Your message dated Thu, 18 Aug 2022 21:51:37 +0000
with message-id <e1oonqp-00fypw...@fasolo.debian.org>
and subject line Bug#1017548: fixed in minetest 5.5.0+dfsg+~1.9.0mt4+dfsg-2
has caused the Debian Bug report #1017548,
regarding minetest: CVE-2022-35978
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1017548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: minetest
Version: 5.5.0+dfsg+~1.9.0mt4+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for minetest, filing it as
grave, but downgrade if you strongly disagree.

CVE-2022-35978[0]:
| Minetest is a free open-source voxel game engine with easy modding and
| game creation. In **single player**, a mod can set a global setting
| that controls the Lua script loaded to display the main menu. The
| script is then loaded as soon as the game session is exited. The Lua
| environment the menu runs in is not sandboxed and can directly
| interfere with the user's system. There are currently no known
| workarounds.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-35978
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35978
[1] https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc
[2] https://github.com/minetest/minetest/commit/da71e86633d0b27cd02d7aac9fdac625d141ca13

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: minetest
Source-Version: 5.5.0+dfsg+~1.9.0mt4+dfsg-2
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
minetest, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1017...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated minetest package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Aug 2022 22:26:07 +0200
Source: minetest
Architecture: source
Version: 5.5.0+dfsg+~1.9.0mt4+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-de...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1017548
Changes:
 minetest (5.5.0+dfsg+~1.9.0mt4+dfsg-2) unstable; urgency=medium
 .
   * Fix CVE-2022-35978:
     In **single player**, a mod can set a global setting that controls the Lua
     script loaded to display the main menu. The script is then loaded as soon
     as the game session is exited. The Lua environment the menu runs in is not
     sandboxed and can directly interfere with the user's system. There are
     currently no known workarounds. (Closes: #1017548)


--- End Message ---
