Game maps can in cube2-engine games be transmitted either from server to client or from client to client, which includes a config file (mapname.cfg) which is in "cubescript" format, this makes it possible for an attacker to send a malign script via a new map (which must be chosen by admin on a server, or created in cooperative editing mode). A script like this could trivially read/write to any files which the user running the client has access to (it is executed when the client loads the map). Patch: The patch stops "textedit" commands being able to be run in map-run scripts, thus disabling the ability to read/write to user files. Reproducible: Always
Created attachment 320962 [details, diff] File access security fix
Marking INVALID: games-fps/redeclipse is not in the main tree and we don't handle packages in the gamerlay overlay.