[Bug 1102154] New: VUL-0: CVE-2018-1999023: wesnoth: Arbitrary code execution/sandbox escape via untrusted lua code
http://bugzilla.opensuse.org/show_bug.cgi?id=1102154

Bug ID: 1102154
Summary: VUL-0: CVE-2018-1999023: wesnoth: Arbitrary code execution/sandbox escape via untrusted lua code
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
URL: https://smash.suse.de/issue/211373/
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: hhetter@suse.com
Reporter: jsegitz@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2018-1999023

Description:

The Wesnoth game engine uses the vanilla Lua programming language library to implement most of its game scripting capabilities. Lua is able to execute bytecode using its load(), loadfile(), loadstring(), dofile(), and require() functions. Wesnoth in particular exposes load(), loadstring(), and two wrappers for the former in the form of wesnoth.dofile() and wesnoth.require(), without making sure to disable the ability to load and execute bytecode. It has been documented [1] that it is possible to exploit the Lua load functions to execute untrusted bytecode that can then bypass sandbox measures, or even gain and abuse special knowledge about the process' memory layout.

[1] https://gist.github.com/corsix/6575486

Wesnoth executes Lua code from untrusted local files either written by players or downloaded through a player content distribution server, as well as from data sent over the network in multiplayer games; thus this vulnerability is rather severe as it can be exploited remotely by malicious parties without the user's knowledge.

This issue was found by Daniel Dräger, a Wesnoth developer, and author of an unmerged patch fixing it.

Affected versions:

All existing versions of Wesnoth with the Lua scripting capability, i.e. versions 1.7.0 through 1.14.3.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1999023
http://seclists.org/oss-sec/2018/q3/55

--
You are receiving this mail because:
You are on the CC list for the bug.
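
The missing safeguard the description names, disabling bytecode loading, shown as an added example that is not part of the bug report and not Wesnoth's code. It assumes Lua 5.2 or later, where load() accepts a mode argument; `safe_load`, `is_bytecode` and the sample chunks are hypothetical names constructed here.

```lua
-- Added example, not Wesnoth code. Assumes Lua 5.2+ (load() takes a mode argument).
-- safe_load and is_bytecode are hypothetical helper names.

-- Precompiled chunks begin with the ESC byte of the "\27Lua" signature.
local function is_bytecode(chunk)
  return chunk:byte(1) == 27
end

-- Compile untrusted input as source text only, in a caller-supplied environment.
local function safe_load(chunk, chunkname, env)
  if type(chunk) ~= "string" then
    -- Reader functions cannot be inspected up front, so refuse them.
    return nil, "only string chunks are accepted"
  end
  if is_bytecode(chunk) then
    return nil, "precompiled chunk rejected"
  end
  -- Mode "t" makes load() itself refuse binary chunks (second layer).
  -- An explicit env table keeps the chunk away from the real globals.
  return load(chunk, chunkname or "=untrusted", "t", env or {})
end

-- Constructed sample input: the same chunk as source text and as bytecode.
local source   = "return 1 + 1"
local compiled = string.dump(assert(load(source)))

-- Plain load() compiles both forms; this is the behaviour the report describes.
print("plain load, text:     ", load(source) ~= nil)
print("plain load, bytecode: ", load(compiled) ~= nil)

-- The wrapper runs the text chunk and returns nil plus a reason for bytecode.
local fn = assert(safe_load(source, "=demo"))
print("safe_load, text:      ", fn())
print("safe_load, bytecode:  ", safe_load(compiled, "=demo"))

-- load() with mode "t" alone also refuses the binary chunk.
print("load mode 't':        ", load(compiled, "=demo", "t"))
```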