[IMPORTANT] Security advisories for Wesnoth 0.x ― 1.13.0

Get help with compiling or installing the game, and discuss announcements of new official releases.

Moderator: Forum Moderators

Locked
User avatar
Iris
Site Administrator
Posts: 6796
Joined: November 14th, 2006, 5:54 pm
Location: Chile
Contact:

[IMPORTANT] Security advisories for Wesnoth 0.x ― 1.13.0

Post by Iris »

Hello,

As mentioned in the Wesnoth 1.12.4 and Wesnoth 1.13.1 release announcements, a security vulnerability targeting add-on authors was found (bug #23504 [Gna.org]) which allowed a malicious user to obtain add-on server passphrases from the client’s .pbl files and transmit them over the network, or store them in saved game files intended to be shared by the victim. This vulnerability affects all existing releases up to and including versions 1.12.2 and 1.13.0. Additionally, version 1.12.3 included only a partial fix that failed to guard users against attempts to read from .pbl files with an uppercase or mixed-case extension. CVE-2015-5069 and CVE-2015-5070 have been assigned to the vulnerability affecting .pbl files with a lowercase extension, and .pbl files with an uppercase or mixed-case extension, respectively.

Additionally, as announced before, players running versions 1.7.0 through 1.11.14, as well as versions 1.11.19 through 1.12.1, are vulnerable to a more severe file disclosure attack (bug #23440 [Gna.org]) through the WML/Lua API that allows retrieving and transmitting the contents of potentially sensitive files outside Wesnoth’s resource directories. This vulnerability was assigned CVE-2015-0844 and was first fixed in versions 1.12.2 and 1.13.0.

All known packagers have been contacted and may provide builds patched against these vulnerabilities through their own distribution channels. If you are running any of the affected client versions, we strongly urge you to upgrade now to Wesnoth 1.12.4 — or, if you wish to use the development version, Wesnoth 1.13.1.

The tl;dr version:
  • Version 1.13.1 and later: not vulnerable
  • Version 1.12.4 and later: not vulnerable
  • Version 1.12.3: CVE-2015-5070 (disclosure of .pbl files with uppercase/mixed-case extension)
  • Version 1.13.0: CVE-2015-5069, CVE-2015-5070 (disclosure of .pbl files with lowercase, uppercase, and mixed-case extension)
  • Version 1.12.2: CVE-2015-5069, CVE-2015-5070 (disclosure of .pbl files with lowercase, uppercase, and mixed-case extension)
  • Version 1.12.1 and earlier: CVE-2015-0844 (arbitrary file disclosure), CVE-2015-5069, CVE-2015-5070 (disclosure of .pbl files with lowercase, uppercase, and mixed-case extension)
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
User avatar
Iris
Site Administrator
Posts: 6796
Joined: November 14th, 2006, 5:54 pm
Location: Chile
Contact:

Re: [IMPORTANT] Security advisories for Wesnoth 0.x ― 1.13.0

Post by Iris »

Important addendum for Apple OS X users:

Our current Apple OS X packager has not uploaded either 1.12.4 or 1.13.1 yet for unknown reasons. We hope to have version 1.12.4 out for Apple OS X within the next few days but we can make no promises at this point.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
User avatar
Iris
Site Administrator
Posts: 6796
Joined: November 14th, 2006, 5:54 pm
Location: Chile
Contact:

Re: [IMPORTANT] Security advisories for Wesnoth 0.x ― 1.13.0

Post by Iris »

Important addendum for Microsoft Windows users:

Unrelated to the security vulnerability itself, if you downloaded version 1.12.4 before this notice, you may be affected by a bug that causes Wesnoth to crash when toggling music on and off. We recommend using version 1.12.4a of the installer package instead.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
User avatar
Iris
Site Administrator
Posts: 6796
Joined: November 14th, 2006, 5:54 pm
Location: Chile
Contact:

Re: [IMPORTANT] Security advisories for Wesnoth 0.x ― 1.13.0

Post by Iris »

Important addendum for Apple OS X users:

The 1.12.4 build for Apple OS X is out now (posted June 30). See this post or the Download page for a link. 1.13.1 may take some more time, so keep an eye on the 1.13.1 announcement thread if you need it.

The 1.13.1 build for Apple OS X is out as well (posted July 9). However, note that unlike 1.12.4 it only runs on Apple OS X 10.10 Yosemite out of the box. Refer to this post by the packager for details.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
Locked