Security advisory for 1.4.x

ivanovic
Lord of Translations
Posts: 1146
Joined: September 28th, 2004, 10:10 pm
Location: Germany

Security advisory for 1.4.x

Post by ivanovic » March 2nd, 2009, 4:18 pm

Hi everybody!
As you might have read in the 1.5.11 release announcement, the support for PythonAI was removed. This was done to fix a vulnerability that could allow third-party content (such as campaigns downloaded from the add-on server) to execute arbitrary code with user account privileges. See https://gna.org/bugs/index.php?13048 for details. All content currently on the official add-on server has been inspected to confirm that none of it exploits this vulnerability, and the add-on server itself has been patched to ensure that exploits can no longer be uploaded. Therefore, users of previous versions of Battle for Wesnoth who have received user-made content through the official add-on server and no other distribution channel need not fear that their system has been compromised.

CVE-2009-0367 has been assigned to this vulnerability and may provide further information.

If you are still using 1.4.x and not 1.5.x (why are you doing so btw, switch to the latest dev version, it is "better" and even more stable...), we do advise you to disable Python support if you compiled the binary yourself. All known packagers were contacted and I know about reactions from some of them already. Users of the official Windows binary should not be affected since Python support in it was broken anyway.

benetnash
Posts: 3
Joined: November 7th, 2008, 7:05 pm

Re: Security advisory for 1.4.x

Post by benetnash » March 29th, 2009, 8:04 am

IMO it's quite silly. I.e. from the XUL level in Firefox add-ons you can erase the whole filesystem, and Firefox add-ons are still in use.

Instead of removing Python support there should be a community server where only trusted (examined by other users) scripts would be available. Another way is to make the game permit loading only signed scripts.
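The "only trusted, reviewed scripts get loaded" idea from the post above, as an added illustration that is not code from this thread or from Wesnoth: a loader that hashes an add-on's Python source and hands it to exec() only if that digest appears in a manifest of reviewed scripts, so a file altered after review is refused even though its name still matches. The manifest, the script names and the two sample scripts are constructed assumptions.

```python
"""Gate add-on Python scripts behind an allowlist of reviewed digests."""
import hashlib

# Constructed sample scripts standing in for add-on AI code. The first is
# the version a community review would have approved; the second is the
# same file with one extra statement, as a tampered or unreviewed upload
# would be. The tampered one is never executed below.
REVIEWED_AI = b"def choose_move(units):\n    return min(units)\n"
TAMPERED_AI = REVIEWED_AI + b"import os\n"


def script_digest(source: bytes) -> str:
    """SHA-256 hex digest of the exact script bytes."""
    return hashlib.sha256(source).hexdigest()


# Hypothetical manifest a review server would publish: digest -> script name.
# Only scripts listed here are ever handed to exec().
REVIEWED_MANIFEST = {script_digest(REVIEWED_AI): "example_ai.py"}


class UntrustedScriptError(Exception):
    """Raised when an add-on script is not on the reviewed manifest."""


def load_ai_script(name: str, source: bytes, manifest: dict) -> dict:
    """Execute `source` only if its digest is listed under `name` in `manifest`.

    Returns the script's namespace so the caller can pick up functions such
    as choose_move(). Any change to the bytes changes the digest, so a
    modified script fails even when its file name is unchanged.
    """
    digest = script_digest(source)
    if manifest.get(digest) != name:
        raise UntrustedScriptError(f"{name} ({digest[:12]}...) is not reviewed")
    namespace: dict = {}
    exec(compile(source, name, "exec"), namespace)
    return namespace


def try_load(name: str, source: bytes, manifest: dict) -> bool:
    """True if the script was accepted and loaded, False if it was refused."""
    try:
        load_ai_script(name, source, manifest)
        return True
    except UntrustedScriptError:
        return False


if __name__ == "__main__":
    ns = load_ai_script("example_ai.py", REVIEWED_AI, REVIEWED_MANIFEST)
    print("reviewed script loaded, choose_move ->", ns["choose_move"]([3, 1, 2]))
    print("tampered script accepted:", try_load("example_ai.py", TAMPERED_AI, REVIEWED_MANIFEST))
```

The signed-scripts variant would replace the manifest lookup with a signature check over the same digest; the gate in front of exec() stays the same.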

Daedal
Posts: 26
Joined: March 25th, 2009, 7:37 pm

Re: Security advisory for 1.4.x

Post by Daedal » April 3rd, 2009, 4:09 pm

ivanovic wrote:
If you are still using 1.4.x and not 1.5.x (why are you doing so btw, switch to the latest dev version, it is "better" and even more stable...)
Anyone that plays BfW on Ubuntu Linux and hasn't wandered to this site or bothered to figure out how to obtain v1.6 is probably still at v1.4 because that's what's currently in the official Ubuntu repository. If they haven't been to this site they probably don't even know v1.6 exists.
