diff -u wesnoth-1.1+reverted+to+1.0.2/debian/changelog wesnoth-1.1+reverted+to+1.0.2/debian/changelog
--- wesnoth-1.1+reverted+to+1.0.2/debian/changelog
+++ wesnoth-1.1+reverted+to+1.0.2/debian/changelog
@@ -1,3 +1,40 @@ +wesnoth (1.1+reverted+to+1.0.2-0ubuntu1.1) dapper-security; urgency=low + + * SECURITY UPDATE: wesnoth has several vulnerabilities: + + CVE-2007-3917: The multiplayer engine in Wesnoth 1.2.x before 1.2.7 and + 1.3.x before 1.3.9 allows remote servers to cause a denial of service (crash) + via a long message with multibyte characters that can produce an invalid UTF-8 + string after it is truncated, which triggers an uncaught exception, involving + the truncate_message function in server/server.cpp. NOTE: this issue affects + both clients and servers. + + CVE-2007-5742: Directory traversal vulnerability in the WML engine + preprocessor for Wesnoth 1.2.x before 1.2.8, and 1.3.x before 1.3.12, allows + remote attackers to read arbitrary files via ".." sequences in unknown + vectors. + + CVE-2007-6201: Unspecified vulnerability in Wesnoth before 1.2.8 allows + attackers to cause a denial of service (hang) via a "faulty add-on" and + possibly execute other commands via unknown vectors related to the turn_cmd + option + * src/display.cpp, src/map_label.cpp, src/server/server.cpp (2007-3917) + + Applied patch by upstream + + Link 1: http://svn.gna.org/viewcvs/wesnoth/branches/1.2/src/server/server.cpp?rev=20809&r1=20174&r2=20809 + + Link 2: http://svn.gna.org/viewcvs/wesnoth/branches/1.2/src/map_label.cpp?r2=20802&rev=20802&r1=13482&dir_pagestart=50 + + Link 3: http://svn.gna.org/viewcvs/wesnoth/branches/1.2/src/display.cpp?rev=20786&r1=16280&r2=20786 + Those Patches were applied by Debian, too. No regressions known. 
+ * src/serialization/preprocessor.cpp (2007-5742): + + Applied patch by upstream + + Link: http://svn.gna.org/viewcvs/wesnoth/branches/1.2/src/serialization/preprocessor.cpp?rev=21904&r1=12381&r2=21904 + * src/playturn.cpp, src/preferences.cpp (2007-6201): + + Applied patch by upstream + + Link 1: http://svn.gna.org/viewcvs/wesnoth/branches/1.2/src/playsingle_controller.cpp?r2=21907&rev=21907&r1=16732&dir_pagestart=100 + + Link 2: http://svn.gna.org/viewcvs/wesnoth/branches/1.2/src/preferences.cpp?r2=21907&rev=21907&r1=18008&dir_pagestart=100 + * References: + CVE-2007-3917 + CVE-2007-5742 + CVE-2007-6201 + + -- Stephan Hermann Wed, 05 Dec 2007 10:06:37 +0100 + wesnoth (1.1+reverted+to+1.0.2-0ubuntu1) dapper; urgency=low * Revert to 1.0.2 to use stable upstream releases instead of development only in patch2: unchanged: --- wesnoth-1.1+reverted+to+1.0.2.orig/src/serialization/preprocessor.cpp +++ wesnoth-1.1+reverted+to+1.0.2/src/serialization/preprocessor.cpp @@ -651,6 +651,9 @@ LOG_CF << "ignoring reference to '" << newfilename << "'\n"; } else #endif + // Ignore filenames with '..' in them. + if (newfilename.find("..") == std::string::npos) + { #ifndef USE_ZIPIOS //if the filename begins with a '~', then look only in patch2: unchanged: --- wesnoth-1.1+reverted+to+1.0.2.orig/src/display.cpp +++ wesnoth-1.1+reverted+to+1.0.2/src/display.cpp 
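Review bot: The rejection of a filename containing `..` on the new `if` is silent, whereas the `#ifdef` branch directly above logs the reference it ignores, so an operator looking into a misbehaving add-on gets no trace of the blocked include. The brace opened by the added `{` closes outside this hunk, and the matching branch belongs there, e.g. `else { LOG_CF << "ignoring reference to '" << newfilename << "': contains '..'\n"; }`, reusing the logger already visible in the context line. The substring test also rejects benign names such as `a..b`, and it says nothing about absolute paths or the `~` prefix handled further down; whether the lookup code below the hunk confines those cannot be seen from here. The enclosing function starts and ends outside the hunk.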
@@ -2180,7 +2180,14 @@ msg = message; action = false; } - msg = font::word_wrap_text(msg,font::SIZE_SMALL,mapx()*3/4); + try { + // We've had a joker who send an invalid utf-8 message to crash clients + // so now catch the exception and ignore the message. + msg = font::word_wrap_text(msg,font::SIZE_SMALL,mapx()*3/4); + } catch (utils::invalid_utf8_exception&) { + LOG_STREAM(err, engine) << "Invalid utf-8 found, chat message is ignored.\n"; + return; + } int ypos = chat_message_x; for(std::vector::const_iterator m = chat_messages_.begin(); m != chat_messages_.end(); ++m) { only in patch2: unchanged: --- wesnoth-1.1+reverted+to+1.0.2.orig/src/map_label.cpp +++ wesnoth-1.1+reverted+to+1.0.2/src/map_label.cpp @@ -88,11 +88,14 @@ void map_labels::set_label(const gamemap::location& loc, const std::string& str) { - std::string text = str; - if(text.size() > max_label_size) { - text.resize(max_label_size); + // The actual data is wide_strings so test in wide_string mode + // also cutting a wide_string at an arbritary place gives odd + // problems. + wide_string tmp = utils::string_to_wstring(str); + if(tmp.size() > max_label_size) { + tmp.resize(max_label_size); } - + std::string text = utils::wstring_to_string(tmp); const label_map::iterator current_label = labels_.find(loc); if(current_label != labels_.end()) { font::remove_floating_label(current_label->second); only in patch2: unchanged: --- wesnoth-1.1+reverted+to+1.0.2.orig/src/playturn.cpp +++ wesnoth-1.1+reverted+to+1.0.2/src/playturn.cpp 
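Review bot: The new handler catches `utils::invalid_utf8_exception&` by non-const reference although it only logs and returns; `catch (const utils::invalid_utf8_exception&)` states that intent and follows the throw-by-value, catch-by-const-reference convention. The added comment reads `// We've had a joker who send an invalid utf-8 message to crash clients`, where `sent` is meant. The early `return` drops the message with no trace in the chat itself, so the `LOG_STREAM(err, engine)` line is the only record of the rejected input; that is consistent with the comment but worth keeping in mind when reading logs. The enclosing function begins and ends outside this hunk.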
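Review bot: `utils::string_to_wstring(str)` is called on the new side of set_label with no guard, although the display.cpp hunk in this same patch shows the utils layer signalling malformed input by throwing `utils::invalid_utf8_exception`, so a label string that fails decoding would appear to propagate out of set_label rather than be ignored. If string_to_wstring does throw there (it is defined outside the hunk), wrapping the conversion like the chat path, `wide_string tmp; try { tmp = utils::string_to_wstring(str); } catch (const utils::invalid_utf8_exception&) { return; }`, would make the two paths consistent; the same unguarded conversion appears in the server.cpp hunk's truncate_message. Separately, `max_label_size` now bounds code points rather than bytes, so the `text` produced can be several times longer in bytes than before — presumably harmless, but worth confirming nothing downstream relies on the old byte limit. The comment's `arbritary` should read `arbitrary`. set_label's body continues past the hunk.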
@@ -89,11 +89,6 @@ gui::show_dialog(gui,NULL,"",_("It is now your turn"),gui::MESSAGE); } - const std::string& turn_cmd = preferences::turn_cmd(); - if(turn_cmd.empty() == false) { - system(turn_cmd.c_str()); - } - turn_info turn_data(gameinfo,state_of_game,status,terrain_config,level, key,gui,map,teams,team_num,units,turn_info::PLAY_TURN,textbox,network_sender); only in patch2: unchanged: --- wesnoth-1.1+reverted+to+1.0.2.orig/src/preferences.cpp +++ wesnoth-1.1+reverted+to+1.0.2/src/preferences.cpp @@ -428,15 +428,6 @@ prefs["turn_bell"] = (ison ? "yes" : "no"); } -const std::string& turn_cmd() -{ - return prefs["turn_cmd"]; -} - -void set_turn_cmd(const std::string& cmd) -{ - prefs["turn_cmd"] = cmd; -} bool message_bell() { only in patch2: unchanged: --- wesnoth-1.1+reverted+to+1.0.2.orig/src/server/server.cpp +++ wesnoth-1.1+reverted+to+1.0.2/src/server/server.cpp @@ -76,9 +76,11 @@ void truncate_message(t_string& str) { const size_t max_message_length = 240; - std::string newstr = str.str(); + // The string send can contain utf-8 so truncate as wide_string otherwise + // an corrupted utf-8 string can be returned. + wide_string newstr = utils::string_to_wstring(str.str()); newstr.resize(minimum(str.size(),max_message_length)); - str = newstr; + str = utils::wstring_to_string(newstr); } }
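Review bot: The retained line `newstr.resize(minimum(str.size(),max_message_length));` still sizes by `str.size()`, presumably the byte length of the original UTF-8 text, but `newstr` is now a wide_string whose length is the code-point count; for a message with multibyte characters that is under the 240 limit the byte count exceeds the code-point count, so `resize` grows the wide string with NUL characters that `wstring_to_string` then embeds in the returned message. The bound should be taken from the wide string itself, `if (newstr.size() > max_message_length) newstr.resize(max_message_length);`, which also makes the limit mean "240 characters" as the comment intends. Because truncate_message runs in the server on client-supplied text, the unguarded `string_to_wstring` call raised on the map_label.cpp hunk matters more here: if it throws on malformed input (its definition is outside the hunk), one bad message would raise an uncaught exception in the server process, so the conversion should be guarded and the message dropped or logged instead.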