[wesnoth] 01/01: Pull af61f9fd from upstream to fix Private file disclosure through get_wml_location() (CVE-2015-0844)
This is an automated email from the git hooks/post-receive script.
rhonda pushed a commit to branch wheezy
in repository wesnoth.
commit 2b2090f9f60bbe3bbd477e142958073f009aa083
Author: Rhonda D'Vine rho...@debian.org
Date: Wed Apr 8 11:06:41 2015 +0200
Pull af61f9fd from upstream to fix Private file disclosure through
get_wml_location() (CVE-2015-0844)
---
debian/changelog | 7 +++
debian/control | 2 +-
debian/control.in | 2 +-
.../af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch | 53 ++
debian/patches/series | 1 +
5 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 755abc3..a1c3985 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wesnoth-1.10 (1:1.10.3-3+deb7u1) wheezy-security; urgency=high
+
+ * Pull af61f9fd from upstream to fix Private file disclosure through
+get_wml_location() (CVE-2015-0844)
+
+ -- Rhonda D'Vine rho...@debian.org Wed, 08 Apr 2015 11:05:06 +0200
+
wesnoth-1.10 (1:1.10.3-3) unstable; urgency=low
* Team upload.
diff --git a/debian/control b/debian/control
index bd8403b..cb34250 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends: debhelper (= 7), libsdl-image1.2-dev,
libfreetype6-dev,
libboost-program-options-dev,
libpango1.0-dev, cmake (= 2.6)
Standards-Version: 3.9.3
-Uploaders: Gerfried Fuchs rho...@debian.org
+Uploaders: Rhonda D'Vine rho...@debian.org
Homepage: http://wesnoth.org/
Vcs-Git: git://git.debian.org/git/pkg-games/wesnoth.git
Vcs-Browser: http://git.debian.org/?p=pkg-games/wesnoth.git;a=summary
diff --git a/debian/control.in b/debian/control.in
index e9ae495..548d6cf 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -10,7 +10,7 @@ Build-Depends: debhelper (= 7), libsdl-image1.2-dev,
libfreetype6-dev,
libboost-program-options-dev,
libpango1.0-dev, cmake (= 2.6)
Standards-Version: 3.9.3
-Uploaders: Gerfried Fuchs rho...@debian.org
+Uploaders: Rhonda D'Vine rho...@debian.org
Homepage: http://wesnoth.org/
Vcs-Git: git://git.debian.org/git/pkg-games/wesnoth.git
Vcs-Browser: http://git.debian.org/?p=pkg-games/wesnoth.git;a=summary
diff --git a/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
new file mode 100644
index 000..30f58a3
--- /dev/null
+++ b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
@@ -0,0 +1,53 @@
+From af61f9fdd15cd439da9e2fe5fa39d174c923eaae Mon Sep 17 00:00:00 2001
+From: Ignacio R. Morelle shad...@wesnoth.org
+Date: Fri, 16 May 2014 01:45:18 -0400
+Subject: [PATCH] fs: Use game data path to resolve ./ in the absence of a
+ current_dir
+
+Fixes a file content disclosure bug (#22042) affecting functionality
+relying on the get_wml_location() function and not passing a non-empty
+value for the current_dir parameter.
+
+See https://gna.org/bugs/?22042 for details.
+
+This is a candidate for the 1.10 and 1.12 branches.
+
+(Backported from master, commit 314425ab0e57b32909d324f7d4bf213d62cbd3b5.)
+---
+ changelog | 1 +
+ src/filesystem.cpp | 14 --
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/src/filesystem.cpp
b/src/filesystem.cpp
+@@ -1169,8 +1169,18 @@
+ else if (filename.size() = 2 filename[0] == '.' filename[1] ==
'/')
+ {
+ // If the filename begins with a ./, look in the same
directory
+- // as the file currrently being preprocessed.
+- result = current_dir + filename.substr(2);
++ // as the file currently being preprocessed.
++
++ if (!current_dir.empty())
++ {
++ result = current_dir;
++ }
++ else
++ {
++ result = game_config::path;
++ }
++
++ result += filename.substr(2);
+ }
+ else if (!game_config::path.empty())
+ result = game_config::path + /data/ + filename;
+--- a/changelog
b/changelog
+@@ -47,6 +47,7 @@
+* Added shroud_data to the inspection window (FR #19623).
+* Fixed: Wrong current side number after side turns (bug #19735)
+ It also affected the lua field wesnoth.current.side
++ * Fix bug #22042: filesystem content disclosure issue affecting Lua APIs
+
+ Version 1.10.2:
+ * Campaigns:
diff --git a/debian/patches/series b/debian/patches/series
index 57b6465..9b0fc18 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
02wesnoth-nolog-desktop-file
03wesnothd-name
+af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
--
Alioth's /usr/local/bin/git-commit-notice on
/srv/git.debian.org/git/pkg-games/wesnoth.git
___
Pkg-games-commits mailing list
[wesnoth] 01/01: Pull af61f9fd from upstream to fix Private file disclosure through get_wml_location() (CVE-2015-0844)
This is an automated email from the git hooks/post-receive script.
rhonda pushed a commit to branch jessie
in repository wesnoth.
commit c54978a434ae461a4d60706de79e31fa4fdd2b63
Author: Rhonda D'Vine rho...@debian.org
Date: Wed Apr 8 11:30:45 2015 +0200
Pull af61f9fd from upstream to fix Private file disclosure through
get_wml_location() (CVE-2015-0844)
---
debian/changelog | 7 +++
debian/control | 2 +-
debian/control.in | 2 +-
.../af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch | 53 ++
debian/patches/series | 1 +
5 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index a05ad6f..94c23e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wesnoth-1.10 (1:1.10.7-2) unstable; urgency=high
+
+ * Pull af61f9fd from upstream to fix Private file disclosure through
+get_wml_location() (CVE-2015-0844)
+
+ -- Rhonda D'Vine rho...@debian.org Wed, 08 Apr 2015 11:05:06 +0200
+
wesnoth-1.10 (1:1.10.7-1) unstable; urgency=low
* New upstream stable release.
diff --git a/debian/control b/debian/control
index d60ef6f..c087f39 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends: debhelper (= 7), libsdl-image1.2-dev,
libfreetype6-dev,
libboost-program-options-dev,
libpango1.0-dev, cmake (= 2.6)
Standards-Version: 3.9.4
-Uploaders: Gerfried Fuchs rho...@debian.org,
+Uploaders: Rhonda D'Vine rho...@debian.org,
Vincent Cheng vincentc1...@gmail.com
Homepage: http://wesnoth.org/
Vcs-Git: git://anonscm.debian.org/pkg-games/wesnoth.git
diff --git a/debian/control.in b/debian/control.in
index 19aff1b..645856b 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -10,7 +10,7 @@ Build-Depends: debhelper (= 7), libsdl-image1.2-dev,
libfreetype6-dev,
libboost-program-options-dev,
libpango1.0-dev, cmake (= 2.6)
Standards-Version: 3.9.4
-Uploaders: Gerfried Fuchs rho...@debian.org,
+Uploaders: Rhonda D'Vine rho...@debian.org,
Vincent Cheng vincentc1...@gmail.com
Homepage: http://wesnoth.org/
Vcs-Git: git://anonscm.debian.org/pkg-games/wesnoth.git
diff --git a/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
new file mode 100644
index 000..6235cda
--- /dev/null
+++ b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
@@ -0,0 +1,53 @@
+From af61f9fdd15cd439da9e2fe5fa39d174c923eaae Mon Sep 17 00:00:00 2001
+From: Ignacio R. Morelle shad...@wesnoth.org
+Date: Fri, 16 May 2014 01:45:18 -0400
+Subject: [PATCH] fs: Use game data path to resolve ./ in the absence of a
+ current_dir
+
+Fixes a file content disclosure bug (#22042) affecting functionality
+relying on the get_wml_location() function and not passing a non-empty
+value for the current_dir parameter.
+
+See https://gna.org/bugs/?22042 for details.
+
+This is a candidate for the 1.10 and 1.12 branches.
+
+(Backported from master, commit 314425ab0e57b32909d324f7d4bf213d62cbd3b5.)
+---
+ changelog | 1 +
+ src/filesystem.cpp | 14 --
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/src/filesystem.cpp
b/src/filesystem.cpp
+@@ -1170,8 +1170,18 @@
+ else if (filename.size() = 2 filename[0] == '.' filename[1] ==
'/')
+ {
+ // If the filename begins with a ./, look in the same
directory
+- // as the file currrently being preprocessed.
+- result = current_dir + filename.substr(2);
++ // as the file currently being preprocessed.
++
++ if (!current_dir.empty())
++ {
++ result = current_dir;
++ }
++ else
++ {
++ result = game_config::path;
++ }
++
++ result += filename.substr(2);
+ }
+ else if (!game_config::path.empty())
+ result = game_config::path + /data/ + filename;
+--- a/changelog
b/changelog
+@@ -29,6 +29,7 @@
+ replays).
+* Backported several bugfixes for wmllint (Windows-unfriendliness on the
+ command line, unusual crashers, underscores stripped from keys).
++ * Fix bug #22042: filesystem content disclosure issue affecting Lua APIs
+
+ Version 1.10.6:
+ * Campaigns:
diff --git a/debian/patches/series b/debian/patches/series
index 57b6465..9b0fc18 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
02wesnoth-nolog-desktop-file
03wesnothd-name
+af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
--
Alioth's /usr/local/bin/git-commit-notice on
/srv/git.debian.org/git/pkg-games/wesnoth.git
___
Pkg-games-commits mailing list
Pkg-games-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-games-commits
