testing:
=============================
crawl-common-data-0.24.1-2.ga250c9d538.1.mga7.noarch
crawl-console-0.24.1-2.ga250c9d538.1.mga7
crawl-tiles-0.24.1-2.ga250c9d538.1.mga7

QA Contact: rverschelde => security
CC: (none) => rverschelde
MGA7-64 Plasma on Lenovo B50

No installation issues.

Used
$ crawl
No feedback on the CLI; got into the tutorial for one level, worked OK. Tried different key combinations, and they all did something on options etc. before I managed to get out. Good enough for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Correct advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0190.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED