This is an automated email from the git hooks/post-receive script. rhonda pushed a commit to branch squeeze in repository wesnoth.
commit f17e501c8aca07d623996f930ecb588a4de1f64e Author: Rhonda D'Vine <rho...@debian.org> Date: Fri Apr 17 15:11:05 2015 +0200 Pull af61f9fd from upstream to fix CVE-2015-0844 --- debian/changelog | 7 +++ debian/control | 2 +- debian/control.in | 2 +- .../af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch | 53 ++++++++++++++++++++++ debian/patches/series | 1 + 5 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 44105d0..4496416 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wesnoth-1.8 (1:1.8.5-1+deb6u1) squeeze-lts; urgency=high
+
+ * Pull af61f9fd from upstream to fix "Private file disclosure through
+ get_wml_location()" (CVE-2015-0844)
+
+ -- Rhonda D'Vine <rho...@debian.org> Fri, 17 Apr 2015 14:26:30 +0200
+
 wesnoth-1.8 (1:1.8.5-1) unstable; urgency=low

 * New upstream stable release.
diff --git a/debian/control b/debian/control
index a341bfb..eaa0f81 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 7), quilt, libsdl-image1.2-dev, libfreetype6-dev, libboost-iostreams-dev, libboost-test-dev, libboost-regex-dev, libboost-serialization-dev, libpango1.0-dev, automake, liblua5.1-0-dev
 Standards-Version: 3.9.1
-Uploaders: Gerfried Fuchs <rho...@debian.at>
+Uploaders: Rhonda D'Vine <rho...@debian.org>
 Homepage: http://wesnoth.org/
 Vcs-Git: git://git.debian.org/git/pkg-games/wesnoth.git
 Vcs-Browser: http://git.debian.org/?p=pkg-games/wesnoth.git;a=summary
diff --git a/debian/control.in b/debian/control.in
index 9fa259f..f7fcae8 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 7), quilt, libsdl-image1.2-dev, libfreetype6-dev, libboost-iostreams-dev, libboost-test-dev, libboost-regex-dev, libboost-serialization-dev, libpango1.0-dev, automake, liblua5.1-0-dev
 Standards-Version: 3.9.1
-Uploaders: Gerfried Fuchs <rho...@debian.at>
+Uploaders: Rhonda D'Vine <rho...@debian.org>
 Homepage: http://wesnoth.org/
 Vcs-Git: git://git.debian.org/git/pkg-games/wesnoth.git
 Vcs-Browser: http://git.debian.org/?p=pkg-games/wesnoth.git;a=summary
diff --git a/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
new file mode 100644
index 0000000..e8077db
--- /dev/null
+++ b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
@@ -0,0 +1,53 @@
+From af61f9fdd15cd439da9e2fe5fa39d174c923eaae Mon Sep 17 00:00:00 2001
+From: "Ignacio R. Morelle" <shad...@wesnoth.org>
+Date: Fri, 16 May 2014 01:45:18 -0400
+Subject: [PATCH] fs: Use game data path to resolve ./ in the absence of a
+ current_dir
+
+Fixes a file content disclosure bug (#22042) affecting functionality
+relying on the get_wml_location() function and not passing a non-empty
+value for the current_dir parameter.
+
+See <https://gna.org/bugs/?22042> for details.
+
+This is a candidate for the 1.10 and 1.12 branches.
+
+(Backported from master, commit 314425ab0e57b32909d324f7d4bf213d62cbd3b5.)
+---
+ changelog | 1 +
+ src/filesystem.cpp | 14 ++++++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/src/filesystem.cpp
++++ b/src/filesystem.cpp
+@@ -1063,8 +1063,18 @@ std::string get_wml_location(const std::
+ else if (filename.size() >= 2 && filename[0] == '.' && filename[1] == '/')
+ {
+ // If the filename begins with a "./", look in the same directory
+- // as the file currrently being preprocessed.
+- result = current_dir + filename.substr(2);
++ // as the file currently being preprocessed.
++
++ if (!current_dir.empty())
++ {
++ result = current_dir;
++ }
++ else
++ {
++ result = game_config::path;
++ }
++
++ result += filename.substr(2);
+ }
+ else if (!game_config::path.empty())
+ result = game_config::path + "/data/" + filename;
+--- a/changelog
++++ b/changelog
+@@ -24,6 +24,7 @@ Version 1.8.5:
+ * Fix bug #15960 "again", making "Cancel" a separate action and not just
+ a duplicate of "OK."
+ * Fix crash when doing teleport+attack to a fogged village
++ * Fix bug #22042: filesystem content disclosure issue affecting Lua APIs
+
+ Version 1.8.4:
+ * AI:
diff --git a/debian/patches/series b/debian/patches/series
index 57b6465..9b0fc18 100644
--- a/debian/patches/series
+++ b/debian/patches/series
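Review bot: In the new `else` branch of the src/filesystem.cpp change carried by this patch file, `result = game_config::path;` is followed directly by `result += filename.substr(2);` with no separator, while the branch just below builds `game_config::path + "/data/" + filename`, which suggests the path has no trailing slash. If that holds, `./foo` with an empty current_dir resolves to `<path>foo`, a sibling of the game data directory rather than a file inside it; `result = game_config::path + "/";` would keep the lookup under the data path. The hunk also does not show whether `..` components in `filename` are rejected earlier in get_wml_location(), whose body starts and ends outside the hunk, so that is worth confirming before treating this as the complete fix for CVE-2015-0844. A comment on the fallback, e.g. `// Without a current_dir, resolve ./ against the game data path instead of leaving a bare relative path.`, would record why the branch exists, since the existing comment only describes the preprocessor case.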
@@ -1,2 +1,3 @@
 02wesnoth-nolog-desktop-file
 03wesnothd-name
+af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/wesnoth.git _______________________________________________ Pkg-games-commits mailing list Pkg-games-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-games-commits