[wesnoth] 01/01: Pull af61f9fd from upstream to fix Private file disclosure through get_wml_location() (CVE-2015-0844)
This is an automated email from the git hooks/post-receive script. rhonda pushed a commit to branch wheezy in repository wesnoth. commit 2b2090f9f60bbe3bbd477e142958073f009aa083 Author: Rhonda D'Vine rho...@debian.org Date: Wed Apr 8 11:06:41 2015 +0200 Pull af61f9fd from upstream to fix Private file disclosure through get_wml_location() (CVE-2015-0844) --- debian/changelog | 7 +++ debian/control | 2 +- debian/control.in | 2 +- .../af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch | 53 ++ debian/patches/series | 1 + 5 files changed, 63 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 755abc3..a1c3985 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +wesnoth-1.10 (1:1.10.3-3+deb7u1) wheezy-security; urgency=high + + * Pull af61f9fd from upstream to fix Private file disclosure through +get_wml_location() (CVE-2015-0844) + + -- Rhonda D'Vine rho...@debian.org Wed, 08 Apr 2015 11:05:06 +0200 + wesnoth-1.10 (1:1.10.3-3) unstable; urgency=low * Team upload. diff --git a/debian/control b/debian/control index bd8403b..cb34250 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Build-Depends: debhelper (= 7), libsdl-image1.2-dev, libfreetype6-dev, libboost-program-options-dev, libpango1.0-dev, cmake (= 2.6) Standards-Version: 3.9.3 -Uploaders: Gerfried Fuchs rho...@debian.org +Uploaders: Rhonda D'Vine rho...@debian.org Homepage: http://wesnoth.org/ Vcs-Git: git://git.debian.org/git/pkg-games/wesnoth.git Vcs-Browser: http://git.debian.org/?p=pkg-games/wesnoth.git;a=summary diff --git a/debian/control.in b/debian/control.in index e9ae495..548d6cf 100644 --- a/debian/control.in +++ b/debian/control.in 
@@ -10,7 +10,7 @@ Build-Depends: debhelper (= 7), libsdl-image1.2-dev, libfreetype6-dev, libboost-program-options-dev, libpango1.0-dev, cmake (= 2.6) Standards-Version: 3.9.3 -Uploaders: Gerfried Fuchs rho...@debian.org +Uploaders: Rhonda D'Vine rho...@debian.org Homepage: http://wesnoth.org/ Vcs-Git: git://git.debian.org/git/pkg-games/wesnoth.git Vcs-Browser: http://git.debian.org/?p=pkg-games/wesnoth.git;a=summary diff --git a/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch new file mode 100644 index 000..30f58a3 --- /dev/null +++ b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch 
@@ -0,0 +1,53 @@
+From af61f9fdd15cd439da9e2fe5fa39d174c923eaae Mon Sep 17 00:00:00 2001
+From: Ignacio R. Morelle shad...@wesnoth.org
+Date: Fri, 16 May 2014 01:45:18 -0400
+Subject: [PATCH] fs: Use game data path to resolve ./ in the absence of a
+ current_dir
+
+Fixes a file content disclosure bug (#22042) affecting functionality
+relying on the get_wml_location() function and not passing a non-empty
+value for the current_dir parameter.
+
+See https://gna.org/bugs/?22042 for details.
+
+This is a candidate for the 1.10 and 1.12 branches.
+
+(Backported from master, commit 314425ab0e57b32909d324f7d4bf213d62cbd3b5.)
+---
+ changelog | 1 +
+ src/filesystem.cpp | 14 --
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/src/filesystem.cpp b/src/filesystem.cpp
+@@ -1169,8 +1169,18 @@
+ else if (filename.size() = 2 filename[0] == '.' filename[1] == '/')
+ {
+ // If the filename begins with a ./, look in the same directory
+- // as the file currrently being preprocessed.
+- result = current_dir + filename.substr(2);
++ // as the file currently being preprocessed.
++
++ if (!current_dir.empty())
++ {
++ result = current_dir;
++ }
++ else
++ {
++ result = game_config::path;
++ }
++
++ result += filename.substr(2);
+ }
+ else if (!game_config::path.empty())
+ result = game_config::path + /data/ + filename;
+--- a/changelog b/changelog
+@@ -47,6 +47,7 @@
+* Added shroud_data to the inspection window (FR #19623).
+* Fixed: Wrong current side number after side turns (bug #19735)
+ It also affected the lua field wesnoth.current.side
++ * Fix bug #22042: filesystem content disclosure issue affecting Lua APIs
+
+ Version 1.10.2:
+ * Campaigns:
diff --git a/debian/patches/series b/debian/patches/series
index 57b6465..9b0fc18 100644
--- a/debian/patches/series
+++ b/debian/patches/series
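Review bot: In the src/filesystem.cpp hunk carried by this patch file, the new else arm sets `result = game_config::path;` and then runs `result += filename.substr(2);` with no separator, so `./foo.cfg` would resolve to `<game_config::path>foo.cfg` if game_config::path has no trailing slash. The next branch's `game_config::path + /data/ + filename` suggests it has none, although its definition is not visible here. The lookup would then land beside the game data directory rather than inside it, so consider `result = game_config::path + "/";` in the else arm, with a comment such as `// Empty current_dir: anchor ./ to the game data dir, never the process CWD (bug #22042).`. The hunk also does not show whether the remainder after `./` is checked for `..` components; get_wml_location() starts and ends outside the hunk, so that needs confirming in the full function. The jessie commit further down this page adds the same patch file, and the point applies there as well.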
@@ -1,2 +1,3 @@
 02wesnoth-nolog-desktop-file
 03wesnothd-name
+af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/wesnoth.git ___ Pkg-games-commits mailing list
[wesnoth] 01/01: Pull af61f9fd from upstream to fix Private file disclosure through get_wml_location() (CVE-2015-0844)
This is an automated email from the git hooks/post-receive script. rhonda pushed a commit to branch jessie in repository wesnoth. commit c54978a434ae461a4d60706de79e31fa4fdd2b63 Author: Rhonda D'Vine rho...@debian.org Date: Wed Apr 8 11:30:45 2015 +0200 Pull af61f9fd from upstream to fix Private file disclosure through get_wml_location() (CVE-2015-0844) --- debian/changelog | 7 +++ debian/control | 2 +- debian/control.in | 2 +- .../af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch | 53 ++ debian/patches/series | 1 + 5 files changed, 63 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index a05ad6f..94c23e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +wesnoth-1.10 (1:1.10.7-2) unstable; urgency=high + + * Pull af61f9fd from upstream to fix Private file disclosure through +get_wml_location() (CVE-2015-0844) + + -- Rhonda D'Vine rho...@debian.org Wed, 08 Apr 2015 11:05:06 +0200 + wesnoth-1.10 (1:1.10.7-1) unstable; urgency=low * New upstream stable release. diff --git a/debian/control b/debian/control index d60ef6f..c087f39 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Build-Depends: debhelper (= 7), libsdl-image1.2-dev, libfreetype6-dev, libboost-program-options-dev, libpango1.0-dev, cmake (= 2.6) Standards-Version: 3.9.4 -Uploaders: Gerfried Fuchs rho...@debian.org, +Uploaders: Rhonda D'Vine rho...@debian.org, Vincent Cheng vincentc1...@gmail.com Homepage: http://wesnoth.org/ Vcs-Git: git://anonscm.debian.org/pkg-games/wesnoth.git diff --git a/debian/control.in b/debian/control.in index 19aff1b..645856b 100644 --- a/debian/control.in +++ b/debian/control.in 
@@ -10,7 +10,7 @@ Build-Depends: debhelper (= 7), libsdl-image1.2-dev, libfreetype6-dev, libboost-program-options-dev, libpango1.0-dev, cmake (= 2.6) Standards-Version: 3.9.4 -Uploaders: Gerfried Fuchs rho...@debian.org, +Uploaders: Rhonda D'Vine rho...@debian.org, Vincent Cheng vincentc1...@gmail.com Homepage: http://wesnoth.org/ Vcs-Git: git://anonscm.debian.org/pkg-games/wesnoth.git diff --git a/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch new file mode 100644 index 000..6235cda --- /dev/null +++ b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch 
@@ -0,0 +1,53 @@
+From af61f9fdd15cd439da9e2fe5fa39d174c923eaae Mon Sep 17 00:00:00 2001
+From: Ignacio R. Morelle shad...@wesnoth.org
+Date: Fri, 16 May 2014 01:45:18 -0400
+Subject: [PATCH] fs: Use game data path to resolve ./ in the absence of a
+ current_dir
+
+Fixes a file content disclosure bug (#22042) affecting functionality
+relying on the get_wml_location() function and not passing a non-empty
+value for the current_dir parameter.
+
+See https://gna.org/bugs/?22042 for details.
+
+This is a candidate for the 1.10 and 1.12 branches.
+
+(Backported from master, commit 314425ab0e57b32909d324f7d4bf213d62cbd3b5.)
+---
+ changelog | 1 +
+ src/filesystem.cpp | 14 --
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/src/filesystem.cpp b/src/filesystem.cpp
+@@ -1170,8 +1170,18 @@
+ else if (filename.size() = 2 filename[0] == '.' filename[1] == '/')
+ {
+ // If the filename begins with a ./, look in the same directory
+- // as the file currrently being preprocessed.
+- result = current_dir + filename.substr(2);
++ // as the file currently being preprocessed.
++
++ if (!current_dir.empty())
++ {
++ result = current_dir;
++ }
++ else
++ {
++ result = game_config::path;
++ }
++
++ result += filename.substr(2);
+ }
+ else if (!game_config::path.empty())
+ result = game_config::path + /data/ + filename;
+--- a/changelog b/changelog
+@@ -29,6 +29,7 @@
+ replays).
+* Backported several bugfixes for wmllint (Windows-unfriendliness on the
+ command line, unusual crashers, underscores stripped from keys).
++ * Fix bug #22042: filesystem content disclosure issue affecting Lua APIs
+
+ Version 1.10.6:
+ * Campaigns:
diff --git a/debian/patches/series b/debian/patches/series
index 57b6465..9b0fc18 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 02wesnoth-nolog-desktop-file
 03wesnothd-name
+af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/wesnoth.git ___ Pkg-games-commits mailing list Pkg-games-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-games-commits