private file disclosure issue (CVE-2015-0844)

Bug #1445688 reported by Rhonda D'Vine
This bug affects 2 people
Affects                   Status   Importance   Assigned to   Milestone
trusty-backports                   Undecided    Unassigned
utopic-backports                   Undecided    Unassigned
wesnoth-1.10 (Ubuntu)              Undecided    Unassigned
  Precise                          Undecided    Unassigned
  Trusty                           Undecided    Unassigned
  Utopic                           Undecided    Unassigned
wesnoth-1.12 (Ubuntu)              Undecided    Unassigned
  Precise                          Undecided    Unassigned
  Trusty                           Undecided    Unassigned
  Utopic                           Undecided    Unassigned

Bug Description

See https://www.debian.org/security/2015/dsa-3218

I'm currently in the process of creating the patches, will attach them later. :)

Rhonda D'Vine (rhonda) wrote :
tags: added: patch
Seth Arnold (seth-arnold) wrote :

Thanks; I reformatted the changelogs slightly for consistency with our other security updates and so that this bug will be automatically closed when the packages are released; the packages are building now, and I should release them tomorrow if the builds succeed on the build servers.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wesnoth-1.10 - 1:1.10.2-1ubuntu1

---------------
wesnoth-1.10 (1:1.10.2-1ubuntu1) precise-security; urgency=low

  * SECURITY UPDATE: Pull af61f9fd from upstream to fix "Private file
    disclosure through get_wml_location()" (LP: #1445688)
    - CVE-2015-0844
 -- Rhonda D'Vine <email address hidden> Fri, 17 Apr 2015 23:57:16 +0200

Changed in wesnoth-1.10 (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wesnoth-1.10 - 1:1.10.7-1ubuntu0.14.10.1

---------------
wesnoth-1.10 (1:1.10.7-1ubuntu0.14.10.1) utopic-security; urgency=low

  * SECURITY UPDATE: Pull af61f9fd from upstream to fix "Private file
    disclosure through get_wml_location()" (LP: #1445688)
    - CVE-2015-0844
 -- Rhonda D'Vine <email address hidden> Fri, 17 Apr 2015 23:57:16 +0200

Changed in wesnoth-1.10 (Ubuntu Utopic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wesnoth-1.10 - 1:1.10.7-1ubuntu0.14.04.1

---------------
wesnoth-1.10 (1:1.10.7-1ubuntu0.14.04.1) trusty-security; urgency=low

  * SECURITY UPDATE: Pull af61f9fd from upstream to fix "Private file
    disclosure through get_wml_location()" (LP: #1445688)
    - CVE-2015-0844
 -- Rhonda D'Vine <email address hidden> Fri, 17 Apr 2015 23:57:16 +0200

Changed in wesnoth-1.10 (Ubuntu Trusty):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Rhonda, the fixes are released.

Marc Deslauriers (mdeslaur) wrote :

This is fixed already in vivid, closing bug.

Changed in wesnoth-1.10 (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in wesnoth-1.12 (Ubuntu Precise):
status: New → Confirmed
Changed in wesnoth-1.12 (Ubuntu Trusty):
status: New → Confirmed
Changed in wesnoth-1.12 (Ubuntu Utopic):
status: New → Confirmed
Changed in wesnoth-1.12 (Ubuntu):
status: New → Confirmed
Steve Beattie (sbeattie) wrote :

For wesnoth-1.12, this was fixed with the 1:1.12.2-1 upload, which is both in vivid and wily, closing the tasks there. Precise does not have the package at all. For trusty and utopic, these packages were provided by the ubuntu-backports project https://launchpad.net/ubp ; you'll need to file a request with them to update wesnoth-1.12 (see https://wiki.ubuntu.com/UbuntuBackports for more details on the backports update process).

Changed in wesnoth-1.12 (Ubuntu):
status: Confirmed → Fix Released
Changed in wesnoth-1.12 (Ubuntu Utopic):
status: Confirmed → Fix Released
status: Fix Released → Invalid
Changed in wesnoth-1.12 (Ubuntu Trusty):
status: Confirmed → Invalid
Changed in wesnoth-1.12 (Ubuntu Precise):
status: Confirmed → Invalid
anatoly techtonik (techtonik) wrote :

Sorry, this security issue is not fixed for trusty yet.

Changed in wesnoth-1.12 (Ubuntu Trusty):
status: Invalid → New
anatoly techtonik (techtonik) wrote :

I don't understand what I need to do on this page https://wiki.ubuntu.com/UbuntuBackports

Daniel Holbach (dholbach) wrote :

You might have to file a bug on https://launchpad.net/trusty-backports

Changed in wesnoth-1.12 (Ubuntu Trusty):
status: New → Fix Released
anatoly techtonik (techtonik) wrote :

@dholbach, but this is a lie - https://launchpad.net/ubuntu/+source/wesnoth-1.12 - the fix for this package is not released for Trusty. Users are still affected by the CVE. You don't care, right? Maybe there should be a change in the Ubuntu process regarding communication with backports.

I didn't find a way to add trusty-backports as affected by this bug. It is either because you changed permissions, or because there is no such feature in Launchpad?

Scott Kitterman (kitterman) wrote :

No. It's not a lie. Trusty backports bugs are not handled within the Ubuntu project tasks, but under a separate project that I've added now. What it is, is someone rushing to make an accusation because they don't understand how the project is managed.

As described in https://help.ubuntu.com/community/UbuntuBackports someone needs to verify that the newer backport builds, installs, and runs on trusty. Once that's done, I'll be glad to upload it.

Changed in trusty-backports:
status: New → Confirmed
Changed in wesnoth-1.12 (Ubuntu Trusty):
status: Fix Released → Invalid
anatoly techtonik (techtonik) wrote : Re: [Bug 1445688] Re: private file disclosure issue (CVE-2015-0844)

On Fri, May 15, 2015 at 9:23 AM, Scott Kitterman <email address hidden> wrote:
> No. It's not a lie. Trusty backports bugs are not handled within the
> Ubuntu project tasks, but under a separate project that I've added now.
> What it is, is someone rushing to make an accusation because they don't
> understand how the project is managed.

The lie is to say that the fix for Wesnoth 1.12 Trusty is released.
Because it is not.

> As described in https://help.ubuntu.com/community/UbuntuBackports
> someone needs to verify that the newer backport builds, installs, and
> runs on trusty. Once that's done, I'll be glad to upload it.

This is also not true. This page doesn't describe how to verify that.

Micah Gersten (micahg) wrote :

I filed Bug #1456775 which has all the information for testing and a link to my PPA where packages are building to test.

Micah Gersten (micahg) wrote :

Sorry, this is for trusty and utopic backports

This report contains Public Security information
Everyone can see this security related information.