Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: wheezy
Severity: normal
X-Debbugs-CC: rho...@debian.org
Hi,

I'd like to upload wesnoth-1.10/1:1.10.3-3+deb7u2 to wheezy-pu to fix CVE-2015-5069 and CVE-2015-5070 (these CVEs are marked no-dsa in the security tracker and the security team has asked me to get these CVEs fixed via a point update instead). These CVEs have already been fixed in sid as of wesnoth-1.12/1:1.12.4-1. Debdiff below, thanks!

Regards,
Vincent

diff -Nru wesnoth-1.10-1.10.3/debian/changelog wesnoth-1.10-1.10.3/debian/changelog --- wesnoth-1.10-1.10.3/debian/changelog 2015-04-09 07:00:48.000000000 -0700 +++ wesnoth-1.10-1.10.3/debian/changelog 2015-07-01 13:51:32.000000000 -0700 @@ -1,3 +1,10 @@ +wesnoth-1.10 (1:1.10.3-3+deb7u2) wheezy; urgency=medium + + * Security fix: Disallowed inclusion of .pbl files from WML, independent of + extension case (CVE-2015-5069, CVE-2015-5070). + + -- Vincent Cheng <vch...@debian.org> Wed, 01 Jul 2015 13:30:12 -0700 + wesnoth-1.10 (1:1.10.3-3+deb7u1) wheezy-security; urgency=high * Pull af61f9fd from upstream to fix "Private file disclosure through diff -Nru wesnoth-1.10-1.10.3/debian/patches/CVE-2015-5069-CVE-2015-5070.patch wesnoth-1.10-1.10.3/debian/patches/CVE-2015-5069-CVE-2015-5070.patch --- wesnoth-1.10-1.10.3/debian/patches/CVE-2015-5069-CVE-2015-5070.patch 1969-12-31 16:00:00.000000000 -0800 +++ wesnoth-1.10-1.10.3/debian/patches/CVE-2015-5069-CVE-2015-5070.patch 2015-07-01 13:32:55.000000000 -0700
@@ -0,0 +1,23 @@ +Description: Disallowed inclusion of .pbl files from WML, independent of + extension case (CVE-2015-5069, CVE-2015-5070). +Origin: upstream, commits 055fea16479a755d6744a52f78f63548b692c440 + and d20f8015bc3653a10d6d4dfd751e62651d1180b7 +Bug: https://gna.org/bugs/?23504 +Last-Update: 2015-07-01 + +diff --git a/src/filesystem.cpp b/src/filesystem.cpp +index 7b4bd95..510da80 100644 +--- a/src/filesystem.cpp ++++ b/src/filesystem.cpp +@@ -1157,6 +1157,11 @@ std::string get_wml_location(const std::string &filename, const std::string &cur + return result; + } + ++ if (looks_like_pbl(filename)) { ++ ERR_FS << "Illegal path '" << filename << "' (.pbl files are not allowed)." << std::endl; ++ return result; ++ } ++ + bool already_found = false; + + if (filename[0] == '~') diff -Nru wesnoth-1.10-1.10.3/debian/patches/series wesnoth-1.10-1.10.3/debian/patches/series --- wesnoth-1.10-1.10.3/debian/patches/series 2015-04-08 10:14:12.000000000 -0700 +++ wesnoth-1.10-1.10.3/debian/patches/series 2015-07-01 13:51:48.000000000 -0700 @@ -1,3 +1,4 @@ 02wesnoth-nolog-desktop-file 03wesnothd-name af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch +CVE-2015-5069-CVE-2015-5070.patch
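Review bot: The debian/changelog hunk names both CVEs but gives no pointer to the upstream bug, so the entry does not stand on its own; consider adding the reference already carried in the patch header (https://gna.org/bugs/?23504) to the "Security fix:" line. Targeting `wheezy` with urgency=medium is the right choice for a point update, in contrast to the wheezy-security / urgency=high of the deb7u1 entry just below it.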
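Review bot: The new CVE-2015-5069-CVE-2015-5070.patch contains a single hunk, the `looks_like_pbl(filename)` early return in `get_wml_location`, yet its DEP-3 header cites two upstream commits and its Description says the block is "independent of extension case"; nothing in the debdiff defines or touches `looks_like_pbl`, so the case-insensitivity rests entirely on the helper already present in 1.10.3's src/filesystem.cpp. Please confirm that that helper lowercases or otherwise case-folds the extension before matching; if the second upstream commit (d20f8015) is what made it do so, its hunk needs to be carried in this patch as well, otherwise only CVE-2015-5069 is addressed. The early `return result;` matches the existing `return result; }` pattern in the context lines above it, so the failure path is consistent.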