Bug#912336: pu: package wesnoth-1.12/1:1.12_1.12.6-1+deb9u1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
For fixing CVE-2018-1999023 (see the removal request in #911950) I propose
the following upload and would like to receive an ACK for uploading the
fixed package.
Find here the corresponding debdiff. It was committed to a dedicated
stretch branch on salsa too:
-> https://salsa.debian.org/games-team/wesnoth/commit/bef5679dd
This corresponds directly to the upstream fix of the issue here:
-> https://github.com/wesnoth/wesnoth/commit/d911268a
Thanks in advance for considering. I'll add this bug number into the
changelog before uploading instead of the removal request one, which
makes more sense. :)
Enjoy,
Rhonda
#v+
diff -Nru wesnoth-1.12-1.12.6/debian/changelog wesnoth-1.12-1.12.6/debian/changelog
--- wesnoth-1.12-1.12.6/debian/changelog 2016-05-21 08:48:55.000000000 +0200
+++ wesnoth-1.12-1.12.6/debian/changelog 2018-10-30 10:53:02.000000000 +0100
@@ -1,3 +1,10 @@
+wesnoth-1.12 (1:1.12.6-1+deb9u1) stretch; urgency=low
+
+ * Security fix: disallow loading lua bytecode via load/dofile
+ (CVE-2018-1999023, closes: #911950)
+
+ -- Rhonda D'Vine <rhonda@debian.org> Tue, 30 Oct 2018 10:53:02 +0100
+
wesnoth-1.12 (1:1.12.6-1) unstable; urgency=medium
* New upstream release.
diff -Nru wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023 wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023
--- wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023 1970-01-01 01:00:00.000000000 +0100
+++ wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023 2018-10-30 10:53:02.000000000 +0100
@@ -0,0 +1,68 @@
+Author: gfgtdf vim:ft=diff:
+Description: disallow loading lua bytecode via load/dofile (CVE-2018-1999023)
+Origin: upstream, https://github.com/wesnoth/wesnoth/commit/d911268
+
+--- a/src/ai/lua/core.cpp
++++ b/src/ai/lua/core.cpp
+@@ -913,7 +913,7 @@
+
+ lua_ai_context* lua_ai_context::create(lua_State *L, char const *code, ai::engine_lua *engine)
+ {
+- int res_ai = luaL_loadstring(L, code);//stack size is now 1 [ -1: ai_context]
++ int res_ai = luaL_loadbufferx(L, code, strlen(code), /*name*/ code, "t"); // [-1: AI code]
+ if (res_ai)
+ {
+
+@@ -943,7 +943,7 @@
+
+ lua_ai_action_handler* lua_ai_action_handler::create(lua_State *L, char const *code, lua_ai_context &context)
+ {
+- int res = luaL_loadstring(L, code);//stack size is now 1 [ -1: f]
++ int res = luaL_loadbufferx(L, code, strlen(code), /*name*/ code, "t");//stack size is now 1 [ -1: f]
+ if (res)
+ {
+ char const *m = lua_tostring(L, -1);
+--- a/src/lua/lbaselib.cpp
++++ b/src/lua/lbaselib.cpp
+@@ -310,16 +310,17 @@
+ size_t l;
+ const char *s = lua_tolstring(L, 1, &l);
+ const char *mode = luaL_optstring(L, 3, "bt");
++ (void) mode;
+ int env = (!lua_isnone(L, 4) ? 4 : 0); /* 'env' index or 0 if no 'env' */
+ if (s != NULL) { /* loading a string? */
+ const char *chunkname = luaL_optstring(L, 2, s);
+- status = luaL_loadbufferx(L, s, l, chunkname, mode);
++ status = luaL_loadbufferx(L, s, l, chunkname, "t");
+ }
+ else { /* loading from a reader function */
+ const char *chunkname = luaL_optstring(L, 2, "=(load)");
+ luaL_checktype(L, 1, LUA_TFUNCTION);
+ lua_settop(L, RESERVEDSLOT); /* create reserved slot */
+- status = lua_load(L, generic_reader, NULL, chunkname, mode);
++ status = lua_load(L, generic_reader, NULL, chunkname, "t");
+ }
+ return load_aux(L, status, env);
+ }
+--- a/src/scripting/lua.cpp
++++ b/src/scripting/lua.cpp
+@@ -1052,7 +1052,7 @@
+ //lua uses '@' to know that this is a file (as opposed to a something as opposed to something loaded via loadstring )
+ std::string chunkname = '@' + fname;
+ LOG_LUA << "starting to read from " << fname << "\n";
+- return lua_load(L, &lua_filestream::lua_read_data, &lfs, chunkname.c_str(), NULL);
++ return lua_load(L, &lua_filestream::lua_read_data, &lfs, chunkname.c_str(), "t");
+ }
+ private:
+ char buff_[LUAL_BUFFERSIZE];
+@@ -4239,7 +4239,9 @@
+ lua_State *L = mState;
+
+ // Compile script into a variadic function.
+- int res = luaL_loadstring(L, prog);
++ // pass 't' to prevent loading bytecode which is unsafe and can be used to escape the sandbox.
++ // todo: maybe allow a 'name' parameter to give better error messages.
++ int res = luaL_loadbufferx(L, prog, strlen(prog), /*name*/ prog, "t");
+ if (res)
+ {
+ char const *m = lua_tostring(L, -1);
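Review bot: In the lbaselib.cpp hunk the caller-supplied `mode` is still read from argument 3 and then discarded with `(void) mode;`, so a script that asks for `"b"` or `"bt"` is silently given a text-only parse and a bytecode chunk fails with an unrelated syntax error instead of a clear refusal; a one-line comment at that site would keep the intent from being "cleaned up" in a later merge, e.g. `/* mode is ignored on purpose: precompiled bytecode can escape the sandbox (CVE-2018-1999023), always load as text */`. The builtin this hunk patches begins before the hunk, and any `loadfile`/`loadstring` variants in the same file are not visible here; if the sandbox exposes them and they still pass a caller-controlled mode to `luaL_loadfilex`/`lua_load`, they need the same `"t"` override or the fix is bypassable from WML/Lua content. The `/*name*/ code` chunk names in the core.cpp and lua.cpp hunks reproduce what `luaL_loadstring` already did, so the todo about better error messages is accurate but not a regression introduced here.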
diff -Nru wesnoth-1.12-1.12.6/debian/patches/series wesnoth-1.12-1.12.6/debian/patches/series
--- wesnoth-1.12-1.12.6/debian/patches/series 2014-11-24 10:27:24.000000000 +0100
+++ wesnoth-1.12-1.12.6/debian/patches/series 2018-10-30 10:29:29.000000000 +0100
@@ -1,2 +1,3 @@
02wesnoth-nolog-desktop-file
03wesnothd-name
+04CVE-2018-1999023
#v-