This is an automated email from the git hooks/post-receive script. vcheng pushed a commit to branch jessie in repository wesnoth.
commit e8ce0fa9285ecf41b59b51932d7974c7bb4f1292 Author: Vincent Cheng <[email protected]> Date: Tue Jul 7 02:30:27 2015 -0700 fix CVE-2015-5069 and CVE-2015-5070 in jessie --- debian/changelog | 7 +++++++ debian/patches/CVE-2015-5069-CVE-2015-5070.patch | 23 +++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 31 insertions(+) diff --git a/debian/changelog b/debian/changelog index 94c23e3..876fc64 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +wesnoth-1.10 (1:1.10.7-2+deb8u1) jessie; urgency=medium + + * Security fix: Disallowed inclusion of .pbl files from WML, independent of + extension case (CVE-2015-5069, CVE-2015-5070). + + -- Vincent Cheng <[email protected]> Wed, 01 Jul 2015 13:30:12 -0700 + wesnoth-1.10 (1:1.10.7-2) unstable; urgency=high * Pull af61f9fd from upstream to fix "Private file disclosure through diff --git a/debian/patches/CVE-2015-5069-CVE-2015-5070.patch b/debian/patches/CVE-2015-5069-CVE-2015-5070.patch new file mode 100644 index 0000000..0f0ba4c --- /dev/null +++ b/debian/patches/CVE-2015-5069-CVE-2015-5070.patch @@ -0,0 +1,23 @@ +Description: Disallowed inclusion of .pbl files from WML, independent of + extension case (CVE-2015-5069, CVE-2015-5070). +Origin: upstream, commits 055fea16479a755d6744a52f78f63548b692c440 + and d20f8015bc3653a10d6d4dfd751e62651d1180b7 +Bug: https://gna.org/bugs/?23504 +Last-Update: 2015-07-01 + +diff --git a/src/filesystem.cpp b/src/filesystem.cpp +index 7b4bd95..510da80 100644 +--- a/src/filesystem.cpp ++++ b/src/filesystem.cpp +@@ -1157,6 +1157,11 @@ std::string get_wml_location(const std::string &filename, const std::string &cur + return result; + } + ++ if (looks_like_pbl(filename)) { ++ ERR_FS << "Illegal path '" << filename << "' (.pbl files are not allowed)." << std::endl; ++ return result; ++ } ++ + bool already_found = false; + + if (filename[0] == '~') diff --git a/debian/patches/series b/debian/patches/series index 9b0fc18..b6b1fe1 100644 
--- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 02wesnoth-nolog-desktop-file 03wesnothd-name af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch +CVE-2015-5069-CVE-2015-5070.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/wesnoth.git _______________________________________________ Pkg-games-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-games-commits
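Review bot: In the embedded src/filesystem.cpp hunk (get_wml_location, @@ -1157,6 +1157,11 @@), the added `if (looks_like_pbl(filename))` call is the only code change, yet the patch description and the changelog entry both promise rejection "independent of extension case". Nothing in the visible lines defines or modifies looks_like_pbl, so the case-insensitive behaviour depends entirely on how that helper is already implemented in this tree. The Origin field cites two upstream commits (055fea16 and d20f8015); please confirm that the part of them that normalises the file name's case before comparing the extension is already present in the jessie source, or add it to this patch. If the helper still does a case-sensitive match on ".pbl", this check does not deliver what the description states. A one-line comment above the new block saying why get_wml_location needs its own .pbl check would also help future backports.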

