
Bug#912336: pu: package wesnoth-1.12/1:1.12_1.12.6-1+deb9u1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

     Hi,

 for fixing CVE-2018-1999023 (see #911950 removal request ...) I propose
the following upload and would like to receive an ACK for uploading the
fixed package.

 Find here the corresponding debdiff.  It was committed to a dedicated
stretch branch on salsa too:
-> https://salsa.debian.org/games-team/wesnoth/commit/bef5679dd

 This corresponds directly to the upstream fix of the issue here:
-> https://github.com/wesnoth/wesnoth/commit/d911268a

 Thanks in advance for considering.  I'll add this bug number into the
changelog before uploading instead of the removal request one, which
makes more sense. :)

 Enjoy,
Rhonda


#v+
diff -Nru wesnoth-1.12-1.12.6/debian/changelog wesnoth-1.12-1.12.6/debian/changelog
--- wesnoth-1.12-1.12.6/debian/changelog	2016-05-21 08:48:55.000000000 +0200
+++ wesnoth-1.12-1.12.6/debian/changelog	2018-10-30 10:53:02.000000000 +0100
@@ -1,3 +1,10 @@
+wesnoth-1.12 (1:1.12.6-1+deb9u1) stretch; urgency=low
+
+  * Security fix: disallow loading lua bytecode via load/dofile
+    (CVE-2018-1999023, closes: #911950)
+
+ -- Rhonda D'Vine <rhonda@debian.org>  Tue, 30 Oct 2018 10:53:02 +0100
+
 wesnoth-1.12 (1:1.12.6-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023 wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023
--- wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023	1970-01-01 01:00:00.000000000 +0100
+++ wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023	2018-10-30 10:53:02.000000000 +0100
@@ -0,0 +1,68 @@
+Author: gfgtdf	vim:ft=diff:
+Description: disallow loading lua bytecode via load/dofile (CVE-2018-1999023)
+Origin: upstream, https://github.com/wesnoth/wesnoth/commit/d911268
+
+--- a/src/ai/lua/core.cpp
++++ b/src/ai/lua/core.cpp
+@@ -913,7 +913,7 @@
+ 
+ lua_ai_context* lua_ai_context::create(lua_State *L, char const *code, ai::engine_lua *engine)
+ {
+-	int res_ai = luaL_loadstring(L, code);//stack size is now 1 [ -1: ai_context]
++	int res_ai = luaL_loadbufferx(L, code, strlen(code), /*name*/ code, "t"); // [-1: AI code]
+ 	if (res_ai)
+ 	{
+ 
+@@ -943,7 +943,7 @@
+ 
+ lua_ai_action_handler* lua_ai_action_handler::create(lua_State *L, char const *code, lua_ai_context &context)
+ {
+-	int res = luaL_loadstring(L, code);//stack size is now 1 [ -1: f]
++	int res = luaL_loadbufferx(L, code, strlen(code), /*name*/ code, "t");//stack size is now 1 [ -1: f]
+ 	if (res)
+ 	{
+ 		char const *m = lua_tostring(L, -1);
+--- a/src/lua/lbaselib.cpp
++++ b/src/lua/lbaselib.cpp
+@@ -310,16 +310,17 @@
+   size_t l;
+   const char *s = lua_tolstring(L, 1, &l);
+   const char *mode = luaL_optstring(L, 3, "bt");
++  (void) mode;
+   int env = (!lua_isnone(L, 4) ? 4 : 0);  /* 'env' index or 0 if no 'env' */
+   if (s != NULL) {  /* loading a string? */
+     const char *chunkname = luaL_optstring(L, 2, s);
+-    status = luaL_loadbufferx(L, s, l, chunkname, mode);
++    status = luaL_loadbufferx(L, s, l, chunkname, "t");
+   }
+   else {  /* loading from a reader function */
+     const char *chunkname = luaL_optstring(L, 2, "=(load)");
+     luaL_checktype(L, 1, LUA_TFUNCTION);
+     lua_settop(L, RESERVEDSLOT);  /* create reserved slot */
+-    status = lua_load(L, generic_reader, NULL, chunkname, mode);
++    status = lua_load(L, generic_reader, NULL, chunkname, "t");
+   }
+   return load_aux(L, status, env);
+ }
+--- a/src/scripting/lua.cpp
++++ b/src/scripting/lua.cpp
+@@ -1052,7 +1052,7 @@
+ 		//lua uses '@' to know that this is a file (as opposed to a something as opposed to something loaded via loadstring )
+ 		std::string chunkname = '@' + fname;
+ 		LOG_LUA << "starting to read from " << fname << "\n";
+-		return  lua_load(L, &lua_filestream::lua_read_data, &lfs, chunkname.c_str(), NULL);
++		return  lua_load(L, &lua_filestream::lua_read_data, &lfs, chunkname.c_str(), "t");
+ 	}
+ private:
+ 	char buff_[LUAL_BUFFERSIZE];
+@@ -4239,7 +4239,9 @@
+ 	lua_State *L = mState;
+ 
+ 	// Compile script into a variadic function.
+-	int res = luaL_loadstring(L, prog);
++	// pass 't' to prevent loading bytecode which is unsafe and can be used to escape the sandbox.
++	// todo: maybe allow a 'name' parameter to give better error messages.
++	int res = luaL_loadbufferx(L, prog, strlen(prog), /*name*/ prog, "t");
+ 	if (res)
+ 	{
+ 		char const *m = lua_tostring(L, -1);
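Review bot: The patch pins `luaB_load` and wesnoth's own file loader to text-only chunks, but the stock Lua 5.2 `luaB_loadfile` in the same lbaselib.cpp (which passes its caller-supplied mode to `luaL_loadfilex`) is not touched, so if the sandboxed state still exposes `loadfile` (or a 5.1-style `loadstring`) that remains a bytecode loading path; the sandbox setup is outside this diff, so please confirm those globals are removed or likewise forced to `"t"`. In `luaB_load` the explicit mode argument is now read and silently discarded (`(void) mode;`), so a script passing `"b"` only learns of the restriction from the generic lua_load mode error; a comment such as `/* mode is accepted for API compatibility only: bytecode loading is disabled (CVE-2018-1999023) */` next to the `(void) mode;` would document the intent. The DEP-3 `Author:` header line also carries a `vim:ft=diff:` modeline on the same line, which tooling will read as part of the author name; it belongs on a line of its own or should be dropped.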
diff -Nru wesnoth-1.12-1.12.6/debian/patches/series wesnoth-1.12-1.12.6/debian/patches/series
--- wesnoth-1.12-1.12.6/debian/patches/series	2014-11-24 10:27:24.000000000 +0100
+++ wesnoth-1.12-1.12.6/debian/patches/series	2018-10-30 10:29:29.000000000 +0100
@@ -1,2 +1,3 @@
 02wesnoth-nolog-desktop-file
 03wesnothd-name
+04CVE-2018-1999023
#v-

