Bug 405661 (CVE-2007-5742)
| Field | Value |
|---|---|
| Summary | CVE-2007-5742, CVE-2007-6201 wesnoth: multiple vulnerabilities |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Tomas Hoger <thoger> |
| Assignee | Brian Pepple <bdpepple> |
| CC | rbu, security-response-team |
| Keywords | Security |
| URL | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5742 |
| Fixed In Version | 1.2.8-2.fc8 |
| Doc Type | Bug Fix |
| Last Closed | 2007-12-03 11:40:21 UTC |

Description
Tomas Hoger
2007-11-30 09:30:12 UTC
Brian, I've noticed new builds of 1.2.8 in Koji, which either failed or were canceled. Please consider mentioning CVE id in the RPM changelog. Thanks!

(In reply to comment #1)
> Brian, I've noticed new builds of 1.2.8 in Koji, which either failed or were
> canceled. Please consider mentioning CVE id in the RPM changelog. Thanks!

Yeah, the build is failing due to PulseAudio. Once I figure out how to fix it, I'll mention the CVE id in the changelog.

1.2.8 apparently fixes CVE-2007-6201 too.

See https://bugs.gentoo.org/200789 for more details on impact and exploitability.

(In reply to comment #3)
> 1.2.8 apparently fixes CVE-2007-6201 too.

Right, two CVE ids were assigned for wesnoth vulnerabilities:

CVE-2007-5742: Directory traversal vulnerability in the WML engine preprocessor for Wesnoth before 1.2.8 allows remote attackers to read arbitrary files via ".." sequences in unknown vectors.

References:
- http://www.wesnoth.org/forum/viewtopic.php?p=264289#264289
- http://sourceforge.net/project/shownotes.php?release_id=557098
- http://secunia.com/advisories/27786
- http://www.frsirt.com/english/advisories/2007/4026
- http://xforce.iss.net/xforce/xfdb/38752
- http://www.securityfocus.com/bid/26626

CVE-2007-6201: Unspecified vulnerability in Wesnoth before 1.2.8 allows attackers to cause a denial of service (hang) via a "faulty add-on" and possibly execute other commands via unknown vectors related to the turn_cmd option.

References:
- http://www.wesnoth.org/forum/viewtopic.php?p=264289#264289
- http://sourceforge.net/project/shownotes.php?release_id=557098
- http://secunia.com/advisories/27786
- http://www.frsirt.com/english/advisories/2007/4026
- http://xforce.iss.net/xforce/xfdb/38751

(In reply to comment #4)
> See https://bugs.gentoo.org/200789 for more details on impact and
> exploitability.

Thanks Robert! Based on more information from Gentoo bug, this should probably be low.

wesnoth-1.2.8-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

wesnoth-1.2.8-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.