freeciv 2.2 before 2.2.1 and 2.3 before 2.3.0 allows attackers to
read arbitrary files or execute arbitrary commands via a scenario that
contains Lua functionality, related to the (1) os, (2) io, (3)
package, (4) dofile, (5) loadfile, (6) loadlib, (7) module, and (8)
require modules or functions.
games-strategy/freeciv-2.2.1 is in portage and stable for x86 and amd64. Just test & stable it for other arches.
The oldest 2.2 in the tree is now 2.2.1, and there's no 2.3 in the tree, so I think this can be closed.
@security, fixed versions are in tree.
From secunia I see:
The security issue exists due to the Lua run time environment allowing access to the operating system specific modules and functions. This can be exploited to execute arbitrary shell commands via a specially crafted saved game or scenario file.
We should move it to B2? If not please proceed with glsa vote.
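The mitigation the advisory describes amounts to not exposing the host-access modules to scenario scripts at all. As an added illustration (not freeciv's own code), this runs a scenario chunk inside a whitelist environment in which os, io, package, dofile, loadfile, loadlib, module and require are simply absent; the two scripts at the bottom are constructed test input. Nothing else is assumed beyond a stock Lua 5.1 or 5.2+ interpreter.

```lua
-- Build a fresh global environment containing only what a scenario script
-- legitimately needs. Anything not listed (os, io, package, require,
-- dofile, loadfile, loadlib, module, ...) is unreachable from inside.
local function make_scenario_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = unpack or table.unpack,
    string = {}, table = {}, math = {},   -- shallow copies, not the host tables
  }
  for k, v in pairs(string) do env.string[k] = v end
  for k, v in pairs(table)  do env.table[k]  = v end
  for k, v in pairs(math)   do env.math[k]   = v end
  env.string.dump = nil   -- keep bytecode handling out of the sandbox as well
  env._G = env            -- the script's _G is the sandbox, not the real one
  return env
end

-- Compile and run one scenario chunk with the sandbox as its global table.
-- Returns pcall-style (ok, result_or_error).
local function run_scenario(code, chunkname)
  local env = make_scenario_env()
  local fn, err
  if setfenv then
    -- Lua 5.1 (the version freeciv 2.2 embedded): compile, then rebind globals
    fn, err = loadstring(code, chunkname)
    if fn then setfenv(fn, env) end
  else
    -- Lua 5.2+: mode "t" rejects binary chunks, env replaces _ENV
    fn, err = load(code, chunkname, "t", env)
  end
  if not fn then return false, "compile error: " .. tostring(err) end
  return pcall(fn)
end

-- Constructed scripts: a benign one, and one that tries to reach the file
-- system through io, which the advisory lists as one of the exposed modules.
local ok, res = run_scenario("return string.format('%d units', 6 * 7)", "benign")
assert(ok and res == "42 units")

ok, res = run_scenario("return io.open('/etc/hostname')", "hostile")
-- io is nil inside the sandbox, so the script fails before touching the host
assert(not ok and res:match("attempt to index"))
print("sandbox OK")
```

Run with the stock interpreter (`lua sandbox.lua`); the same hostile chunk executed with plain `loadstring`/`load` and the default environment is exactly the behaviour the advisory describes.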
Yes, I believe this should be B2. GLSA request filed.
Is this still valid?
This issue was resolved and addressed in
GLSA 201402-07 at http://security.gentoo.org/glsa/glsa-201402-07.xml
by GLSA coordinator Chris Reffett (creffett).