CVE-2020-14938: An issue was discovered in map.c in FreedroidRPG 1.0rc2. It assumes lengths of data sets read from saved game files. It copies data from a file into a fixed-size heap-allocated buffer without size verification, leading to a heap-based buffer overflow.

CVE-2020-14939: An issue was discovered in savestruct_internal.c in FreedroidRPG 1.0rc2. Saved game files are composed of Lua scripts that recover a game's state. A file can be modified to put any Lua code inside, leading to arbitrary code execution while loading.
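An added illustration of the bug class in the CVE-2020-14938 description, with the missing size verification beside it; this is not FreedroidRPG's code or the upstream fix. The record layout, `LEVEL_CELLS`, the sample records and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define LEVEL_CELLS 16 /* hypothetical fixed capacity of the destination buffer */

/* Constructed record layout (an assumption, not the game's save format):
 * 4-byte little-endian cell count, followed by that many 1-byte cells. */
static const uint8_t REC_OK[]        = {3, 0, 0, 0, 'a', 'b', 'c'};
static const uint8_t REC_OVERSIZE[]  = {64, 0, 0, 0, 'a'};     /* claims 64 cells */
static const uint8_t REC_TRUNCATED[] = {8, 0, 0, 0, 'a', 'b'}; /* claims 8, carries 2 */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern from the CVE text: the count in the file is trusted.
 * Shown for contrast only; nothing in this example calls it. */
uint8_t *load_cells_unchecked(const uint8_t *rec) {
    uint8_t *cells = malloc(LEVEL_CELLS);
    if (!cells) return NULL;
    memcpy(cells, rec + 4, read_le32(rec)); /* count > LEVEL_CELLS overruns the heap block */
    return cells;
}

/* Hardened loader: returns 0 and sets *out on success, -1 on a malformed record. */
int load_cells_checked(const uint8_t *rec, size_t rec_len, uint8_t **out) {
    *out = NULL;
    if (rec_len < 4) return -1;         /* no room for the count field */
    uint32_t count = read_le32(rec);
    if (count > LEVEL_CELLS) return -1; /* would not fit the destination */
    if (count > rec_len - 4) return -1; /* more than the record really holds */
    uint8_t *cells = calloc(LEVEL_CELLS, 1);
    if (!cells) return -1;
    memcpy(cells, rec + 4, count);
    *out = cells;
    return 0;
}

int try_load(const uint8_t *rec, size_t rec_len) {
    uint8_t *cells;
    int rc = load_cells_checked(rec, rec_len, &cells);
    free(cells); /* free(NULL) is a no-op on the rejection paths */
    return rc;
}

int main(void) { /* exit status 0 when all three records behave as expected */
    return !(try_load(REC_OK, sizeof REC_OK) == 0 && try_load(REC_OVERSIZE, sizeof REC_OVERSIZE) == -1
             && try_load(REC_TRUNCATED, sizeof REC_TRUNCATED) == -1);
}
```

The two checks are independent: the first bounds the write into the heap block, the second bounds the read from the record, so a count that fits the buffer but exceeds the data present is rejected as well.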
Direct links to upstream issues, still unfixed:
https://bugs.freedroid.org/b/issue951
https://bugs.freedroid.org/b/issue952
https://bugs.freedroid.org/b/issue953
The first two issues are fixed by:
https://gitlab.com/freedroid/freedroid-src/-/commit/17711a426

The third seems to be a much harder to fix design issue.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=679d3e745b2df3d3a0dd23bd143baec761da965a

commit 679d3e745b2df3d3a0dd23bd143baec761da965a
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-11-16 18:23:52 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-11-16 18:56:31 +0000

    games-rpg/freedroidrpg: drop vulnerable 1.0_rc2-r1

    Bug: https://bugs.gentoo.org/729326
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 games-rpg/freedroidrpg/Manifest | 1 -
 .../files/freedroidrpg-1.0_rc2-fnocommon.patch | 49 ------------
 .../freedroidrpg/freedroidrpg-1.0_rc2-r1.ebuild | 88 ----------------------
 3 files changed, 138 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a91b1688b42abf36121c4e81c6135ce1d6f85c18

commit a91b1688b42abf36121c4e81c6135ce1d6f85c18
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-11-16 18:17:18 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-11-16 18:56:30 +0000

    games-rpg/freedroidrpg: add 1.0_rc3

    Unsurprisingly, the third issue is still unresolved wrt #729326

    Bug: https://bugs.gentoo.org/729326
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 games-rpg/freedroidrpg/Manifest | 1 +
 games-rpg/freedroidrpg/freedroidrpg-1.0_rc3.ebuild | 73 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec7834f32b220169f98dac9f48955d261abb1d35

commit ec7834f32b220169f98dac9f48955d261abb1d35
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-01-24 23:28:25 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-01-24 23:28:25 +0000

    games-rpg/freedroidrpg: drop vulnerable 1.0_rc3

    Bug: https://bugs.gentoo.org/729326
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 games-rpg/freedroidrpg/Manifest | 1 -
 games-rpg/freedroidrpg/freedroidrpg-1.0_rc3.ebuild | 73 ----------------------
 2 files changed, 74 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09ad97e974aba0d5d41c078356e954efcbfd4d90

commit 09ad97e974aba0d5d41c078356e954efcbfd4d90
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-01-24 23:23:27 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-01-24 23:23:30 +0000

    games-rpg/freedroidrpg: add 1.0

    wrt #729326, this version adds lua sandboxing for save game
    handling (so guess can consider this fixed? or reasonable anyway).

    Bug: https://bugs.gentoo.org/729326
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 games-rpg/freedroidrpg/Manifest | 1 +
 games-rpg/freedroidrpg/freedroidrpg-1.0.ebuild | 65 ++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
Yeah, probably as good as can be done. Thanks!