Hello community, here is the log from the commit of package crawl for openSUSE:Factory checked in at 2020-04-16 23:03:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/crawl (Old) and /work/SRC/openSUSE:Factory/.crawl.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "crawl" Thu Apr 16 23:03:35 2020 rev:33 rq:794404 version:0.24.0 Changes: -------- --- /work/SRC/openSUSE:Factory/crawl/crawl.changes 2020-03-21 00:02:22.185131200 +0100 +++ /work/SRC/openSUSE:Factory/.crawl.new.2738/crawl.changes 2020-04-16 23:03:35.695693011 +0200 @@ -1,0 +2,6 @@ +Tue Apr 14 11:22:21 UTC 2020 - Ferdinand Thiessen <[email protected]> + +- Added CVE-2020-11722.patch to fix CVE-2020-11722, boo#1169381 + * Fixes a remote code evaluation issue with lua loadstring + +------------------------------------------------------------------- New: ---- CVE-2020-11722.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ crawl.spec ++++++ --- /var/tmp/diff_new_pack.nhB5Pp/_old 2020-04-16 23:03:36.359693602 +0200 +++ /var/tmp/diff_new_pack.nhB5Pp/_new 2020-04-16 23:03:36.359693602 +0200 @@ -33,6 +33,8 @@ Patch0: desktop.patch Patch1: icon.patch Patch2: appdata.patch +# PATCH-FIX-UPSTREAM CVE-2020-11722, boo#1169381, disable LUA loadstring +Patch3: CVE-2020-11722.patch BuildRequires: dejavu-fonts BuildRequires: desktop-file-utils BuildRequires: fdupes @@ -60,7 +62,7 @@ %endif %description -%about +%{about} This is the Stone Soup version of Dungeon Crawl. @@ -72,7 +74,7 @@ Requires: %{name} = %{version} %description sdl -%about +%{about} This is the (SDL-based) tiled Stone Soup version of Dungeon Crawl. @@ -85,7 +87,7 @@ BuildArch: noarch %description data -%about +%{about} These are the data files for Dungeon Crawl Stone Soup. @@ -94,6 +96,7 @@ %patch0 -p2 %patch1 -p2 %patch2 -p2 +%patch3 -p1 %build cd source 
@@ -104,11 +107,11 @@ # note that --disable-altivec not supported by gcc 4.8 tmpflags="$tmpflags -U__ALTIVEC__" %endif -make %{?_smp_mflags} clean -make %{?_smp_mflags} prefix=%{_prefix} bin_prefix=bin DATADIR="%{_datadir}/%{name}/" BINDIR=%{_bindir} EXTRA_FLAGS="${tmpflags}" +%make_build clean +%make_build prefix=%{_prefix} bin_prefix=bin DATADIR="%{_datadir}/%{name}/" BINDIR=%{_bindir} EXTRA_FLAGS="${tmpflags}" mv crawl crawl.tty # avoid name clashes temporarily -make %{?_smp_mflags} clean -make %{?_smp_mflags} prefix=%{_prefix} bin_prefix=bin DATADIR="%{_datadir}/%{name}/" BINDIR=%{_bindir} EXTRA_FLAGS="${tmpflags}" TILES="1" +%make_build clean +%make_build prefix=%{_prefix} bin_prefix=bin DATADIR="%{_datadir}/%{name}/" BINDIR=%{_bindir} EXTRA_FLAGS="${tmpflags}" TILES="1" mv crawl crawl-sdl mv crawl.tty crawl ++++++ CVE-2020-11722.patch ++++++ Fix CVE CVE-2020-11722 before version 0.25 Contains upstream commits 768f60da87a3fa0b5561da5ade9309577c176d04 and fc522ff6eb1bbb85e3de60c60a45762571e48c28 diff -Nur stone_soup-0.24.0/source/clua.cc new/source/clua.cc --- stone_soup-0.24.0/source/clua.cc 2019-04-21 07:54:24.000000000 +0200 +++ new/source/clua.cc 2020-04-14 13:38:19.579713046 +0200 @@ -315,6 +315,9 @@ while (!f.eof()) script += f.get_line() + "\n"; + if (script[0] == 0x1b) + abort(); + // prefixing with @ stops lua from adding [string "%s"] return luaL_loadbuffer(ls, &script[0], script.length(), ("@" + file).c_str()); @@ -729,6 +732,20 @@ return !err; } +static int lua_loadstring(lua_State *ls) +{ + const auto lua = luaL_checkstring(ls, 1); + if (lua[0] == 0x1b) + abort(); + lua_settop(ls, 0); + if (luaL_loadstring(ls, lua)) + { + lua_pushnil(ls); + lua_insert(ls, 1); + } + return lua_gettop(ls); +} + void CLua::init_lua() { if (_state) 
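Review bot: The new guard `if (script[0] == 0x1b) abort();` ends the whole process without any message, and the same `abort()` is used in `lua_loadstring` in the next hunk. The function already returns the load status from `luaL_loadbuffer`, so a precompiled chunk could be refused on that path instead, for example `lua_pushstring(ls, "precompiled Lua chunks are not allowed"); return LUA_ERRSYNTAX;`, which records a reason and avoids a core dump per rejected file on a shared server. Either way the literal deserves a comment such as `// 0x1b is the first byte of LUA_SIGNATURE: refuse bytecode, accept source text only`. The enclosing function starts and ends outside the hunk, so I am assuming its callers treat a non-zero return as a load failure.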
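Review bot: In `lua_loadstring` the pointer returned by `luaL_checkstring(ls, 1)` is still read by `luaL_loadstring` after `lua_settop(ls, 0)` has taken the string off the stack. The Lua manual only guarantees that pointer while the value stays on the stack, so if the caller holds no other reference to the string, a collection during parsing may free it while the parser is still reading. Keeping the argument anchored until the load is done avoids that: `lua_settop(ls, 1);` before the load, `lua_insert(ls, 2);` in the error branch, and `lua_remove(ls, 1);` before `return lua_gettop(ls);`. The optional chunk-name argument of the stock `loadstring` is also dropped here, which is worth a one-line comment if it is intentional.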
@@ -751,6 +768,11 @@ lua_stack_cleaner clean(_state); + lua_pushcfunction(_state, lua_loadstring); + lua_setglobal(_state, "loadstring"); + lua_pushnil(_state); + lua_setglobal(_state, "load"); + lua_atpanic(_state, _clua_panic); #ifdef CLUA_UNRESTRICTED_LIBS
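Review bot: The `loadstring` replacement and the `load` removal are registered right after `lua_stack_cleaner clean(_state);`, ahead of the `#ifdef CLUA_UNRESTRICTED_LIBS` block whose body lies outside this hunk. If that block opens the Lua base library (`luaopen_base` or `luaL_openlibs`), the stock `load` and `loadstring` globals would be written over these, and bytecode loading would be reachable again. I would confirm the ordering and, if needed, move the four calls to after the library setup, with a comment such as `// must run after the base library is opened, which defines load/loadstring`. The body of `init_lua` continues outside the hunk.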
