260058 – (CVE-2009-0366) <games-strategy/wesnoth-1.4.7-r1 Python security issue (CVE-2009-{0366,0367})

Bug 260058 (CVE-2009-0366) - <games-strategy/wesnoth-1.4.7-r1 Python security issue (CVE-2009-{0366,0367})

Summary: <games-strategy/wesnoth-1.4.7-r1 Python security issue (CVE-2009-{0366,0367})

Status:	RESOLVED FIXED

Alias:	CVE-2009-0366

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	https://mail.gna.org/public/wesnoth-d...
Whiteboard:	B3 [noglsa]
Keywords:

Duplicates (1):	CVE-2009-0367 (view as bug list)
Depends on:
Blocks:

Reported:	2009-02-23 20:40 UTC by Mr. Bones. (RETIRED)
Modified:	2009-07-10 12:23 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mr. Bones. (RETIRED) gentoo-dev

2009-02-23 20:40:27 UTC

The wesnoth upstream reported that python support exposes users to potential security issues.  Here's a link to their mailing list: https://mail.gna.org/public/wesnoth-dev/2009-02/msg00036.html

Python support has been disabled, the packages rev-bumped to force out the change and the old ebuilds with python enabled removed from portage.

Reproducible: Always

Comment 1 Mr. Bones. (RETIRED) gentoo-dev

2009-03-03 20:39:08 UTC

Could be finalized and closed afaict.

Comment 2 Mr. Bones. (RETIRED) gentoo-dev

2009-03-05 16:14:44 UTC

*** Bug 261282 has been marked as a duplicate of this bug. ***

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2009-03-05 16:56:15 UTC

CVE-2009-0367 is fixed in 1.5.11, according to http://www.wesnoth.org/forum/viewtopic.php?t=24247

before closing, we need to investigate attack vectors and impact for a rating and decide on a GLSA.

Comment 4 Mr. Bones. (RETIRED) gentoo-dev

2009-03-11 15:19:35 UTC

I vote yes on a GLSA fwiw.

Comment 5 Stefan Behte (RETIRED) gentoo-dev

2009-03-14 14:34:02 UTC

CVE-2009-0878 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0878):
  The read_game_map function in src/terrain_translation.cpp in Wesnoth
  before r32987 allows remote attackers to cause a denial of service
  (memory consumption and daemon hang) via a map with a large (1) width
  or (2) height.

Comment 6 Stefan Behte (RETIRED) gentoo-dev

2009-03-14 14:34:57 UTC

Sorry, wrong bug nr for CVE...

Comment 7 Mr. Bones. (RETIRED) gentoo-dev

2009-06-02 00:33:35 UTC

This bug can be closed out

Comment 8 Robert Buchholz (RETIRED) gentoo-dev

2009-07-10 10:52:30 UTC

game crash, I vote NO.

Comment 9 Alex Legler (RETIRED) archtester

2009-07-10 12:23:01 UTC

NO, too. Closing.