Debian-LTS alert DLA-297-1 (wesnoth-1.8)
From: Thorsten Alteholz <debian@alteholz.de>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 297-1] wesnoth-1.8 security update
Date: Sat, 22 Aug 2015 11:19:10 +0200 (CEST)
Message-ID: <alpine.DEB.2.02.1508221117410.8748@jupiter.server.alteholz.net>

Package        : wesnoth-1.8
Version        : 1:1.8.5-1+deb6u2
CVE ID         : CVE-2015-5069 CVE-2015-5070

Wesnoth implements a text preprocessing language that is used in
conjunction with its own game scripting language. It also has a
built-in Lua interpreter and API.
Both the Lua API and the preprocessor make use of the same function
(filesystem::get_wml_location()) to resolve file paths so that only
content from the user's data directory can be read.

However, the function did not explicitly disallow files with the .pbl
extension. The contents of these files could thus be stored in saved
game files or even transmitted directly to other users in a networked
game. Among the information that's compromised is a user-defined
passphrase used to authenticate uploads to the game's content server.
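
The class of check the advisory describes, as an added C++ example (not Wesnoth's code and not the Debian patch): a resolver that confines script-supplied paths to the data directory and also refuses `.pbl` files. The names `resolve_wml_path`, `has_extension`, `has_parent_component`, the `deny_pbl` switch and the sample paths are assumptions, and the confinement logic is a simplified lexical stand-in for whatever `filesystem::get_wml_location()` does.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical helper names; this is not Wesnoth's get_wml_location().

// Case-insensitive suffix test, so "_server.PBL" is caught as well.
// `ext` must be given in lower case.
static bool has_extension(const std::string& name, const std::string& ext) {
    if (name.size() < ext.size()) return false;
    return std::equal(ext.rbegin(), ext.rend(), name.rbegin(),
        [](char e, char n) {
            return e == static_cast<char>(
                std::tolower(static_cast<unsigned char>(n)));
        });
}

// True if any '/'- or '\\'-separated component equals "..".
static bool has_parent_component(const std::string& path) {
    std::string::size_type start = 0;
    while (start <= path.size()) {
        std::string::size_type end = path.find_first_of("/\\", start);
        if (end == std::string::npos) end = path.size();
        if (path.compare(start, end - start, "..") == 0) return true;
        start = end + 1;
    }
    return false;
}

// Resolve a script-supplied relative path under data_dir.
// Returns an empty string when the request must be refused.
// deny_pbl=false models the pre-fix behaviour the advisory describes:
// the path stays inside the data directory, yet a .pbl file is served.
std::string resolve_wml_path(const std::string& data_dir,
                             const std::string& requested,
                             bool deny_pbl = true) {
    if (requested.empty() || requested[0] == '/' || requested[0] == '\\')
        return "";                   // absolute paths leave the data dir
    if (has_parent_component(requested))
        return "";                   // so does any ".." component
    if (deny_pbl && has_extension(requested, ".pbl"))
        return "";                   // .pbl holds the upload passphrase
    return data_dir + "/" + requested;
}
```

Directory confinement alone does not protect a secret that is stored inside the permitted directory, which is why the extension check is a separate condition.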