Bug#790940: wheezy-pu: package wesnoth-1.10/1:1.10.3-3+deb7u2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#790940: wheezy-pu: package wesnoth-1.10/1:1.10.3-3+deb7u2
From: Vincent Cheng <vcheng@debian.org>
Date: Fri, 3 Jul 2015 01:33:25 -0700
Message-id: <[🔎] CACZd_tCayWzc4v62EcLpXuHWbBAPT6tigeZzi4VHRZYxCReg-w@mail.gmail.com>
Reply-to: Vincent Cheng <vcheng@debian.org>, 790940@bugs.debian.org

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: wheezy
Severity: normal
X-Debbugs-CC: rhonda@debian.org

Hi,

I'd like to upload wesnoth-1.10/1:1.10.3-3+deb7u2 to wheezy-pu to fix
CVE-2015-5069 and CVE-2015-5070 (these CVEs are marked no-dsa in the
security tracker and the security team has asked me to get these CVEs
fixed via a point update instead). These CVEs have already been fixed
in sid as of wesnoth-1.12/1:1.12.4-1. Debdiff below, thanks!

Regards,
Vincent


diff -Nru wesnoth-1.10-1.10.3/debian/changelog
wesnoth-1.10-1.10.3/debian/changelog
--- wesnoth-1.10-1.10.3/debian/changelog 2015-04-09 07:00:48.000000000 -0700
+++ wesnoth-1.10-1.10.3/debian/changelog 2015-07-01 13:51:32.000000000 -0700
@@ -1,3 +1,10 @@
+wesnoth-1.10 (1:1.10.3-3+deb7u2) wheezy; urgency=medium
+
+  * Security fix: Disallowed inclusion of .pbl files from WML, independent of
+    extension case (CVE-2015-5069, CVE-2015-5070).
+
+ -- Vincent Cheng <vcheng@debian.org>  Wed, 01 Jul 2015 13:30:12 -0700
+
 wesnoth-1.10 (1:1.10.3-3+deb7u1) wheezy-security; urgency=high

   * Pull af61f9fd from upstream to fix "Private file disclosure through
diff -Nru wesnoth-1.10-1.10.3/debian/patches/CVE-2015-5069-CVE-2015-5070.patch
wesnoth-1.10-1.10.3/debian/patches/CVE-2015-5069-CVE-2015-5070.patch
--- wesnoth-1.10-1.10.3/debian/patches/CVE-2015-5069-CVE-2015-5070.patch
1969-12-31 16:00:00.000000000 -0800
+++ wesnoth-1.10-1.10.3/debian/patches/CVE-2015-5069-CVE-2015-5070.patch
2015-07-01 13:32:55.000000000 -0700
@@ -0,0 +1,23 @@
+Description: Disallowed inclusion of .pbl files from WML, independent of
+ extension case (CVE-2015-5069, CVE-2015-5070).
+Origin: upstream, commits 055fea16479a755d6744a52f78f63548b692c440
+ and d20f8015bc3653a10d6d4dfd751e62651d1180b7
+Bug: https://gna.org/bugs/?23504
+Last-Update: 2015-07-01
+
+diff --git a/src/filesystem.cpp b/src/filesystem.cpp
+index 7b4bd95..510da80 100644
+--- a/src/filesystem.cpp
++++ b/src/filesystem.cpp
+@@ -1157,6 +1157,11 @@ std::string get_wml_location(const std::string
&filename, const std::string &cur
+ return result;
+ }
+
++ if (looks_like_pbl(filename)) {
++ ERR_FS << "Illegal path '" << filename << "' (.pbl files are not
allowed)." << std::endl;
++ return result;
++ }
++
+ bool already_found = false;
+
+ if (filename[0] == '~')
diff -Nru wesnoth-1.10-1.10.3/debian/patches/series
wesnoth-1.10-1.10.3/debian/patches/series
--- wesnoth-1.10-1.10.3/debian/patches/series 2015-04-08
10:14:12.000000000 -0700
+++ wesnoth-1.10-1.10.3/debian/patches/series 2015-07-01
13:51:48.000000000 -0700
@@ -1,3 +1,4 @@
 02wesnoth-nolog-desktop-file
 03wesnothd-name
 af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
+CVE-2015-5069-CVE-2015-5070.patch

Reply to:

Follow-Ups:
- Bug#790940: wheezy-pu: package wesnoth-1.10/1:1.10.3-3+deb7u2
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#790940: wheezy-pu: package wesnoth-1.10/1:1.10.3-3+deb7u2
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#790940: wheezy-pu: package wesnoth-1.10/1:1.10.3-3+deb7u2
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#790939: jessie-pu: package wesnoth-1.10/1:1.10.7-2+deb8u1
Next by Date: Processed: block 760849 with 790958
Previous by thread: Processed: Re: Bug#790939: jessie-pu: package wesnoth-1.10/1:1.10.7-2+deb8u1
Next by thread: Bug#790940: wheezy-pu: package wesnoth-1.10/1:1.10.3-3+deb7u2
Index(es):
- Date
- Thread