Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 260058 (CVE-2009-0366) - <games-strategy/wesnoth-1.4.7-r1 Python security issue (CVE-2009-{0366,0367})
Summary: <games-strategy/wesnoth-1.4.7-r1 Python security issue (CVE-2009-{0366,0367})
Status: RESOLVED FIXED
Alias: CVE-2009-0366
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: https://mail.gna.org/public/wesnoth-d...
Whiteboard: B3 [noglsa]
Keywords:
: CVE-2009-0367 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-02-23 20:40 UTC by Mr. Bones. (RETIRED)
Modified: 2009-07-10 12:23 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mr. Bones. (RETIRED) gentoo-dev 2009-02-23 20:40:27 UTC
The wesnoth upstream reported that python support exposes users to potential security issues.  Here's a link to their mailing list: https://mail.gna.org/public/wesnoth-dev/2009-02/msg00036.html

Python support has been disabled, the packages rev-bumped to force out the change and the old ebuilds with python enabled removed from portage.

Reproducible: Always
Comment 1 Mr. Bones. (RETIRED) gentoo-dev 2009-03-03 20:39:08 UTC
Could be finalized and closed afaict.
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2009-03-05 16:14:44 UTC
*** Bug 261282 has been marked as a duplicate of this bug. ***
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-03-05 16:56:15 UTC
CVE-2009-0367 is fixed in 1.5.11, according to http://www.wesnoth.org/forum/viewtopic.php?t=24247

before closing, we need to investigate attack vectors and impact for a rating and decide on a GLSA.
Comment 4 Mr. Bones. (RETIRED) gentoo-dev 2009-03-11 15:19:35 UTC
I vote yes on a GLSA fwiw.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-14 14:34:02 UTC
CVE-2009-0878 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0878):
  The read_game_map function in src/terrain_translation.cpp in Wesnoth
  before r32987 allows remote attackers to cause a denial of service
  (memory consumption and daemon hang) via a map with a large (1) width
  or (2) height.

Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-14 14:34:57 UTC
Sorry, wrong bug nr for CVE...
Comment 7 Mr. Bones. (RETIRED) gentoo-dev 2009-06-02 00:33:35 UTC
This bug can be closed out
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:52:30 UTC
game crash, I vote NO.
Comment 9 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-10 12:23:01 UTC
NO, too. Closing.