Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
Hi, for fixing CVE-2018-1999023 (see #911950 removal request ...) I propose the following upload and would like to receive an ACK for uploading the fixed package. Find here the corresponding debdiff. It was commited to a dedicated stretch branch on salsa too: -> https://salsa.debian.org/games-team/wesnoth/commit/bef5679dd This corresponds directly to the upstream fix of the issue here: -> https://github.com/wesnoth/wesnoth/commit/d911268a Thanks in advance for considering. I'll add this bug number into the changelog before uploading instead of the removal request one, which makes more sense. :) Enjoy, Rhonda #v+
diff -Nru wesnoth-1.12-1.12.6/debian/changelog wesnoth-1.12-1.12.6/debian/changelog
--- wesnoth-1.12-1.12.6/debian/changelog 2016-05-21 08:48:55.000000000 +0200
+++ wesnoth-1.12-1.12.6/debian/changelog 2018-10-30 10:53:02.000000000 +0100
@@ -1,3 +1,10 @@
+wesnoth-1.12 (1:1.12.6-1+deb9u1) stretch; urgency=low
+
+  * Security fix: disallow loading lua bytecode via load/dofile
+    (CVE-2018-1999023, closes: #911950)
+
+ -- Rhonda D'Vine <rho...@debian.org> Tue, 30 Oct 2018 10:53:02 +0100
+
 wesnoth-1.12 (1:1.12.6-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023 wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023
--- wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023 1970-01-01 01:00:00.000000000 +0100
+++ wesnoth-1.12-1.12.6/debian/patches/04CVE-2018-1999023 2018-10-30 10:53:02.000000000 +0100
@@ -0,0 +1,68 @@
+Author: gfgtdf vim:ft=diff:
+Description: disallow loading lua bytecode via load/dofile (CVE-2018-1999023)
+Origin: upstream, https://github.com/wesnoth/wesnoth/commit/d911268
+
+--- a/src/ai/lua/core.cpp
++++ b/src/ai/lua/core.cpp
+@@ -913,7 +913,7 @@
+ 
+ lua_ai_context* lua_ai_context::create(lua_State *L, char const *code, ai::engine_lua *engine)
+ {
+- int res_ai = luaL_loadstring(L, code);//stack size is now 1 [ -1: ai_context]
++ int res_ai = luaL_loadbufferx(L, code, strlen(code), /*name*/ code, "t"); // [-1: AI code]
+ if (res_ai)
+ {
+ 
+@@ -943,7 +943,7 @@
+ 
+ lua_ai_action_handler* lua_ai_action_handler::create(lua_State *L, char const *code, lua_ai_context &context)
+ {
+- int res = luaL_loadstring(L, code);//stack size is now 1 [ -1: f]
++ int res = luaL_loadbufferx(L, code, strlen(code), /*name*/ code, "t");//stack size is now 1 [ -1: f]
+ if (res)
+ {
+ char const *m = lua_tostring(L, -1);
+--- a/src/lua/lbaselib.cpp
++++ b/src/lua/lbaselib.cpp
+@@ -310,16 +310,17 @@
+ size_t l;
+ const char *s = lua_tolstring(L, 1, &l);
+ const char *mode = luaL_optstring(L, 3, "bt");
++ (void) mode;
+ int env = (!lua_isnone(L, 4) ? 4 : 0); /* 'env' index or 0 if no 'env' */
+ if (s != NULL) { /* loading a string? */
+ const char *chunkname = luaL_optstring(L, 2, s);
+- status = luaL_loadbufferx(L, s, l, chunkname, mode);
++ status = luaL_loadbufferx(L, s, l, chunkname, "t");
+ }
+ else { /* loading from a reader function */
+ const char *chunkname = luaL_optstring(L, 2, "=(load)");
+ luaL_checktype(L, 1, LUA_TFUNCTION);
+ lua_settop(L, RESERVEDSLOT); /* create reserved slot */
+- status = lua_load(L, generic_reader, NULL, chunkname, mode);
++ status = lua_load(L, generic_reader, NULL, chunkname, "t");
+ }
+ return load_aux(L, status, env);
+ }
+--- a/src/scripting/lua.cpp
++++ b/src/scripting/lua.cpp
+@@ -1052,7 +1052,7 @@
+ //lua uses '@' to know that this is a file (as opposed to a something as opposed to something loaded via loadstring )
+ std::string chunkname = '@' + fname;
+ LOG_LUA << "starting to read from " << fname << "\n";
+- return lua_load(L, &lua_filestream::lua_read_data, &lfs, chunkname.c_str(), NULL);
++ return lua_load(L, &lua_filestream::lua_read_data, &lfs, chunkname.c_str(), "t");
+ }
+ private:
+ char buff_[LUAL_BUFFERSIZE];
+@@ -4239,7 +4239,9 @@
+ lua_State *L = mState;
+ 
+ // Compile script into a variadic function.
+- int res = luaL_loadstring(L, prog);
++ // pass 't' to prevent loading bytecode which is unsafe and can be used to escape the sandbox.
++ // todo: maybe allow a 'name' parameter to give better error messages.
++ int res = luaL_loadbufferx(L, prog, strlen(prog), /*name*/ prog, "t");
+ if (res)
+ {
+ char const *m = lua_tostring(L, -1);
diff -Nru wesnoth-1.12-1.12.6/debian/patches/series wesnoth-1.12-1.12.6/debian/patches/series
--- wesnoth-1.12-1.12.6/debian/patches/series 2014-11-24 10:27:24.000000000 +0100
+++ wesnoth-1.12-1.12.6/debian/patches/series 2018-10-30 10:29:29.000000000 +0100
@@ -1,2 +1,3 @@
 02wesnoth-nolog-desktop-file
 03wesnothd-name
+04CVE-2018-1999023
#v-
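Review bot: In the lbaselib.cpp hunk the third argument is still fetched with `luaL_optstring(L, 3, "bt")` and then dropped by `(void) mode;`, so a script that asks for mode "b" silently gets a text-only load and nothing in the code says this is intentional; a short comment such as `/* 'mode' is read only for argument checking and deliberately ignored: bytecode loading is disabled (CVE-2018-1999023) */` would stop a later maintainer from "restoring" it. The new `strlen(code)` and `strlen(prog)` calls in core.cpp and scripting/lua.cpp presumably rely on `<cstring>` already being reachable in those translation units; the hunks add no include, so the stretch build should be checked rather than assumed. The patch forces text mode for `load`, for the `lua_filestream` reader at lua.cpp:1052 and for the AI and script compile paths, but not for the `luaL_loadfilex`-based loaders of the bundled Lua (`loadfile`, `dofile`, `require`); if the kernel does not already remove those globals from the sandbox they need the same `"t"` restriction, which this page does not show either way. Every enclosing function here starts and ends outside the shown hunks.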