Bug ID 1102154
Summary VUL-0: CVE-2018-1999023: wesnoth: Arbitrary code execution/sandbox escape via untrusted lua code
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.3
Hardware Other
URL https://smash.suse.de/issue/211373/
OS Other
Status NEW
Severity Major
Priority P5 - None
Component Security
Assignee hhetter@suse.com
Reporter jsegitz@suse.com
QA Contact security-team@suse.de
Found By Security Response Team
Blocker ---

CVE-2018-1999023

Description:

The Wesnoth game engine uses the vanilla Lua programming language library to 
implement most of its game scripting capabilities. Lua is able to execute 
bytecode using its load(), loadfile(), loadstring(), dofile(), and require() 
functions. Wesnoth in particular exposes load(), loadstring(), and two 
wrappers for the former in the form of wesnoth.dofile() and wesnoth.require(), 
without making sure to disable the ability to load and execute bytecode.

It has been documented [1] that it is possible to exploit the Lua load 
functions to execute untrusted bytecode that can then bypass sandbox measures, 
or even gain and abuse special knowledge about the process' memory layout.

  [1] https://gist.github.com/corsix/6575486

Wesnoth executes Lua code from untrusted local files either written by players 
or downloaded through a player content distribution server, as well as from 
data sent over the network in multiplayer games; thus this vulnerability is 
rather severe as it can be exploited remotely by malicious parties without the 
user's knowledge.

This issue was found by Daniel Dr�ger, a Wesnoth developer, and author of an 
unmerged patch fixing it.


Affected versions:

All existing versions of Wesnoth with the Lua scripting capability, i.e. 
versions 1.7.0 through 1.14.3.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1999023
http://seclists.org/oss-sec/2018/q3/55
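
The mitigation the description points to is refusing precompiled chunks before they reach the Lua loader. The sketch below is an added example, not part of the original report and not Wesnoth's patch; safe_load, read_all and the error strings are hypothetical names, and it assumes a stock Lua 5.1 to 5.4 interpreter.

```lua
-- Added example (not Wesnoth's patch): a load() wrapper that accepts only
-- Lua source text. safe_load and its error messages are hypothetical names.

local BYTECODE_MARK = "\27"  -- first byte of LUA_SIGNATURE ("\27Lua")

-- Drain a reader function into one string so the first byte can be
-- inspected before anything reaches the real loader.
local function read_all(reader)
  local parts = {}
  while true do
    local piece = reader()
    if piece == nil or piece == "" then break end
    if type(piece) ~= "string" then
      return nil, "chunk reader must return strings"
    end
    parts[#parts + 1] = piece
  end
  return table.concat(parts)
end

local function safe_load(chunk, chunkname, env)
  if type(chunk) == "function" then
    local err
    chunk, err = read_all(chunk)
    if not chunk then return nil, err end
  elseif type(chunk) ~= "string" then
    return nil, "chunk must be a string or a reader function"
  end
  if chunk:sub(1, 1) == BYTECODE_MARK then
    return nil, "refusing to load precompiled Lua chunk"
  end
  if loadstring and setfenv then            -- Lua 5.1: no mode argument
    local fn, err = loadstring(chunk, chunkname)
    if fn and env then setfenv(fn, env) end
    return fn, err
  end
  -- Lua 5.2+: mode "t" makes the loader itself reject binary chunks.
  if env ~= nil then return load(chunk, chunkname, "t", env) end
  return load(chunk, chunkname, "t")
end

-- Constructed check: source text loads, the same code as bytecode does not.
local source = "return 1 + 1"
local compiled = string.dump(assert(safe_load(source, "=sample")))
assert(safe_load(source, "=sample")() == 2)
assert(safe_load(compiled, "=sample") == nil)
assert(safe_load(function() local c = compiled; compiled = nil; return c end) == nil)
```

File-based loaders need the same check applied after any leading "#" line is skipped, because the stock luaL_loadfile skips that line before it tests for the bytecode signature.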

