[IMPORTANT] Security advisory for Wesnoth 1.7.0 ― 1.14.3

Get help with compiling or installing the game, and discuss announcements of new official releases.

Moderator: Forum Moderators

User avatar
Site Administrator
Posts: 6730
Joined: November 14th, 2006, 5:54 pm
Location: Chile

[IMPORTANT] Security advisory for Wesnoth 1.7.0 ― 1.14.3

Post by Iris »


As mentioned in the Wesnoth 1.14.4 release announcement, all previous Wesnoth versions including Lua scripting support are affected by a security vulnerability which potentially allows a malicious party to execute arbitrary code through the Lua engine by using specially-crafted code in add-ons, saves, replays, or networked games. This affects versions 1.7.0 through 1.14.3, and is patched in 1.14.4. We strongly advise that players do not use versions older than 1.14.4 unless they have been patched by a downstream distributor.

CVE-2018-1999023 has been assigned to this issue. All known packagers have been contacted and may provide patched builds through their own distribution channels. Players on Steam with auto-updates enabled will be running version 1.14.4 already or as soon as they try to launch the game.

The tl;dr version:
  • Version 1.14.4 and later: not vulnerable
  • Version 1.14.3 and earlier: CVE-2018-1999023 (Lua engine sandbox escape/code injection leading to remote code execution)
Author of the unofficial UtBS sequels Invasion from the Unknown and After the Storm (now available for Wesnoth 1.14.x and 1.15.4+).