Package: minetest-server
Version: 5.3.0+repack-2.1
Severity: grave
Tags: patch security
Justification: user security hole
X-Debbugs-Cc: nils+debian-report...@dieweltistgarnichtso.net, Debian Security Team <t...@security.debian.org>
Dear Maintainer,

Minetest 5.3 contains a serious security issue by default. The ItemStack meta is not sanitized properly by the server. It is therefore possible for clients to inject ItemStack meta. It might be possible to backdoor the server by injecting Lua. Computers running Minetest 5.3 are vulnerable to this exploit.

The following patch, part of Minetest 5.4, fixes the problem:
https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae

Greetings,
Nils Moskopp

-- System Information:
Debian Release: 11.2
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-6-686 (SMP w/2 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minetest-server depends on:
ii  adduser              3.118
ii  init-system-helpers  1.60
ii  libc6                2.31-13+deb11u2
ii  libcurl3-gnutls      7.74.0-1.3+deb11u1
ii  libgcc-s1            10.2.1-6
ii  libgmp10             2:6.2.1+dfsg-1+deb11u1
ii  libjsoncpp24         1.9.4-4
ii  libleveldb1d         1.22-3
ii  libluajit-5.1-2      2.1.0~beta3+dfsg-5.3
ii  libncursesw6         6.2+20201114-2
ii  libpq5               13.5-0+deb11u1
ii  libspatialindex6     1.9.3-2
ii  libsqlite3-0         3.34.1-3
ii  libstdc++6           10.2.1-6
ii  libtinfo6            6.2+20201114-2
ii  lsb-base             11.1.0
ii  minetest-data        5.3.0+repack-2.1
ii  zlib1g               1:1.2.11.dfsg-2

minetest-server recommends no packages.

minetest-server suggests no packages.

-- no debconf information