r8938 - in packages/branches/wesnoth/experimental: . debian debian/patches
Gerfried Fuchs
alfie at alioth.debian.org
Tue Feb 24 17:49:46 UTC 2009
Author: alfie
Date: 2009-02-24 17:49:46 +0000 (Tue, 24 Feb 2009)
New Revision: 8938
Added:
packages/branches/wesnoth/experimental/debian/patches/03fix-server-dos
Modified:
packages/branches/wesnoth/experimental/
packages/branches/wesnoth/experimental/debian/changelog
packages/branches/wesnoth/experimental/debian/control
packages/branches/wesnoth/experimental/debian/patches/02wesnoth-nolog-desktop-file
packages/branches/wesnoth/experimental/debian/patches/series
packages/branches/wesnoth/experimental/debian/rules
Log:
wesnoth (1:1.5.11-1) experimental; urgency=high
* New upstream release, which addresses several severe bugs:
- Removed python AI support which allowed to break out of sandbox and
allowed execution of arbitrary code (CVE-2009-0367, Upstream Bug #13048).
Remove python-dev from Build-Dependencies and related compile option
from debian/rules.
- Limiting map size to 200x200 to avoid hanging of wesnoth/exhausting
system memory (Upstream Bug #13031)
* Pulled patch fix-server-dos from upstream svn r33069 which fixes a DoS
pattern in the server, which came in a bit too late for the release
(CVE-2009-0366, Upstream Bug #13037)
* Don't chmod +x on wesnoth/wmlgrammar.py tools file anymore.
Property changes on: packages/branches/wesnoth/experimental
___________________________________________________________________
Name: svn-bp:origUrl
- http://pkg-games.alioth.debian.org/tarballs/wesnoth_1.5.10.orig.tar.gz
+ http://pkg-games.alioth.debian.org/tarballs/wesnoth_1.5.11.orig.tar.gz
Modified: packages/branches/wesnoth/experimental/debian/changelog
===================================================================
--- packages/branches/wesnoth/experimental/debian/changelog 2009-02-24 16:43:59 UTC (rev 8937)
+++ packages/branches/wesnoth/experimental/debian/changelog 2009-02-24 17:49:46 UTC (rev 8938)
@@ -1,3 +1,19 @@
+wesnoth (1:1.5.11-1) experimental; urgency=high
+
+ * New upstream release, which addresses several severe bugs:
+ - Removed python AI support which allowed to break out of sandbox and
+ allowed execution of abitrary code (CVE-2009-0367, Upstream Bug #13048).
+ Remove python-dev from Build-Dependencies and related compile option
+ from debian/rules.
+ - Limiting map size to 200x200 to avoid hanging of wesnoth/exhausting
+ system memory (Upstream Bug #13031)
+ * Pulled patch fix-server-dos from upstream svn r33069 which fixes a DoS
+ pattern in the server, which came in a bit too late for the release
+ (CVE-2009-0366, Upstream Bug #13037)
+ * Don't chmod +x on wesnoth/wmlgrammar.py tools file anymore.
+
+ -- Gerfried Fuchs <rhonda at debian.at> Tue, 24 Feb 2009 16:10:36 +0100
+
wesnoth (1:1.5.10-1) experimental; urgency=low
* Second beta for upcoming 1.6 release.
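Review bot: "abitrary" in the CVE-2009-0367 item of the new entry should read "arbitrary". Since this text ends up in the package changelog that users see on upgrade, it is worth correcting before upload.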
Modified: packages/branches/wesnoth/experimental/debian/control
===================================================================
--- packages/branches/wesnoth/experimental/debian/control 2009-02-24 16:43:59 UTC (rev 8937)
+++ packages/branches/wesnoth/experimental/debian/control 2009-02-24 17:49:46 UTC (rev 8938)
@@ -4,7 +4,7 @@
Maintainer: Debian Games Team <pkg-games-devel at lists.alioth.debian.org>
Build-Depends: debhelper (>= 5), quilt, libsdl-image1.2-dev, libfreetype6-dev,
libsdl-mixer1.2-dev, libsdl-net1.2-dev, libfribidi-dev, libsdl1.2-dev,
- libsdl-ttf2.0-dev (>= 2.0.8), python-dev (>= 2.3), python-support,
+ libsdl-ttf2.0-dev (>= 2.0.8), python-support,
libboost-iostreams1.37-dev, libboost-test1.37-dev, libboost-regex1.37-dev,
libpango1.0-dev
Standards-Version: 3.8.0
Modified: packages/branches/wesnoth/experimental/debian/patches/02wesnoth-nolog-desktop-file
===================================================================
--- packages/branches/wesnoth/experimental/debian/patches/02wesnoth-nolog-desktop-file 2009-02-24 16:43:59 UTC (rev 8937)
+++ packages/branches/wesnoth/experimental/debian/patches/02wesnoth-nolog-desktop-file 2009-02-24 17:49:46 UTC (rev 8938)
@@ -1,10 +1,10 @@
Author: Gerfried Fuchs <rhonda at debian.at> vim:ft=diff:
Description: call wesnoth-nolog from desktop file, too
-Index: wesnoth-1.5.2/icons/wesnoth.desktop
+Index: wesnoth-1.5.11/icons/wesnoth.desktop
===================================================================
---- wesnoth-1.5.2.orig/icons/wesnoth.desktop
-+++ wesnoth-1.5.2/icons/wesnoth.desktop
+--- wesnoth-1.5.11.orig/icons/wesnoth.desktop
++++ wesnoth-1.5.11/icons/wesnoth.desktop
@@ -44,6 +44,6 @@ Comment[sk]=Ťahová strategická hra z
Comment[sr]=Фантазијска стратешка игра на потезе
Comment[sr at latin]=Fantazijska strateška igra na poteze
Added: packages/branches/wesnoth/experimental/debian/patches/03fix-server-dos
===================================================================
--- packages/branches/wesnoth/experimental/debian/patches/03fix-server-dos (rev 0)
+++ packages/branches/wesnoth/experimental/debian/patches/03fix-server-dos 2009-02-24 17:49:46 UTC (rev 8938)
@@ -0,0 +1,19 @@
+Author: dave vim:ft=diff:
+Description: fixed DoS attack using z compressed WML on server
+ (upstream svn r33069)
+
+Index: wesnoth-1.5.11/src/server/simple_wml.cpp
+===================================================================
+--- wesnoth-1.5.11.orig/src/server/simple_wml.cpp
++++ wesnoth-1.5.11/src/server/simple_wml.cpp
+@@ -28,6 +28,10 @@ char* uncompress_buffer(const string_spa
+ int len = 0;
+ int pos = 0;
+ while(filter.good() && (len = filter.read(&buf[pos], chunk_size).gcount()) == chunk_size) {
++ if(pos + chunk_size > 40000000) {
++ throw error("WML document exceeds 40MB limit");
++ }
++
+ pos += len;
+ buf.resize(pos + chunk_size);
+ len = 0;
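Review bot: the size check in uncompress_buffer compares against the bare literal 40000000 and runs only after filter.read() has already filled a full chunk, so the buffer is already past the limit (by up to one chunk_size) when the throw fires, and the final short read that ends the loop is not checked at all. Consider a named constant for the cap, from which the "40MB" text in the error message can also be derived, and testing the bound before buf.resize(pos + chunk_size) prepares the next read. The patch header would also benefit from citing CVE-2009-0366 and Upstream Bug #13037, which the changelog entry associates with this fix, so the file can be traced without the changelog.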
Modified: packages/branches/wesnoth/experimental/debian/patches/series
===================================================================
--- packages/branches/wesnoth/experimental/debian/patches/series 2009-02-24 16:43:59 UTC (rev 8937)
+++ packages/branches/wesnoth/experimental/debian/patches/series 2009-02-24 17:49:46 UTC (rev 8938)
@@ -1 +1,2 @@
02wesnoth-nolog-desktop-file
+03fix-server-dos
Modified: packages/branches/wesnoth/experimental/debian/rules
===================================================================
--- packages/branches/wesnoth/experimental/debian/rules 2009-02-24 16:43:59 UTC (rev 8937)
+++ packages/branches/wesnoth/experimental/debian/rules 2009-02-24 17:49:46 UTC (rev 8938)
@@ -21,7 +21,7 @@
CFLAGS += -O2
endif
-CONFIGURE_SWITCHES = --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --disable-rpath --prefix=/usr --mandir=\$${prefix}/share/man --bindir=\$${prefix}/games --with-datadir-name=wesnoth --with-localedir=\$${prefix}/share/locale --with-fifodir=/var/run/wesnothd --datadir=\$${prefix}/share/games --enable-server --enable-python --with-fribidi --enable-python-install CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs"
+CONFIGURE_SWITCHES = --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --disable-rpath --prefix=/usr --mandir=\$${prefix}/share/man --bindir=\$${prefix}/games --with-datadir-name=wesnoth --with-localedir=\$${prefix}/share/locale --with-fifodir=/var/run/wesnothd --datadir=\$${prefix}/share/games --enable-server --with-fribidi --enable-python-install CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs"
# calculate the version strings
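Review bot: --enable-python is dropped from CONFIGURE_SWITCHES but --enable-python-install stays on the same line, while the changelog speaks of removing the "related compile option" in the singular. If the install switch is kept on purpose, for instance for the wesnoth/*.py tools that the chmod block further down still touches, a short comment above CONFIGURE_SWITCHES saying so would keep it from reading as an oversight.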
@@ -86,7 +86,7 @@
pkgdatadir=/usr/share/games/wesnoth
cd $(CURDIR)/debian/tmp/usr/share/games/wesnoth/data/tools && chmod +x \
- extractbindings unit_tree/TeamColorizer wesnoth/wmlgrammar.py \
+ extractbindings unit_tree/TeamColorizer \
wesnoth/wescamp.py wesnoth/wmldata.py wesnoth/wmlparser.py \
wmlindent wmllint wmlscope wesnoth_addon_manager wmltest
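Review bot: wesnoth/wmlgrammar.py is removed from the chmod +x list, but neither this hunk nor the changelog line says why (file no longer shipped upstream, or no longer meant to be executable). A one-line reason in the changelog entry would make the change reviewable, and because the list is chained with "cd ... && chmod +x", any other file that disappears upstream will fail the build here in the same way.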