Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5742 to the following vulnerability:
Versions prior to 1.2.8 and development branches prior to 1.3.12 are affected by a security vulnerability which allows attackers to view the content of files on the remote computer running Wesnoth.
References:
http://www.wesnoth.org/forum/viewtopic.php?p=264289#264289
http://secunia.com/advisories/27786/
Brian, I've noticed new builds of 1.2.8 in Koji, which either failed or were canceled. Please consider mentioning CVE id in the RPM changelog. Thanks!
(In reply to comment #1)
> Brian, I've noticed new builds of 1.2.8 in Koji, which either failed or were
> canceled. Please consider mentioning CVE id in the RPM changelog. Thanks!
Yeah, the build is failing due to PulseAudio. Once I figure out how to fix it, I'll mention the CVE id in the changelog.
1.2.8 apparently fixes CVE-2007-6201 too.
See https://bugs.gentoo.org/200789 for more details on impact and exploitability.
(In reply to comment #3)
> 1.2.8 apparently fixes CVE-2007-6201 too.
Right, two CVE ids were assigned for wesnoth vulnerabilities:
CVE-2007-5742: Directory traversal vulnerability in the WML engine preprocessor for Wesnoth before 1.2.8 allows remote attackers to read arbitrary files via ".." sequences in unknown vectors.
References:
http://www.wesnoth.org/forum/viewtopic.php?p=264289#264289
http://sourceforge.net/project/shownotes.php?release_id=557098
http://secunia.com/advisories/27786
http://www.frsirt.com/english/advisories/2007/4026
http://xforce.iss.net/xforce/xfdb/38752
http://www.securityfocus.com/bid/26626
CVE-2007-6201: Unspecified vulnerability in Wesnoth before 1.2.8 allows attackers to cause a denial of service (hang) via a "faulty add-on" and possibly execute other commands via unknown vectors related to the turn_cmd option.
References:
http://www.wesnoth.org/forum/viewtopic.php?p=264289#264289
http://sourceforge.net/project/shownotes.php?release_id=557098
http://secunia.com/advisories/27786
http://www.frsirt.com/english/advisories/2007/4026
http://xforce.iss.net/xforce/xfdb/38751
(In reply to comment #4)
> See https://bugs.gentoo.org/200789 for more details on impact and
> exploitability.
Thanks Robert! Based on more information from Gentoo bug, this should probably be low.
wesnoth-1.2.8-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
wesnoth-1.2.8-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.