diff -u wesnoth-1.4.5/debian/control wesnoth-1.4.5/debian/control --- wesnoth-1.4.5/debian/control +++ wesnoth-1.4.5/debian/control @@ -1,10 +1,11 @@ Source: wesnoth Section: games Priority: optional -Maintainer: Debian Games Team +Maintainer: Ubuntu MOTU Developers +XSBC-Original-Maintainer: Debian Games Team Build-Depends: debhelper (>= 5), quilt, libsdl-image1.2-dev, libfreetype6-dev, libsdl-mixer1.2-dev, libsdl-net1.2-dev, libfribidi-dev, libsdl1.2-dev, - python-dev (>= 2.3), python-support, + python-support, libboost-iostreams-dev, libboost-test-dev Standards-Version: 3.8.0 Uploaders: Isaac Clerencia , Cyril Bouthors , Gerfried Fuchs diff -u wesnoth-1.4.5/debian/rules wesnoth-1.4.5/debian/rules --- wesnoth-1.4.5/debian/rules +++ wesnoth-1.4.5/debian/rules @@ -21,7 +21,7 @@ CFLAGS += -O2 endif -CONFIGURE_SWITCHES = --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --disable-rpath --prefix=/usr --mandir=\$${prefix}/share/man --bindir=\$${prefix}/games --with-datadir-name=wesnoth --with-localedir=\$${prefix}/share/locale --with-fifodir=/var/run/wesnothd --datadir=\$${prefix}/share/games --enable-editor --enable-server --enable-python --with-fribidi --enable-python-install CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs" +CONFIGURE_SWITCHES = --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --disable-rpath --prefix=/usr --mandir=\$${prefix}/share/man --bindir=\$${prefix}/games --with-datadir-name=wesnoth --with-localedir=\$${prefix}/share/locale --with-fifodir=/var/run/wesnothd --datadir=\$${prefix}/share/games --enable-editor --enable-server --disable-python --with-fribidi --enable-python-install CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs" # calculate the version strings diff -u wesnoth-1.4.5/debian/changelog wesnoth-1.4.5/debian/changelog --- wesnoth-1.4.5/debian/changelog +++ wesnoth-1.4.5/debian/changelog 
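Review bot: The new CONFIGURE_SWITCHES line in debian/rules passes `--disable-python` but still carries `--enable-python-install` two options later, so one configure run is asked both to disable Python support and to install Python components. What configure does with that combination is not visible in this hunk. If the install switch only covers helper tools unrelated to the AI, a comment above the assignment should say so; otherwise it should be dropped with the rest of the Python support for CVE-2009-0367. A post-build check that the shipped binaries no longer link against libpython would confirm the switch took effect.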
@@ -1,3 +1,26 @@
+wesnoth (1:1.4.5-1ubuntu0.1) intrepid-security; urgency=low
+
+ * SECURITY UPDATE: arbitrary code execution via python AI (LP: #336396)
+ - debian/control: remove python-dev from Build-Dependencies
+ - debian/rules: Compile with --disable-python
+ - debian/wesnoth-data.install: Don't install data/ais into
+ - debian/patches/04wesnoth-did-ai-fix: upstream svn r33013 for above
+ changes
+ - Patch based on work by Gerfried Fuchs
+ - CVE-2009-0367
+ * SECURITY UPDATE: denial of service large compressed WML document
+ - debian/patches/03fix-server-dos: check size of WML document in
+ simple_wml.cpp
+ - Patch based on work by Gerfried Fuchs
+ - CVE-2009-0366
+ * SECURITY UPDATE: denial of service via crafted map
+ - debian/patches/05limit-mapsize: verify map size in
+ terrain_translation.cpp and terrain_translation.hpp
+ - Patch based on work by Gerfried Fuchs
+ - CVE-2009-0878
+
+ -- Jamie Strandboge Fri, 20 Mar 2009 08:35:09 -0500
+
 wesnoth (1:1.4.5-1) unstable; urgency=low
 
 * New stable upstream release, bugfixes and translation updates.
diff -u wesnoth-1.4.5/debian/wesnoth-data.install wesnoth-1.4.5/debian/wesnoth-data.install
--- wesnoth-1.4.5/debian/wesnoth-data.install
+++ wesnoth-1.4.5/debian/wesnoth-data.install
@@ -1,7 +1,6 @@
 debian/overrides/wesnoth-data /usr/share/lintian/overrides
 debian/tmp/usr/share/games/wesnoth/data/*.cfg
 debian/tmp/usr/share/games/wesnoth/data/COPYING.txt
-debian/tmp/usr/share/games/wesnoth/data/ais
 debian/tmp/usr/share/games/wesnoth/data/campaigns/tutorial
 debian/tmp/usr/share/games/wesnoth/data/core/*.cfg
 debian/tmp/usr/share/games/wesnoth/data/core/README
diff -u wesnoth-1.4.5/debian/patches/series wesnoth-1.4.5/debian/patches/series
--- wesnoth-1.4.5/debian/patches/series
+++ wesnoth-1.4.5/debian/patches/series
@@ -1,0 +2,3 @@
+03fix-server-dos.patch
+04wesnoth-did-ai-fix.patch
+05limit-mapsize.patch
only in patch2:
unchanged:
--- wesnoth-1.4.5.orig/debian/patches/03fix-server-dos.patch
+++ wesnoth-1.4.5/debian/patches/03fix-server-dos.patch
@@ -0,0 +1,21 @@
+#
+# Author: dave
+# Description: fixed DoS attack using z compressed WML on server
+# (upstream svn r33069)
+# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/wesnoth/+bug/336396
+#
+
+diff -Nur wesnoth-1.4.5/src/server/simple_wml.cpp wesnoth-1.4.5.new/src/server/simple_wml.cpp
+--- wesnoth-1.4.5/src/server/simple_wml.cpp 2008-03-29 13:05:38.000000000 -0500
++++ wesnoth-1.4.5.new/src/server/simple_wml.cpp 2009-03-20 08:45:41.000000000 -0500
+@@ -27,6 +27,10 @@
+ int len = 0;
+ int pos = 0;
+ while(filter.good() && (len = filter.read(&buf[pos], chunk_size).gcount()) == chunk_size) {
++ if(pos + chunk_size > 40000000) {
++ throw error("WML document exceeds 40MB limit");
++ }
++
+ pos += len;
+ buf.resize(pos + chunk_size);
+ len = 0;
only in patch2:
unchanged:
--- wesnoth-1.4.5.orig/debian/patches/05limit-mapsize.patch
+++ wesnoth-1.4.5/debian/patches/05limit-mapsize.patch
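Review bot: In 03fix-server-dos.patch the added guard in simple_wml.cpp hard-codes the cap twice, as the literal `40000000` in the condition and as "40MB" in the message, so the two can drift apart and the limit cannot be tuned without editing the loop. A named constant such as `const int max_uncompressed_size = 40000000;`, with a comment that it bounds the decompressed size of one document, would make the intent reviewable. The check runs after a chunk has already been read into buf, so the buffer can reach roughly the cap plus one chunk before the throw; that is bounded, but the comment should say so. The enclosing function starts and ends outside the hunk, so how callers handle the thrown error (for example whether the connection is closed and the rejection logged) cannot be confirmed from here.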
@@ -0,0 +1,61 @@
+#
+# Author: ilor
+# Description: fix bug #13031 by implementing a hard limit on map size. The cap
+# is set to 200 tiles (so 200*200 is the max map area), and as of
+# now is a hardcoded constant in terrain_translation.cpp.
+# (upstream svn r32987)
+# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/wesnoth/+bug/336396
+#
+
+diff -Nur wesnoth-1.4.5/src/terrain_translation.cpp wesnoth-1.4.5.new/src/terrain_translation.cpp
+--- wesnoth-1.4.5/src/terrain_translation.cpp 2008-02-19 18:16:11.000000000 -0600
++++ wesnoth-1.4.5.new/src/terrain_translation.cpp 2009-03-20 08:49:41.000000000 -0500
+@@ -29,6 +29,10 @@
+
+ namespace t_translation {
+
++ size_t max_map_size() {
++ return 200; //TODO make this overridable by the user without having to rebuild
++ }
++
+ /***************************************************************************************/
+ // forward declaration of internal functions
+
+@@ -312,6 +316,10 @@
+ ERR_G << "Map not a rectangle error occured at line offset " << y << " position offset " << x << "\n";
+ throw error("Map not a rectangle.");
+ }
++ if (y > max_map_size()) {
++ ERR_G << "Map size exceeds limit (y > " << max_map_size() << ")\n";
++ throw error("Map height limit exceeded.");
++ }
+ }
+
+ // Prepare next iteration
+@@ -334,6 +342,10 @@
+ } else {
+ ++x;
+ offset = pos_separator + 1;
++ if (x > max_map_size()) {
++ ERR_G << "Map size exceeds limit (x > " << max_map_size() << ")\n";
++ throw error("Map width limit exceeded.");
++ }
+ }
+
+ }
+diff -Nur wesnoth-1.4.5/src/terrain_translation.hpp wesnoth-1.4.5.new/src/terrain_translation.hpp
+--- wesnoth-1.4.5/src/terrain_translation.hpp 2008-02-19 18:16:11.000000000 -0600
++++ wesnoth-1.4.5.new/src/terrain_translation.hpp 2009-03-20 08:49:41.000000000 -0500
+@@ -25,6 +25,12 @@
+
+ namespace t_translation {
+
++ /**
++ * Return the maximum allowed map size (in either dimension),
++ * the maximum map area is, therefore, this value squared.
++ */
++ size_t max_map_size();
++
+ typedef Uint32 t_layer;
+ const t_layer WILDCARD = 0x2A000000;
+ const t_layer NO_LAYER = 0xFFFFFFFF;
only in patch2:
unchanged:
--- wesnoth-1.4.5.orig/debian/patches/04wesnoth-did-ai-fix.patch
+++ wesnoth-1.4.5/debian/patches/04wesnoth-did-ai-fix.patch
@@ -0,0 +1,30 @@
+#
+# Author: zookeeper
+# Description: Removed kamikaze.py and replaced it with a crude WML workaround
+# for now. (upstream svn r33013)
+# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/wesnoth/+bug/336396
+#
+
+diff -Nur wesnoth-1.4.5/data/campaigns/Descent_Into_Darkness/scenarios/03_A_Haunting_in_Winter.cfg wesnoth-1.4.5.new/data/campaigns/Descent_Into_Darkness/scenarios/03_A_Haunting_in_Winter.cfg
+--- wesnoth-1.4.5/data/campaigns/Descent_Into_Darkness/scenarios/03_A_Haunting_in_Winter.cfg 2008-03-03 12:32:50.000000000 -0600
++++ wesnoth-1.4.5.new/data/campaigns/Descent_Into_Darkness/scenarios/03_A_Haunting_in_Winter.cfg 2009-03-20 08:41:01.000000000 -0500
+@@ -77,10 +77,16 @@
+ no_leader=yes
+ fog=no
+ shroud=no
+- # kamikaze.py heads straight for the leader of side 1 and attacks
+ [ai]
+- ai_algorithm=python_ai
+- python_script="../campaigns/Descent_Into_Darkness/ais/kamikaze.py"
++ aggression=4.0
++ caution=0.0
++ grouping=no
++ simple_targetting=yes
++ village_value=0
++ [target]
++ id=Malin Keshar
++ value=100
++ [/target]
+ [/ai]
+ [/side]
+
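Review bot: In 05limit-mapsize.patch both added checks in terrain_translation.cpp compare with `>` (`y > max_map_size()` and `x > max_map_size()`), so whether the enforced cap is 200 or 201 tiles per dimension depends on whether x and y are zero-based indexes at those points, which the hunks do not show. The header comment promises the "maximum allowed map size", so either use `>=` if they are indexes or state in that comment that the value is the highest permitted index. The declarations of x and y are also outside the hunks; if they are signed, the comparison against the `size_t` return value is a signed/unsigned mix that should be made explicit with a cast. The enclosing read function starts and ends outside these hunks.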
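Review bot: The replacement `[ai]` block in 03_A_Haunting_in_Winter.cfg drops the old comment and leaves the new parameters unexplained, so a later editor cannot tell that they are a stand-in for the removed Python script. I would add above `[ai]`: `# WML stand-in for the removed kamikaze.py (python AI disabled): head straight for Malin Keshar and attack`. The `[target]` filter relies on `id=Malin Keshar` matching the unit as it is defined elsewhere in the scenario, which is outside the hunk and should be checked.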