Bug 546448 (CVE-2015-0844) - <games-strategy/wesnoth-1.12.2: information leak via built-in WML/Lua API (CVE-2015-0844)
Status: RESOLVED FIXED
Alias: CVE-2015-0844
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-13 13:06 UTC by Agostino Sarubbo
Modified: 2016-10-22 13:26 UTC
Description Agostino Sarubbo gentoo-dev 2015-04-13 13:06:40 UTC
From ${URL} :

A flaw was reported in wesnoth, a turn-based strategy game with a fantasy theme:

A severe security vulnerability in the game client was found (bug #23440) which could allow a 
malicious user to obtain personal files and information from other players in networked MP games 
using the built-in WML/Lua API on any platform.

The flaw affects wesnoth 1.12.1 and wesnoth 1.10.7.

Release announcement:

http://forums.wesnoth.org/viewtopic.php?t=41870
https://raw.githubusercontent.com/wesnoth/wesnoth/1.12.2/changelog

Upstream advisory:

http://forums.wesnoth.org/viewtopic.php?t=41872

Upstream patch:

https://github.com/wesnoth/wesnoth/commit/af61f9fdd15cd439da9e2fe5fa39d174c923eaae


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-04-19 15:41:59 UTC
CVE-2015-0844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0844):
  The WML/Lua API in Battle for Wesnoth 1.7.x through 1.11.x and 1.12.x before
  1.12.2 allows remote attackers to read arbitrary files via a crafted (1)
  campaign or (2) map file.
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2015-05-13 17:01:27 UTC
wesnoth 1.12.1 is no longer in portage
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-10-22 13:25:26 UTC
GLSA Vote: No