Package: minetest
Version: 5.3.0+repack-2.1+deb11u1
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: nils+debian-report...@dieweltistgarnichtso.net

Dear Maintainer,

Minetest before version 5.5.0 has an implementation of the function minetest.find_nodes_in_area() that can be used by clients to hang a server. Attached is a proof of concept Lua code to this bug report; you can run the “/areatest” command to crash Minetest with an error message that states “area volume exceeds allowed value of 4096000”.

This issue is security-relevant: It can be used by clients to crash or hang the server, depending on the exact coordinates given to the function minetest.find_nodes_in_area().

Minetest issue: <https://github.com/minetest/minetest/issues/11769>

Note that the upstream fix for this is actually faulty, as Minetest developers reused the constant MAX_MAP_GENERATION_LIMIT, neglecting that it is unsuited for bounds checking – as the map generator only stops after overrunning it.

Basically: Minetest developers have a bad understanding of how the Minetest map generator works at map boundaries and are unwilling to introduce bounds checks in advance of anything proven to crash or hang for fear of performance losses.

Minetest patch: <https://github.com/minetest/minetest/pull/11770>

Again, the above patch is faulty and should not be applied – it has caused at least one other bug, which may or may not be mitigated by raising MAX_MAP_GENERATION_LIMIT to 31007 (I am unsure about that … it might be that the current version of Minetest still has issues).

Minetest bug: <https://github.com/minetest/minetest/issues/11828>

Before Minetest upstream came up with their questionable fix, I had come up with a fix which wraps around minetest.find_nodes_in_area() to prevent the crash. It is fully unit-tested, AFAIK it works 100%. You can see the entire patch and the unit test for it here:

<https://git.minetest.land/Mineclonia/Mineclonia/pulls/169>

It is written in the form of Lua wrapper code for Minetest. If you are unsure on how to integrate it, I can try to help.

-- System Information:
Debian Release: 11.3
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'oldoldstable')
Architecture: i386 (i686)

Kernel: Linux 5.10.0-10-686 (SMP w/2 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minetest depends on:
ii  libc6             2.31-13+deb11u3
ii  libcurl3-gnutls   7.74.0-1.3+deb11u1
ii  libfreetype6      2.10.4+dfsg-1
ii  libgcc-s1         10.2.1-6
ii  libgmp10          2:6.2.1+dfsg-1+deb11u1
ii  libirrlicht1.8    1.8.4+dfsg1-1.1
ii  libjsoncpp24      1.9.4-4
ii  libleveldb1d      1.22-3
ii  libluajit-5.1-2   2.1.0~beta3+dfsg-5.3
ii  libncursesw6      6.2+20201114-2
ii  libopenal1        1:1.19.1-2
ii  libpq5            13.5-0+deb11u1
ii  libspatialindex6  1.9.3-2
ii  libsqlite3-0      3.34.1-3
ii  libstdc++6        10.2.1-6
ii  libtinfo6         6.2+20201114-2
ii  libvorbisfile3    1.3.7-1
ii  libx11-6          2:1.7.2-1
ii  minetest-data     5.3.0+repack-2.1+deb11u1
ii  zlib1g            1:1.2.11.dfsg-2

minetest recommends no packages.

Versions of packages minetest suggests:
pn  minetest-mod-moreblocks  <none>
pn  minetest-mod-moreores    <none>
pn  minetest-mod-pipeworks   <none>
pn  minetest-server          <none>
pn  minetestmapper           <none>

-- no debconf information
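
An added example of the kind of Lua wrapper the report describes, validating the area before minetest.find_nodes_in_area() is reached; it is not the Mineclonia patch or upstream code. The names `MAP_BOUND`, `is_coord` and `checked_area`, the bound value, and the choice to return empty results on refusal are assumptions made for this illustration.

```lua
-- Added example; not the Mineclonia patch or upstream Minetest code.
local MAX_VOLUME = 4096000 -- limit quoted in the engine's error message
local MAP_BOUND = 31000    -- assumption: operator-chosen bound, adjust as needed

-- True only for finite numbers (rejects nil, strings, NaN and +/-inf).
local function is_coord(n)
	return type(n) == "number" and n == n
		and n > -math.huge and n < math.huge
end

-- Returns sorted corners intersected with the bound, or nil if the
-- request is malformed, lies outside the bound, or is too large.
local function checked_area(pos1, pos2)
	if type(pos1) ~= "table" or type(pos2) ~= "table" then return nil end
	local minp, maxp, volume = {}, {}, 1
	for _, axis in ipairs({"x", "y", "z"}) do
		local a, b = pos1[axis], pos2[axis]
		if not (is_coord(a) and is_coord(b)) then return nil end
		a, b = math.floor(a + 0.5), math.floor(b + 0.5)
		local lo = math.max(math.min(a, b), -MAP_BOUND)
		local hi = math.min(math.max(a, b), MAP_BOUND)
		if lo > hi then return nil end -- entirely outside the bound
		minp[axis], maxp[axis] = lo, hi
		volume = volume * (hi - lo + 1)
	end
	if volume > MAX_VOLUME then return nil end
	return minp, maxp
end

-- Install the wrapper only when loaded inside the engine as a mod.
if minetest and minetest.find_nodes_in_area then
	local engine_find = minetest.find_nodes_in_area
	minetest.find_nodes_in_area = function(pos1, pos2, ...)
		local minp, maxp = checked_area(pos1, pos2)
		if not minp then
			-- Refuse the call instead of raising an error or scanning.
			return {}, {}
		end
		return engine_find(minp, maxp, ...)
	end
end
```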