Security advisory for 1.4.x
Moderator: Forum Moderators
Security advisory for 1.4.x
Hi everybody!
As you might have read in the 1.5.11 release announcement, the support for PythonAI was removed. This was done to fix a vulnerability that could allow third-party content (such as campaigns downloaded from the add-on server) to execute arbitrary code with user account privileges. See https://gna.org/bugs/index.php?13048 for details. All content currently on the official add-on server has been inspected to confirm that none of it exploits this vulnerability, and the add-on server itself has been patched to ensure that exploits can no longer be uploaded. Therefore, users of previous versions of Battle for Wesnoth who have received user-made content through the official add-on server and no other distribution channel need not fear that their system has been compromised.
CVE-2009-0367 has been assigned to this vulnerability and may provide further information.
If you are still using 1.4.x and not 1.5.x (why are you doing so btw, switch to the latest dev version, it is "better" and even more stable...), we do advise you to disable Python support if you compiled the binary yourself. All known packagers were contacted and I know about reactions from some of them already. Users of the official Windows binary should not be affected since Python support in it was broken anyway.
As you might have read in the 1.5.11 release announcement, the support for PythonAI was removed. This was done to fix a vulnerability that could allow third-party content (such as campaigns downloaded from the add-on server) to execute arbitrary code with user account privileges. See https://gna.org/bugs/index.php?13048 for details. All content currently on the official add-on server has been inspected to confirm that none of it exploits this vulnerability, and the add-on server itself has been patched to ensure that exploits can no longer be uploaded. Therefore, users of previous versions of Battle for Wesnoth who have received user-made content through the official add-on server and no other distribution channel need not fear that their system has been compromised.
CVE-2009-0367 has been assigned to this vulnerability and may provide further information.
If you are still using 1.4.x and not 1.5.x (why are you doing so btw, switch to the latest dev version, it is "better" and even more stable...), we do advise you to disable Python support if you compiled the binary yourself. All known packagers were contacted and I know about reactions from some of them already. Users of the official Windows binary should not be affected since Python support in it was broken anyway.
Re: Security advisor for 1.4.x
IMO it's quite silly. I.E. from the XUL level in firefox addons you can erase whole filesystem and firefox addons are still in use.
Instead of removing python support there should be community server where only trusted (examined by other users) scripts would be available. Other way is to make game to permit loading only signed scripts.
Instead of removing python support there should be community server where only trusted (examined by other users) scripts would be available. Other way is to make game to permit loading only signed scripts.
Re: Security advisory for 1.4.x
Anyone that plays BfW on Ubuntu Linux and hasn't wandered to this site or bothered to figure out how to obtain v1.6 is probably still at v1.4 because that's what's currently in the official Ubuntu repository. If they haven't been to this site they probably don't even know v1.6 exists.ivanovic wrote:If you are still using 1.4.x and not 1.5.x (why are you doing so btw, switch to the latest dev version, it is "better" and even more stable...)