denial of service in wesnoth client and server prior 1.2.7 release

I'm working on this.

For Hardy, Andrea Gasparini has merged wesnoth from Debian, and Debian has the fix for this: bug 156436.

Attached patch for dapper. It builds fine, but I haven't tested it (I don't have a dapper installation...)

Thanks for getting these prep'd. Which have been tested? The changes are not entirely trivial, so I'd just like to make sure it still all works.

Hi Kees.

I've tested the Gutsy ones, and they work fine. However, I haven't been able to crash it with the unpatched version (I'm not probably doing the right thing).

I could also test the feisty ones, if needed.

Thanks, I've pushing the Gutsy revision into the security queue. I don't like publishing security updates without testing the results, so if you want to get Feisty out too, just let me know if it works well there. :)

Hardy already has a fix

The changelog of the gutsy wesnoth packages don't show this fix (I have checked wesnoth,wesnoth-all,wesnoth-server) :

wesnoth (1.2.6-1ubuntu2) gutsy; urgency=low

  * debian/rules:
    - Build with --enable-dummy-locales.
  * debian/wesnoth-data.install:
    - Install the locales (LP: #113361).

 -- Emilio Pozuelo Monfort <email address hidden> Fri, 14 Sep 2007 23:45:25 +0200

Gutsy doesn't have this fix yet. wesnoth is at version 1.2.6-1ubuntu2 (Fri, 14 Sep 2007 23:45:25 +0200)

wesnoth (1.2.6-1ubuntu2.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Fix insecure truncate of a multibyte chat message that
    can lead to invalid utf-8 and throw an uncaught exception. Both wesnoth
    client and server are affected.
  * debian/patches/CVE-2007-3917: added, taken from Debian.
  * References:
    CVE-2007-3917.
    LP: #158414.

 -- Emilio Pozuelo Monfort <email address hidden> Mon, 29 Oct 2007 21:19:33 +0100

It's already built, as you can see in https://launchpad.net/ubuntu/+source/wesnoth/1.2.6-1ubuntu2.1

Should be in the archive soon (maybe an hour?). If not, reopen it.

Cheers

Never mind. It arrived last night (my time). I thought security updates would arrive within a day after reading "fix committed".

wesnoth (1.2.3-0ubuntu1.1) feisty-security; urgency=low

  * SECURITY UPDATE: Fix insecure truncate of a multibyte chat message that
    can lead to invalid utf-8 and throw an uncaught exception. Both wesnoth
    client and server are affected.
  * debian/patches/CVE-2007-3917: added, taken from Debian.
  * References: CVE-2007-3917.
    LP: #158414.

  * SECURITY UPDATE: Do not allow '../' in file paths. It allowed others
    to view the content of files in the remote computers.
  * debian/patches/CVE-2007-5742: added, taken from upstream SVN r21904.
  * References:
    CVE-2007-5742.
    LP: #172783.

 -- Emilio Pozuelo Monfort <email address hidden> Sun, 02 Dec 2007 22:07:37 +0100