[IMPORTANT] Security advisory for Wesnoth 1.7.0 ― 1.14.3

Post by shadowm » July 24th, 2018, 1:51 am

Hello,

As mentioned in the Wesnoth 1.14.4 release announcement, all previous Wesnoth versions including Lua scripting support are affected by a security vulnerability which potentially allows a malicious party to execute arbitrary code through the Lua engine by using specially-crafted code in add-ons, saves, replays, or networked games. This affects versions 1.7.0 through 1.14.3, and is patched in 1.14.4. We strongly advise that players do not use versions older than 1.14.4 unless they have been patched by a downstream distributor.

CVE-2018-1999023 has been assigned to this issue. All known packagers have been contacted and may provide patched builds through their own distribution channels. Players on Steam with auto-updates enabled will be running version 1.14.4 already or as soon as they try to launch the game.

The tl;dr version:
  • Version 1.14.4 and later: not vulnerable
  • Version 1.14.3 and earlier: CVE-2018-1999023 (Lua engine sandbox escape/code injection leading to remote code execution)
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm.