wesnoth exploit allows others to view the content of files on a remote computer

I unchecked the privacy of the bug since it's a known one, and has been mentioned at least at happypenguin.org, secunia and the wesnoth forums. I considered thus that keeping this bug hidden would't contribute anything.

I'm working on this.

I prepared this package:
http://emilio.pozuelo.org/~deb/wesnoth_1.2.8-0ubuntu1.dsc

But Debian has merged our changes, so we can sync their version. The problem is that it's waiting in the NEW queue, so it will take some days.

It's OK, don't worry. I don't really think two days will make or break
a system, as it's a game. Thank you very much for your efforts.

I've requested a sync from Debian in bug #173494 which will address the vulnerability in Hardy.

This is the fix: http://svn.gna.org/viewcvs/wesnoth/branches/1.2/src/serialization/preprocessor.cpp?rev=21904&view=diff&r1=21904&r2=21903&p1=branches/1.2/src/serialization/preprocessor.cpp&p2=/branches/1.2/src/serialization/preprocessor.cpp

This debdiff fixes the Gutsy vulnerability.

This debdiff addresses this bug and bug #158414.

The security updates are available for Gutsy and Feisty at https://launchpad.net/~pochu/+archive

Please, test them and let us know whether they work fine. We need some testing to get them in the security repository. So start the game, and see that things work properly (menus, start a campaign, start multiplayer...).

Thanks in advance,
Emilio

Thanks for preparing these! I've uploaded them to the security queue. They should be published shortly.

wesnoth (1.2.6-1ubuntu2.2) gutsy-security; urgency=low

  * SECURITY UPDATE: Do not allow '../' in file paths. It allowed others
    to view the content of files in the remote computers.
  * debian/patches/CVE-2007-5742: added, taken from upstream SVN r21904.
  * References:
    CVE-2007-5742.
    LP: #172783.

 -- Emilio Pozuelo Monfort <email address hidden> Sun, 02 Dec 2007 21:30:03 +0100

wesnoth (1.2.3-0ubuntu1.1) feisty-security; urgency=low

  * SECURITY UPDATE: Fix insecure truncate of a multibyte chat message that
    can lead to invalid utf-8 and throw an uncaught exception. Both wesnoth
    client and server are affected.
  * debian/patches/CVE-2007-3917: added, taken from Debian.
  * References: CVE-2007-3917.
    LP: #158414.

  * SECURITY UPDATE: Do not allow '../' in file paths. It allowed others
    to view the content of files in the remote computers.
  * debian/patches/CVE-2007-5742: added, taken from upstream SVN r21904.
  * References:
    CVE-2007-5742.
    LP: #172783.

 -- Emilio Pozuelo Monfort <email address hidden> Sun, 02 Dec 2007 22:07:37 +0100

1.2.8 has been synced to Hardy.

Edgy and Dapper are still vulnerable.

I'm preparing some fixes for wesnoth regarding https://bugs.edge.launchpad.net/ubuntu/+source/wesnoth/+bug/173881,
you'll find at least for edgy (and hopefully dapper) the fixes inside the debdiffs, as well the latest CVE mentioned in the bug above