Re: wesnoth CVE-2007-6201 update for stable & oldstable
* Luk Claes <luk@debian.org> [2007-12-09 17:34:00 CET]:
> Sorry for the rather late reply.
No big deal, it's not like there was a point release in between. ;)
> Gerfried Fuchs wrote:
> > The update for CVE-2007-6201[1] was blocked by security team because it
> > just ends up in a 100% CPU consumption and constant stdout filling with
> > repeated "y" and thus not having any real security issue attached to it.
> >
> > Would you accept an upload of wesnoth both to stable-proposed-updates
> > and oldstable-proposed-updates with the fix[2] for it?
>
> > [1] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6201>
> > [2] svn diff -c21907 http://svn.gna.org/svn/wesnoth/
>
> Can you please give a pointer to the actual patch?
I thought [2] would have been pointer enough to the actual patch, but I
guess it wasn't clear enough that there is nothing more to it than there
is in there, besides that the first chunk of the diff is in a different
filename, but the context is completely the same.
I've prepared interdiffs for both oldstable and stable, based upon the
security update, find them attached.
So long, and sorry for the confusion, Luk.
Rhonda
diff -u wesnoth-0.9.0/debian/changelog wesnoth-0.9.0/debian/changelog
--- wesnoth-0.9.0/debian/changelog
+++ wesnoth-0.9.0/debian/changelog
@@ -1,3 +1,11 @@
+wesnoth (0.9.0-8) oldstable; urgency=low
+
+ * Remove WML turn_cmd which can lead to forking yes and through that 100%
+ CPU usage and stdout filling [CVE-2007-6201]. Patch 05_CVE-2007-6201 was
+ pulled from upstream svn (revision 21907).
+
+ -- Gerfried Fuchs <rhonda@debian.at> Mon, 10 Dec 2007 15:21:56 +0100
+
wesnoth (0.9.0-7) oldstable-security; urgency=medium
* Ignore filenames that contain .. to not send arbitrary files around in
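Review bot: the new 0.9.0-8 changelog entry names only the symptom ("forking yes", 100% CPU, stdout filling) and does not say that a user-visible feature goes away. The attached patch deletes the `turn_cmd` preference accessors and the `system(turn_cmd.c_str())` call outright, so the entry would be clearer if it said that the turn_cmd preference is no longer honoured and that its value used to be handed to `system()`. That also tells a release-team reader why removal, rather than filtering the value, is the fix.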
only in patch2:
unchanged:
--- wesnoth-0.9.0.orig/debian/patches/05_CVE-2007-6201.dpatch
+++ wesnoth-0.9.0/debian/patches/05_CVE-2007-6201.dpatch
@@ -0,0 +1,55 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 05_CVE-2007-6201.dpatch by Gerfried Fuchs <rhonda@debian.at>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: remove turn_cmd
+
+@DPATCH@
+diff -urNad wesnoth-0.9.0~/src/playturn.cpp wesnoth-0.9.0/src/playturn.cpp
+--- wesnoth-0.9.0~/src/playturn.cpp 2005-04-10 13:53:15.000000000 +0200
++++ wesnoth-0.9.0/src/playturn.cpp 2007-12-10 15:34:18.000000000 +0100
+@@ -87,11 +87,6 @@
+ gui::show_dialog(gui,NULL,"",_("It is now your turn"),gui::MESSAGE);
+ }
+
+- const std::string& turn_cmd = preferences::turn_cmd();
+- if(turn_cmd.empty() == false) {
+- system(turn_cmd.c_str());
+- }
+-
+ turn_info turn_data(gameinfo,state_of_game,status,terrain_config,level,
+ key,gui,map,teams,team_num,units,turn_info::PLAY_TURN,textbox,network_sender);
+
+diff -urNad wesnoth-0.9.0~/src/preferences.cpp wesnoth-0.9.0/src/preferences.cpp
+--- wesnoth-0.9.0~/src/preferences.cpp 2005-04-06 23:25:11.000000000 +0200
++++ wesnoth-0.9.0/src/preferences.cpp 2007-12-10 15:33:17.000000000 +0100
+@@ -444,16 +444,6 @@
+ prefs["turn_bell"] = (ison ? "yes" : "no");
+ }
+
+-const std::string& turn_cmd()
+-{
+- return prefs["turn_cmd"];
+-}
+-
+-void set_turn_cmd(const std::string& cmd)
+-{
+- prefs["turn_cmd"] = cmd;
+-}
+-
+ bool message_bell()
+ {
+ return prefs["message_bell"] != "no";
+diff -urNad wesnoth-0.9.0~/src/preferences.hpp wesnoth-0.9.0/src/preferences.hpp
+--- wesnoth-0.9.0~/src/preferences.hpp 2005-04-04 00:02:42.000000000 +0200
++++ wesnoth-0.9.0/src/preferences.hpp 2007-12-10 15:33:41.000000000 +0100
+@@ -93,9 +93,6 @@
+ bool message_bell();
+ void set_message_bell(bool ison);
+
+- const std::string& turn_cmd();
+- void set_turn_cmd(const std::string& cmd);
+-
+ bool turn_dialog();
+ void set_turn_dialog(bool ison);
+
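Review bot: the preferences.hpp part of this dpatch drops the declarations of `turn_cmd()` and `set_turn_cmd()`, but the only call site the patch touches is the `system(turn_cmd.c_str())` block in playturn.cpp. Nothing here removes a caller of `set_turn_cmd()`, so before upload it is worth grepping the 0.9.0 tree for `turn_cmd` to confirm no preferences dialog or config loader still references either function, otherwise the build breaks. Note also that a `turn_cmd` key already stored in `prefs` is simply ignored after this change, which is the desired outcome but could be stated in the `## DP:` line, which currently reads only "remove turn_cmd" and carries neither the CVE id nor the upstream revision.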
diff -u wesnoth-1.2/debian/changelog wesnoth-1.2/debian/changelog
--- wesnoth-1.2/debian/changelog
+++ wesnoth-1.2/debian/changelog
@@ -1,3 +1,11 @@
+wesnoth (1.2-4) stable; urgency=low
+
+ * Remove WML turn_cmd which can lead to forking yes and through that 100%
+ CPU usage and stdout filling [CVE-2007-6201]. Patch CVE-2007-6201 was
+ pulled from upstream svn (revision 21907).
+
+ -- Gerfried Fuchs <rhonda@debian.at> Mon, 10 Dec 2007 16:02:21 +0100
+
wesnoth (1.2-3) stable-security; urgency=medium
* Ignore filenames that contain .. to not send arbitrary files around in
only in patch2:
unchanged:
--- wesnoth-1.2.orig/debian/patches/CVE-2007-6201.patch
+++ wesnoth-1.2/debian/patches/CVE-2007-6201.patch
@@ -0,0 +1,48 @@
+diff -Nur wesnoth-1.2/src/playsingle_controller.cpp wesnoth-1.2.new/src/playsingle_controller.cpp
+--- wesnoth-1.2/src/playsingle_controller.cpp 2006-12-20 03:18:35.000000000 +0100
++++ wesnoth-1.2.new/src/playsingle_controller.cpp 2007-12-10 16:11:40.000000000 +0100
+@@ -477,11 +477,6 @@
+ gui::show_dialog(*gui_,NULL,"",_("It is now your turn"),gui::MESSAGE);
+ }
+
+- const std::string& turn_cmd = preferences::turn_cmd();
+- if(turn_cmd.empty() == false) {
+- system(turn_cmd.c_str());
+- }
+-
+ //execute gotos - first collect gotos in a list
+ std::vector<gamemap::location> gotos;
+
+diff -Nur wesnoth-1.2/src/preferences.cpp wesnoth-1.2.new/src/preferences.cpp
+--- wesnoth-1.2/src/preferences.cpp 2006-10-26 12:22:11.000000000 +0200
++++ wesnoth-1.2.new/src/preferences.cpp 2007-12-10 16:11:51.000000000 +0100
+@@ -351,16 +351,6 @@
+ prefs["turn_bell"] = (ison ? "yes" : "no");
+ }
+
+-const std::string& turn_cmd()
+-{
+- return prefs["turn_cmd"];
+-}
+-
+-void set_turn_cmd(const std::string& cmd)
+-{
+- prefs["turn_cmd"] = cmd;
+-}
+-
+ bool message_bell()
+ {
+ return prefs["message_bell"] != "no";
+diff -Nur wesnoth-1.2/src/preferences.hpp wesnoth-1.2.new/src/preferences.hpp
+--- wesnoth-1.2/src/preferences.hpp 2006-10-26 12:22:11.000000000 +0200
++++ wesnoth-1.2.new/src/preferences.hpp 2007-12-10 16:12:02.000000000 +0100
+@@ -109,9 +109,6 @@
+ bool message_bell();
+ void set_message_bell(bool ison);
+
+- const std::string& turn_cmd();
+- void set_turn_cmd(const std::string& cmd);
+-
+ bool turn_dialog();
+ void set_turn_dialog(bool ison);
+
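Review bot: unlike the oldstable dpatch, debian/patches/CVE-2007-6201.patch starts directly at the `diff -Nur` line with no description, so the file itself does not record that it comes from upstream svn revision 21907 or which CVE it addresses. A few leading comment lines with that origin would keep the provenance with the patch rather than only in the changelog. The same caller check applies here: the declarations of `turn_cmd()` and `set_turn_cmd()` are removed from preferences.hpp while the only call site changed is in playsingle_controller.cpp, so confirm nothing else in the 1.2 tree still uses them.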