[wesnoth] 01/01: Pull af61f9fd from upstream to fix CVE-2015-0844

Gerfried Fuchs rhonda at debian.org
Fri Apr 17 13:24:53 UTC 2015


This is an automated email from the git hooks/post-receive script.

rhonda pushed a commit to branch squeeze
in repository wesnoth.

commit f17e501c8aca07d623996f930ecb588a4de1f64e
Author: Rhonda D'Vine <rhonda at debian.org>
Date:   Fri Apr 17 15:11:05 2015 +0200

    Pull af61f9fd from upstream to fix CVE-2015-0844
---
 debian/changelog                                   |  7 +++
 debian/control                                     |  2 +-
 debian/control.in                                  |  2 +-
 .../af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch | 53 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 5 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 44105d0..4496416 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wesnoth-1.8 (1:1.8.5-1+deb6u1) squeeze-lts; urgency=high
+
+  * Pull af61f9fd from upstream to fix "Private file disclosure through
+    get_wml_location()" (CVE-2015-0844)
+
+ -- Rhonda D'Vine <rhonda at debian.org>  Fri, 17 Apr 2015 14:26:30 +0200
+
 wesnoth-1.8 (1:1.8.5-1) unstable; urgency=low
 
   * New upstream stable release.
diff --git a/debian/control b/debian/control
index a341bfb..eaa0f81 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 7), quilt, libsdl-image1.2-dev, libfreetype6-dev,
   libboost-iostreams-dev, libboost-test-dev, libboost-regex-dev,
   libboost-serialization-dev, libpango1.0-dev, automake, liblua5.1-0-dev
 Standards-Version: 3.9.1
-Uploaders: Gerfried Fuchs <rhonda at debian.at>
+Uploaders: Rhonda D'Vine <rhonda at debian.org>
 Homepage: http://wesnoth.org/
 Vcs-Git: git://git.debian.org/git/pkg-games/wesnoth.git
 Vcs-Browser: http://git.debian.org/?p=pkg-games/wesnoth.git;a=summary
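Review bot: the Uploaders change on the `-`/`+` pair here (and the identical one in debian/control.in) is unrelated to CVE-2015-0844 and is not recorded in the new debian/changelog entry, which lists only the upstream patch. Either add a changelog line for the maintainer name and address update or leave it out of this upload, so that the diff against 1:1.8.5-1 for squeeze-lts contains only the security fix.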
diff --git a/debian/control.in b/debian/control.in
index 9fa259f..f7fcae8 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 7), quilt, libsdl-image1.2-dev, libfreetype6-dev,
   libboost-iostreams-dev, libboost-test-dev, libboost-regex-dev,
   libboost-serialization-dev, libpango1.0-dev, automake, liblua5.1-0-dev
 Standards-Version: 3.9.1
-Uploaders: Gerfried Fuchs <rhonda at debian.at>
+Uploaders: Rhonda D'Vine <rhonda at debian.org>
 Homepage: http://wesnoth.org/
 Vcs-Git: git://git.debian.org/git/pkg-games/wesnoth.git
 Vcs-Browser: http://git.debian.org/?p=pkg-games/wesnoth.git;a=summary
diff --git a/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
new file mode 100644
index 0000000..e8077db
--- /dev/null
+++ b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
@@ -0,0 +1,53 @@
+From af61f9fdd15cd439da9e2fe5fa39d174c923eaae Mon Sep 17 00:00:00 2001
+From: "Ignacio R. Morelle" <shadowm at wesnoth.org>
+Date: Fri, 16 May 2014 01:45:18 -0400
+Subject: [PATCH] fs: Use game data path to resolve ./ in the absence of a
+ current_dir
+
+Fixes a file content disclosure bug (#22042) affecting functionality
+relying on the get_wml_location() function and not passing a non-empty
+value for the current_dir parameter.
+
+See <https://gna.org/bugs/?22042> for details.
+
+This is a candidate for the 1.10 and 1.12 branches.
+
+(Backported from master, commit 314425ab0e57b32909d324f7d4bf213d62cbd3b5.)
+---
+ changelog          |  1 +
+ src/filesystem.cpp | 14 ++++++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/src/filesystem.cpp
++++ b/src/filesystem.cpp
+@@ -1063,8 +1063,18 @@ std::string get_wml_location(const std::
+ 	else if (filename.size() >= 2 && filename[0] == '.' && filename[1] == '/')
+ 	{
+ 		// If the filename begins with a "./", look in the same directory
+-		// as the file currrently being preprocessed.
+-		result = current_dir + filename.substr(2);
++		// as the file currently being preprocessed.
++
++		if (!current_dir.empty())
++		{
++			result = current_dir;
++		}
++		else
++		{
++			result = game_config::path;
++		}
++
++		result += filename.substr(2);
+ 	}
+ 	else if (!game_config::path.empty())
+ 		result = game_config::path + "/data/" + filename;
+--- a/changelog
++++ b/changelog
+@@ -24,6 +24,7 @@ Version 1.8.5:
+    * Fix bug #15960 "again", making "Cancel" a separate action and not just
+      a duplicate of "OK."
+    * Fix crash when doing teleport+attack to a fogged village
++   * Fix bug #22042: filesystem content disclosure issue affecting Lua APIs
+ 
+ Version 1.8.4:
+  * AI:
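Review bot: in the src/filesystem.cpp hunk of the imported patch, the new `else` fallback still yields a relative path when `game_config::path` is empty too: `result` then becomes just `filename.substr(2)`, so it resolves against the process working directory exactly as it did before the change. The branch that follows guards with `!game_config::path.empty()` before using that variable; the same guard fits here, leaving `result` empty when neither directory is known. The fallback also joins `game_config::path` and the remainder with no separator, while the next branch writes `game_config::path + "/data/" + filename`; unless the path carries a trailing slash, the result is not a path inside the game data directory, so an explicit "/" looks intended. Both points are inherited from upstream commit af61f9fd and are worth raising there rather than diverging in the Debian copy.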
diff --git a/debian/patches/series b/debian/patches/series
index 57b6465..9b0fc18 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 02wesnoth-nolog-desktop-file
 03wesnothd-name
+af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
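Review bot: the new series entry breaks the naming scheme of the two existing entries (`02wesnoth-nolog-desktop-file`, `03wesnothd-name`), which use a numeric prefix and a descriptive name. A bare commit hash says nothing about what the patch does when someone reads the series file later; a name following the existing pattern that mentions CVE-2015-0844 would make the purpose visible, with the upstream hash kept in the patch header where it already appears.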

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/wesnoth.git


