[SECURITY] [DLA 297-1] wesnoth-1.8 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 297-1] wesnoth-1.8 security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Sat, 22 Aug 2015 11:19:10 +0200 (CEST)
Message-id: <[🔎] alpine.DEB.2.02.1508221117410.8748@jupiter.server.alteholz.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : wesnoth-1.8
Version        : 1:1.8.5-1+deb6u2
CVE ID         : CVE-2015-5069 CVE-2015-5070

 Wesnoth implements a text preprocessing language that is used in
 conjunction with its own game scripting language. It also has a
 built-in Lua interpreter and API.
 Both the Lua API and the preprocessor make use of the same function
 (filesystem::get_wml_location()) to resolve file paths so that only
 content from the user's data directory can be read.

 However, the function did not explicitly disallow files with the .pbl
 extension. The contents of these files could thus be stored in saved
 game files or even transmitted directly to other users in a networked
 game. Among the information that's compromised is a user-defined
 passphrase used to authenticate uploads to the game's content server.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJV2D6OXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHcFQP+gM3c5Mh22o4P35c2optotfd
W5FUURUPjkH2IS4dTZMH3HatAmR61fngDUFkokY5/Ubt0fQhqXdu7wUaqiPPrHQG
DTGA11bWt+CjgNVVs790AVNz16gTtblIsQxukl4XkQ2sr5r3oEJWRTkhVhUMWsCb
mf+ahiGau56RTSGDQuANrfqZ9m/wuU5pTtflzct7xpvef/GYhnVKv3pHx6ebheYr
11fXCvzXvO6S9CKUjjpuD59Hxm83JL5SsI2VAcuY19J40cSXPksyJFHlXAPc+41u
ByWvZa0ulNMmRMI3p3GZIq3zzDA0ut0r5qTZO0YqipVAqpV9IOod7fclQqd9MjUZ
Uhz658ELXRUAHtLlqIkEiYpnUmrqFi3bUVBveJjK60JGAvmwcTs5LPagMBoO8Ld/
3FjHt1lC4oB0rFFSsDDS2LX3MS4ACvejuIZAt2t4GC1pP8fpaHcxMU0it07EEK8q
jHKFlR8aaL6fDxrwZNoZTIAPku+YsjH62SxBoRSb3E7W4fls5t2iFBy6/oRBzzia
4jf7b+ZaM1kl22rSjhtCxMuptwXlOVgKa8JHRZ2LickHCh7pAcxfUmMgy1W60H/X
dKagaonPYO650R/mWpjuL47Tbuh+WdheLNa1zUo8ubZGqsy39jg/fSMhddXEtbpU
1dRnrcrW4iut7Em8ctts
=TfpZ
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 296-1] extplorer security update
Next by Date: [SECURITY] [DLA 298-1] roundup security update
Previous by thread: [SECURITY] [DLA 296-1] extplorer security update
Next by thread: [SECURITY] [DLA 298-1] roundup security update
Index(es):
- Date
- Thread