Wesnoth 1.14.4

Iris
Site Administrator
Posts: 6796
Joined: November 14th, 2006, 5:54 pm
Location: Chile

Wesnoth 1.14.4

Post by Iris »

Wesnoth 1.14.4 is out!

This maintenance release for the stable 1.14.x series fixes a severe security vulnerability in the game engine that can be used to remotely execute arbitrary code on your computer.

We strongly advise that users of all previous versions upgrade immediately. If you are using Wesnoth on Steam and have automatic updates enabled for Wesnoth, you will already have this update installed by now.

In addition to this, 1.14.4 delivers the usual assortment of bug fixes, quality-of-life improvements, and translation updates you’ve come to expect from a stable branch. And just like other releases in this series, it is fully compatible with previous 1.14.x versions.

A full list of changes and new features added since version 1.12 can be found in the release notes for this series.


Changes since 1.14.3

Read on for more details about the most notable fixes and additions since the previous stable release. A full list of changes may be found in our changelog.

General
A severe bug was found in the game client which could allow a malicious user to execute arbitrary code through the Lua engine by using specially-crafted code in add-ons, saves, replays, or networked games. This issue affects all platforms and all existing releases since Wesnoth version 1.7.0.

Users of all previous versions should upgrade immediately.

CVE-2018-1999023 has been assigned to this vulnerability.
Dead Water:
  • In “Tirigaz”, take the situation into account of orcs being killed either first or by undead.
Delfador’s Memoirs:
  • Fixed hero units costing upkeep (issue #3277).
Eastern Invasion:
  • Fixed missing prisoners and loss of recallable units in “Captured”.
Northern Rebirth:
  • Level 0 units are not available anymore after “The Pursuit”.
Secrets of the Ancients:
  • Adjusted gender of enemies to better match the story in “Battleground” and “Walking Trees” (issue #3294).
  • Simplified dialog to fix possible confusion in “The Mage” (issue #3291).
  • Nagas are able to recruit in the last scenario (issue #3293).
The South Guard:
  • The undead leader in “Vale of Tears” does not leave the castle anymore.
  • The untypical situation where one can defeat the lich in “Choice in the Fog” before finding Urza Afalas is now handled.
Under the Burning Suns:
  • Added custom graphics for the citadel in the second-to-last scenario, and clarified certain tactical information in the last scenario.
  • Other visual improvements.
  • Fixed lobby and whisper messages in the MP server not having a length limit in both the server and the client UI.
  • Fixed lobby chat box scrolling back to top on new messages when it wasn’t already scrolled all the way to the bottom (issue #2789).
  • Fixed faction, leader, and leader gender changes persisting even if the selection dialog is dismissed.
  • Greatly improved touch control support.
  • Improved the layout of the Statistics dialog.
  • It is now possible to change dropdown menu selections using the scrollwheel (issue #3251).
  • Units are secondarily sorted by XP in the Unit List dialog.
  • New attack animation for the Peasant.
  • Tweaked the Ruffian’s attack animation timing.
  • Fixed the unit preview pane not displaying the default race icon when detailing a single unit’s stats.
  • Minor layout improvements to the Objectives dialog (pull request #3309).
  • Added an Advanced Preferences option to enable the experimental PRNG combat mode in single-player.
  • Campfires use illumination instead of a different time-of-day schedule.
  • Fixed saving a map as a scenario in the editor not enabling scenario editor tools.
  • Fixed an issue with positioned sound sources ignoring the volume set in Preferences after going off the audible radius and back (issue #3280).
  • Upgraded the game’s Lua platform to Lua 5.3.5.
  • Builds on Linux using SCons and CMake enable security hardening by default now.
  • The add-ons server now searches for plain-text .po catalogues in add-ons and adds them to the list of translations reported for the add-on.
  • Fixed red herring errors about WESNOTH_VERSION not being defined when trying to load add-ons when one or more of them have had load-time errors (issue #1634, issue #1924). The root issue persists in the form of add-ons not being correctly loaded, however.
  • Fixed wmllint crashing on gzipped binary files such as tarballs, and crashing on nonexistent paths (issue #3286).
  • Fixed wmlindent crashing on nonexistent paths (issue #3346).
Known Issues
Bugs specific to Windows:
  • OneDrive can interfere with Wesnoth’s user config/data directory set-up, leading to all kinds of different manifestations of the issue. There’s no fix available yet. The recommendation for the time being is to avoid syncing the Wesnoth user directory with OneDrive.
General bugs:
  • Preprocessor errors corrupt cache (#1634, #1924). If this happens you have to wipe your cache. That can be done in Preferences → Cache.
Bugs specific to macOS:
  • Trackpad tap clicking is sometimes not recognized (forum post).
  • Unofficial builds with OpenMP support enabled randomly freeze (bug #1260).

Downloads
Source code (450.6 MB)
SHA256 sum: 312dcd1d5f07eb85fdbe932c0e8727e2985bce0bd521a743f7bcddded15581c3
Windows installer (408.2 MB)
SHA256 sum: fe6c276970efa5d510a31976c58949b034aa3f393ee7ea75ccfbbfdfd4c5cc22
macOS package (466.9 MB)
SHA256 sum: 151f9e1be1d16e224a5d7f2a923f0ac69e3dce7952ed558375cdf3b7455df0e3
All known Linux packagers have been contacted, and binaries for your distribution may have already been created. Information about where to get the respective binaries or how to install them can be found on the Linux binaries page in the wiki.
The multiplayer server for 1.14.x is up and running. This server allows players using all stable releases from this series, including the 1.14 release candidates (1.13.12 and later).

The add-ons server for 1.14.x is already running. It was started for 1.13.12 and it serves all stable releases from this series.
If you encounter any problems involving add-ons not working as expected, please notify the content’s author or maintainer.

If you find any bugs, do not hesitate to report them, but please read the instructions on how to report bugs first! As bug reports in the forums tend to be forgotten, you will get better results using our bug tracker. We need your help for finding and fixing issues, no matter how obvious, trivial or complicated they seem!

Have fun!
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
Byron
Posts: 44
Joined: May 23rd, 2013, 7:41 am
Location: West Virginia

Re: Wesnoth 1.14.4

Post by Byron »

I still use 1.10.7 a lot because I like some add-ons that haven't been maintained to be compatible with newer versions of the game. I downloaded these from SourceForge via this site. To be clear, this isn't safe anymore? Should I wait for a patch that might not be coming, or should I uninstall this & 1.12.6 ASAP?
gfgtdf
Developer
Posts: 1431
Joined: February 10th, 2013, 2:25 pm

Re: Wesnoth 1.14.4

Post by gfgtdf »

It depends whether you play multiplayer or not. In single player, add-ons you have already installed don't suddenly become infected so it's not really a problem as long as you don't install new add-ons. In multiplayer the situation you have is different because other players can make your client execute any Lua code.
Scenario with Robots SP scenario (1.11/1.12), allows you to build your units with components, PYR No preperation turn 1.12 mp-mod that allows you to select your units immideately after the game begins.
Iris
Site Administrator
Posts: 6796
Joined: November 14th, 2006, 5:54 pm
Location: Chile

Re: Wesnoth 1.14.4

Post by Iris »

gfgtdf wrote: July 24th, 2018, 9:43 am It depends whether you play multiplayer or not. In single player, add-ons you have already installed don't suddenly become infected so it's really a problem as long as you don't install new add-ons.
Or load save files from untrusted sources.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
Byron
Posts: 44
Joined: May 23rd, 2013, 7:41 am
Location: West Virginia

Re: Wesnoth 1.14.4

Post by Byron »

OK, thanks for the information. I only play single player. I will continue to use 1.10.7 & 1.12.6, as well as the new version. I've noticed a lot of new novice campaigns on the 1.14 server. Perhaps, it's time I gave some of these a try. Who knows, I might find a new favorite.

Regards
Celtic_Minstrel
Developer
Posts: 2158
Joined: August 3rd, 2012, 11:26 pm
Location: Canada

Re: Wesnoth 1.14.4

Post by Celtic_Minstrel »

And I only just downloaded 1.14.3 like, a week ago. Guess I'd better go download it again. >_>
Author of The Black Cross of Aleron campaign and Default++ era.
Former maintainer of Steelhive.
BTIsaac
Posts: 428
Joined: December 7th, 2017, 7:30 am

Re: Wesnoth 1.14.4

Post by BTIsaac »

So if I don't play multiplayer over the internet, don't load suspicious saves and replays and don't download and play suspicious addons, I should be safe, right?

I'm still using 1.12 until I finish LotI, and I would like to keep it around for a few unported addons, namely the Ravagers, which I have not yet downloaded and Revansurik's campaigns, plus the War of Legends era that goes with it. I believe these are safe, right?

EDIT: Okay, so Ravagers is getting ported. If that's true for the other 5 addons too, I'll just ditch 1.12 entirely. Still need to wait for the mobile version though.
Tad_Carlucci
Inactive Developer
Posts: 503
Joined: April 24th, 2016, 4:18 pm

Re: Wesnoth 1.14.4

Post by Tad_Carlucci »

@BTIsaac .. at some point, everything you're playing came from the Internet. The question is third parties.

Note I don't say "trusted third parties" because that is folly. It means not only must you trust the Wesnoth servers, you must trust the package builder, and everyone you play with, and everyone they play with, and everyone THEY play with, and ... and ... and ... until, basically, you must have complete trust in everyone, living or not.

The question is one of "acceptable risk".

That's something you must decide for yourself.

We "strongly advise" because we suggest you upgrade unless you have a compelling reason not to, know the risks, and feel you've taken adequate precautions.
I forked real life and now I'm getting merge conflicts.
BTIsaac
Posts: 428
Joined: December 7th, 2017, 7:30 am

Re: Wesnoth 1.14.4

Post by BTIsaac »

Yeah but I'm not playing with anyone and I'm not downloading any saves, trusted or otherwise. So that only leaves addons.
Tad_Carlucci
Inactive Developer
Posts: 503
Joined: April 24th, 2016, 4:18 pm

Re: Wesnoth 1.14.4

Post by Tad_Carlucci »

@BTIsaac .. In your case, maybe you can reduce your attack surface by removing unneeded addons?

You're not going to (or, you should be able to) get anyone to say, "That's fine." We really don't know, so we strongly suggest you upgrade.

I know what I would feel safe doing. But if I tell you, you might take that as some indication it *is* safe for you. I don't know, so I won't say.
I forked real life and now I'm getting merge conflicts.
BTIsaac
Posts: 428
Joined: December 7th, 2017, 7:30 am

Re: Wesnoth 1.14.4

Post by BTIsaac »

1.14.4 is not out on Android just yet. I already removed unneeded addons and I don't intend to download new ones for 1.12.
Iris
Site Administrator
Posts: 6796
Joined: November 14th, 2006, 5:54 pm
Location: Chile

Re: Wesnoth 1.14.4

Post by Iris »

Celtic_Minstrel wrote: July 24th, 2018, 12:37 pm And I only just downloaded 1.14.3 like, a week ago. Guess I'd better go download it again. >_>
You of all people should've known it was coming. :P
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
Tad_Carlucci
Inactive Developer
Posts: 503
Joined: April 24th, 2016, 4:18 pm

Re: Wesnoth 1.14.4

Post by Tad_Carlucci »

Heck, I knew about it before I saw the proof copy of the announcements because I usually check on the overnight updates on my Arch box and noticed the package appear .. which prompted me to check the forums and, lo, there was the proof copy. Took me longer to root around in the commits to find the changeset, check the CVE mailing list to see what was there as well, and read the history on the Lua bug which is at the heart of the issue.
I forked real life and now I'm getting merge conflicts.
Iris
Site Administrator
Posts: 6796
Joined: November 14th, 2006, 5:54 pm
Location: Chile

Re: Wesnoth 1.14.4

Post by Iris »

To clarify for the audience that has no idea what any of this is about, everyone active in the dev channel knew that 1.14.4 was coming (there was even a string freeze on the 1.14 branch) and was delayed for over a week because of this. Celtic wasn’t an exception and was even told to wait on merging certain patches because of the string freeze, hence the surprise.
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.
Celtic_Minstrel
Developer
Posts: 2158
Joined: August 3rd, 2012, 11:26 pm
Location: Canada

Re: Wesnoth 1.14.4

Post by Celtic_Minstrel »

shadowm wrote: July 24th, 2018, 5:25 pm
Celtic_Minstrel wrote: July 24th, 2018, 12:37 pm And I only just downloaded 1.14.3 like, a week ago. Guess I'd better go download it again. >_>
You of all people should've known it was coming. :P
I think I didn't know yet when I downloaded it? Was probably more like two weeks ago. But yeah, I've certainly known about the upcoming 1.14.4 for awhile now.
Author of The Black Cross of Aleron campaign and Default++ era.
Former maintainer of Steelhive.