Bug#1004223: marked as done (minetest-server: ItemStack meta injection vulnerability in Minetest (CVE-2022-24300))

Debian Bug Tracking System Fri, 18 Feb 2022 11:21:17 -0800

Your message dated Fri, 18 Feb 2022 19:17:15 +0000
with message-id <e1nl8kl-000962...@fasolo.debian.org>
and subject line Bug#1004223: fixed in minetest 5.3.0+repack-2.1+deb11u1
has caused the Debian Bug report #1004223,
regarding minetest-server: ItemStack meta injection vulnerability in Minetest 
(CVE-2022-24300)
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1004223: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004223
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: minetest-server
Version: 5.3.0+repack-2.1
Severity: grave
Tags: patch security
Justification: user security hole
X-Debbugs-Cc: nils+debian-report...@dieweltistgarnichtso.net, Debian Security 
Team <t...@security.debian.org>

Dear Maintainer,


Minetest 5.3 contains a serious security issue by default.
The ItemStack meta is not sanitized properly by the server.

Is is therefore possible for clients to inject ItemStack meta.
It might be possible to backdoor the server by injecting Lua.

Computers running Minetest 5.3 are vulnerable to this exploit.
The following patch, part of Minetest 5.4, fixes the problem:

https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae


Greetings,
Nils Moskopp

-- System Information:
Debian Release: 11.2
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-6-686 (SMP w/2 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minetest-server depends on:
ii  adduser              3.118
ii  init-system-helpers  1.60
ii  libc6                2.31-13+deb11u2
ii  libcurl3-gnutls      7.74.0-1.3+deb11u1
ii  libgcc-s1            10.2.1-6
ii  libgmp10             2:6.2.1+dfsg-1+deb11u1
ii  libjsoncpp24         1.9.4-4
ii  libleveldb1d         1.22-3
ii  libluajit-5.1-2      2.1.0~beta3+dfsg-5.3
ii  libncursesw6         6.2+20201114-2
ii  libpq5               13.5-0+deb11u1
ii  libspatialindex6     1.9.3-2
ii  libsqlite3-0         3.34.1-3
ii  libstdc++6           10.2.1-6
ii  libtinfo6            6.2+20201114-2
ii  lsb-base             11.1.0
ii  minetest-data        5.3.0+repack-2.1
ii  zlib1g               1:1.2.11.dfsg-2

minetest-server recommends no packages.

minetest-server suggests no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: minetest
Source-Version: 5.3.0+repack-2.1+deb11u1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
minetest, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated minetest package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Feb 2022 20:46:14 CET
Source: minetest
Architecture: source
Version: 5.3.0+repack-2.1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Games Team <pkg-games-de...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Checksums-Sha1:
 36bf7695ccb1b032f7b2b74e7de2d789f75e7365 2782 
minetest_5.3.0+repack-2.1+deb11u1.dsc
 10af7fa33c30a445c71d12b6df49be6898b11106 12544280 
minetest_5.3.0+repack.orig.tar.gz
 5cb453b61f81e56e8e7cb90251f6fd0e9a044c2c 39256 
minetest_5.3.0+repack-2.1+deb11u1.debian.tar.xz
 c11e868f954da43ce639b1764d9fa835f61238f5 12918 
minetest_5.3.0+repack-2.1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 4e717039762cbe7469ed5b32df46905b6cbd501b9eb30c8de8cc398ec9c61b64 2782 
minetest_5.3.0+repack-2.1+deb11u1.dsc
 67aa51e8ff881d25325af28c367df75214c3081cbafbd7cf66dc2dadf0ee79bf 12544280 
minetest_5.3.0+repack.orig.tar.gz
 f7b0b00ad7c0b66892e2d1cce39a144f2d3d0d099e5a396673c2b439baffdbf1 39256 
minetest_5.3.0+repack-2.1+deb11u1.debian.tar.xz
 1f15fa6fd43d15439504d27d7f1bae317a34317fefb9631db0e901d9a4a66307 12918 
minetest_5.3.0+repack-2.1+deb11u1_amd64.buildinfo
Closes: 1004223
Changes:
 minetest (5.3.0+repack-2.1+deb11u1) bullseye-security; urgency=high
 .
   * Fix CVE-2022-24300 and CVE-2022-24301:
     Several vulnerabilities have been discovered in Minetest. These issues may
     allow attackers to manipulate game mods by adding or modifying meta fields
     of the same item stack and grant them an unfair advantage over other
     players. These flaws could also be abused for a denial of service attack.
     (Closes: #1004223)
Files:
 c440f526f9c79abbebdc6cc40f1e4706 2782 games optional 
minetest_5.3.0+repack-2.1+deb11u1.dsc
 2f0c123aa1b06719099b356a92b3b99a 12544280 games optional 
minetest_5.3.0+repack.orig.tar.gz
 4d03ac57b911671902eb0cc673699b78 39256 games optional 
minetest_5.3.0+repack-2.1+deb11u1.debian.tar.xz
 2f2138d1d1a080715cac1e298ff4d064 12918 games optional 
minetest_5.3.0+repack-2.1+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmIJYDtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HklaQP/3R95711fK57aMHUHodrzoYTHTAIqGaOcREl
4N2vll+oo1zDD44YytkR6w5oOKQlcnalnez3NX8tSU+mo2/ehyf/wCyltrFGBSzJ
kOuWp+ynCNcHvrjgcHYz/FeE29ze/zBsoYgtvG9+VKdp2WohYm8a/1IBBJr5m871
WDfePCZiiY9Dmo5kKhec2b27SaAETOKjL70qFt6Zv61MMFKjXP7CdH9cOtZAeobV
zw6sm71FiQYyPEMnV10hy8zZXHZk1bh7FAIJa3RQr1boSQ0CdxRLqIWx/w4iSa7H
i85CPkqGrE3sn85Yc/k48hNS2Cd5+mD+HGnV766AKlY+fa66oilT6fu3u3+hiJBQ
IjcJxW2WYK2pYTtMQdN1pQTODUGEy2XdlqLPw/XkKpQYRITFJ5qqUPoODksGxlF5
4jdxhpTMbpfWIfNJ54bgd5ej/EEFPTbcojIbK9MkXn2yJi/t0PV/mamm3XepUbZF
hwvALnaQM3DL/3RO4097/doaYhEoS8qVtambqcBkiR8YOxdNSaARZY3vOt9RJEd1
emxKKxVd3dszhOwjb6ONHyg396lDcJEuqORkAG8yoCqOPvV20g3P3hHXXALW7q+F
Vvh4dybQLZmz9DFLHq0HOTCrKlmKR5bONCNR5oK5YVEFXopwDniM4ZhKrd9hFZ9K
m1YquZhS
=aUuA
-----END PGP SIGNATURE-----

--- End Message ---

Bug#1004223: marked as done (minetest-server: ItemStack meta injection vulnerability in Minetest (CVE-2022-24300))

Reply via email to