
Bug#782308: marked as done (unblock: wesnoth-1.10/1:1.10.7-2)



Your message dated Fri, 10 Apr 2015 19:38:43 +0100
with message-id <1428691123.14592.6.camel@adam-barratt.org.uk>
and subject line Re: Bug#782308: unblock: wesnoth-1.10/1:1.10.7-2
has caused the Debian Bug report #782308,
regarding unblock: wesnoth-1.10/1:1.10.7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
782308: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782308
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package wesnoth-1.10

 The update is a security fix for CVE-2015-0844.  The update technically
only contains the patch to fix the issue.  Find the diff attached.

unblock wesnoth-1.10/1:1.10.7-2

 Thanks in advance,
Rhonda
-- 
If you feel discouraged, take heart at last, go on  |
If you feel helpless, go out and help, go on        | Wir sind Helden
If you feel powerless, go out and act, go on        | 23.55: Alles auf Anfang
If you feel adrift, find a hold and let go          |
diff --git a/debian/changelog b/debian/changelog
index a05ad6f..94c23e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wesnoth-1.10 (1:1.10.7-2) unstable; urgency=high
+
+  * Pull af61f9fd from upstream to fix "Private file disclosure through
+    get_wml_location()" (CVE-2015-0844)
+
+ -- Rhonda D'Vine <rhonda@debian.org>  Wed, 08 Apr 2015 11:05:06 +0200
+
 wesnoth-1.10 (1:1.10.7-1) unstable; urgency=low
 
   * New upstream stable release.
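Review bot: The new 1:1.10.7-2 entry lists only the upstream patch pull, but this diff also changes the Uploaders field in debian/control and debian/control.in from "Gerfried Fuchs" to "Rhonda D'Vine". Add a changelog line for that metadata change so the entry covers everything in the upload, since the unblock request describes the update as containing only the security patch.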
diff --git a/debian/control b/debian/control
index d60ef6f..c087f39 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends: debhelper (>= 7), libsdl-image1.2-dev, libfreetype6-dev,
   libboost-program-options-dev,
   libpango1.0-dev, cmake (>= 2.6)
 Standards-Version: 3.9.4
-Uploaders: Gerfried Fuchs <rhonda@debian.org>,
+Uploaders: Rhonda D'Vine <rhonda@debian.org>,
   Vincent Cheng <Vincentc1208@gmail.com>
 Homepage: http://wesnoth.org/
 Vcs-Git: git://anonscm.debian.org/pkg-games/wesnoth.git
diff --git a/debian/control.in b/debian/control.in
index 19aff1b..645856b 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -10,7 +10,7 @@ Build-Depends: debhelper (>= 7), libsdl-image1.2-dev, libfreetype6-dev,
   libboost-program-options-dev,
   libpango1.0-dev, cmake (>= 2.6)
 Standards-Version: 3.9.4
-Uploaders: Gerfried Fuchs <rhonda@debian.org>,
+Uploaders: Rhonda D'Vine <rhonda@debian.org>,
   Vincent Cheng <Vincentc1208@gmail.com>
 Homepage: http://wesnoth.org/
 Vcs-Git: git://anonscm.debian.org/pkg-games/wesnoth.git
diff --git a/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
new file mode 100644
index 0000000..6235cda
--- /dev/null
+++ b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
@@ -0,0 +1,53 @@
+From af61f9fdd15cd439da9e2fe5fa39d174c923eaae Mon Sep 17 00:00:00 2001
+From: "Ignacio R. Morelle" <shadowm@wesnoth.org>
+Date: Fri, 16 May 2014 01:45:18 -0400
+Subject: [PATCH] fs: Use game data path to resolve ./ in the absence of a
+ current_dir
+
+Fixes a file content disclosure bug (#22042) affecting functionality
+relying on the get_wml_location() function and not passing a non-empty
+value for the current_dir parameter.
+
+See <https://gna.org/bugs/?22042> for details.
+
+This is a candidate for the 1.10 and 1.12 branches.
+
+(Backported from master, commit 314425ab0e57b32909d324f7d4bf213d62cbd3b5.)
+---
+ changelog          |  1 +
+ src/filesystem.cpp | 14 ++++++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/src/filesystem.cpp
++++ b/src/filesystem.cpp
+@@ -1170,8 +1170,18 @@
+ 	else if (filename.size() >= 2 && filename[0] == '.' && filename[1] == '/')
+ 	{
+ 		// If the filename begins with a "./", look in the same directory
+-		// as the file currrently being preprocessed.
+-		result = current_dir + filename.substr(2);
++		// as the file currently being preprocessed.
++
++		if (!current_dir.empty())
++		{
++			result = current_dir;
++		}
++		else
++		{
++			result = game_config::path;
++		}
++
++		result += filename.substr(2);
+ 	}
+ 	else if (!game_config::path.empty())
+ 		result = game_config::path + "/data/" + filename;
+--- a/changelog
++++ b/changelog
+@@ -29,6 +29,7 @@
+      replays).
+    * Backported several bugfixes for wmllint (Windows-unfriendliness on the
+      command line, unusual crashers, underscores stripped from keys).
++   * Fix bug #22042: filesystem content disclosure issue affecting Lua APIs
+ 
+ Version 1.10.6:
+  * Campaigns:
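Review bot: In the new else branch of the src/filesystem.cpp change, result = game_config::path; is followed by result += filename.substr(2); with no path separator, while the branch directly below builds game_config::path + "/data/" + filename with an explicit "/". If game_config::path carries no trailing slash, the fallback produces a name glued onto the directory name rather than a path inside it; append a "/" in the fallback case, or confirm that current_dir and game_config::path follow the same trailing-slash convention. Nothing visible in this hunk checks filename.substr(2) for ".." components either, so it is worth confirming that this is rejected elsewhere in get_wml_location() before relying on the new base directory as a boundary.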
diff --git a/debian/patches/series b/debian/patches/series
index 57b6465..9b0fc18 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 02wesnoth-nolog-desktop-file
 03wesnothd-name
+af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
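Review bot: The added series entry is named by the bare upstream commit hash, unlike the numbered, descriptive 02wesnoth-nolog-desktop-file and 03wesnothd-name above it. A numbered name that mentions CVE-2015-0844 or get_wml_location() would make the purpose of the patch visible from the series file and keep the ordering convention.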

--- End Message ---
--- Begin Message ---
On Fri, 2015-04-10 at 11:26 +0200, Rhonda D'Vine wrote:
> Please unblock package wesnoth-1.10
> 
>  The update is a security fix for CVE-2015-0844.  The update technically
> only contains the patch to fix the issue.  Find the diff attached.

Unblocked, thanks.

Regards,

Adam

--- End Message ---
