[wesnoth] 01/01: Pull af61f9fd from upstream to fix CVE-2015-0844
Gerfried Fuchs
rhonda at debian.org
Fri Apr 17 13:24:53 UTC 2015
This is an automated email from the git hooks/post-receive script.
rhonda pushed a commit to branch squeeze
in repository wesnoth.
commit f17e501c8aca07d623996f930ecb588a4de1f64e
Author: Rhonda D'Vine <rhonda at debian.org>
Date: Fri Apr 17 15:11:05 2015 +0200
Pull af61f9fd from upstream to fix CVE-2015-0844
---
debian/changelog | 7 +++
debian/control | 2 +-
debian/control.in | 2 +-
.../af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch | 53 ++++++++++++++++++++++
debian/patches/series | 1 +
5 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 44105d0..4496416 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wesnoth-1.8 (1:1.8.5-1+deb6u1) squeeze-lts; urgency=high
+
+ * Pull af61f9fd from upstream to fix "Private file disclosure through
+ get_wml_location()" (CVE-2015-0844)
+
+ -- Rhonda D'Vine <rhonda at debian.org> Fri, 17 Apr 2015 14:26:30 +0200
+
wesnoth-1.8 (1:1.8.5-1) unstable; urgency=low
* New upstream stable release.
diff --git a/debian/control b/debian/control
index a341bfb..eaa0f81 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 7), quilt, libsdl-image1.2-dev, libfreetype6-dev,
libboost-iostreams-dev, libboost-test-dev, libboost-regex-dev,
libboost-serialization-dev, libpango1.0-dev, automake, liblua5.1-0-dev
Standards-Version: 3.9.1
-Uploaders: Gerfried Fuchs <rhonda at debian.at>
+Uploaders: Rhonda D'Vine <rhonda at debian.org>
Homepage: http://wesnoth.org/
Vcs-Git: git://git.debian.org/git/pkg-games/wesnoth.git
Vcs-Browser: http://git.debian.org/?p=pkg-games/wesnoth.git;a=summary
diff --git a/debian/control.in b/debian/control.in
index 9fa259f..f7fcae8 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 7), quilt, libsdl-image1.2-dev, libfreetype6-dev,
libboost-iostreams-dev, libboost-test-dev, libboost-regex-dev,
libboost-serialization-dev, libpango1.0-dev, automake, liblua5.1-0-dev
Standards-Version: 3.9.1
-Uploaders: Gerfried Fuchs <rhonda at debian.at>
+Uploaders: Rhonda D'Vine <rhonda at debian.org>
Homepage: http://wesnoth.org/
Vcs-Git: git://git.debian.org/git/pkg-games/wesnoth.git
Vcs-Browser: http://git.debian.org/?p=pkg-games/wesnoth.git;a=summary
diff --git a/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
new file mode 100644
index 0000000..e8077db
--- /dev/null
+++ b/debian/patches/af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
@@ -0,0 +1,53 @@
+From af61f9fdd15cd439da9e2fe5fa39d174c923eaae Mon Sep 17 00:00:00 2001
+From: "Ignacio R. Morelle" <shadowm at wesnoth.org>
+Date: Fri, 16 May 2014 01:45:18 -0400
+Subject: [PATCH] fs: Use game data path to resolve ./ in the absence of a
+ current_dir
+
+Fixes a file content disclosure bug (#22042) affecting functionality
+relying on the get_wml_location() function and not passing a non-empty
+value for the current_dir parameter.
+
+See <https://gna.org/bugs/?22042> for details.
+
+This is a candidate for the 1.10 and 1.12 branches.
+
+(Backported from master, commit 314425ab0e57b32909d324f7d4bf213d62cbd3b5.)
+---
+ changelog | 1 +
+ src/filesystem.cpp | 14 ++++++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/src/filesystem.cpp
++++ b/src/filesystem.cpp
+@@ -1063,8 +1063,18 @@ std::string get_wml_location(const std::
+ else if (filename.size() >= 2 && filename[0] == '.' && filename[1] == '/')
+ {
+ // If the filename begins with a "./", look in the same directory
+- // as the file currrently being preprocessed.
+- result = current_dir + filename.substr(2);
++ // as the file currently being preprocessed.
++
++ if (!current_dir.empty())
++ {
++ result = current_dir;
++ }
++ else
++ {
++ result = game_config::path;
++ }
++
++ result += filename.substr(2);
+ }
+ else if (!game_config::path.empty())
+ result = game_config::path + "/data/" + filename;
+--- a/changelog
++++ b/changelog
+@@ -24,6 +24,7 @@ Version 1.8.5:
+ * Fix bug #15960 "again", making "Cancel" a separate action and not just
+ a duplicate of "OK."
+ * Fix crash when doing teleport+attack to a fogged village
++ * Fix bug #22042: filesystem content disclosure issue affecting Lua APIs
+
+ Version 1.8.4:
+ * AI:
diff --git a/debian/patches/series b/debian/patches/series
index 57b6465..9b0fc18 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
02wesnoth-nolog-desktop-file
03wesnothd-name
+af61f9fdd15cd439da9e2fe5fa39d174c923eaae.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/wesnoth.git
More information about the Pkg-games-commits
mailing list