[wesnoth-commits] [wesnoth/wesnoth] 7f5ae3: Extend the first CVE-2018-1999023 unit test to als...
GitHub
noreply at github.com
Sat Jul 28 05:10:08 UTC 2018
Branch: refs/heads/1.14
Home: https://github.com/wesnoth/wesnoth
Commit: 7f5ae378162a866fc3bfc6201b01c3e708327d64
https://github.com/wesnoth/wesnoth/commit/7f5ae378162a866fc3bfc6201b01c3e708327d64
Author: Jyrki Vesterinen <sandgtx at gmail.com>
Date: 2018-07-28 (Sat, 28 Jul 2018)
Changed paths:
M data/test/scenarios/test_cve_2018_1999023.cfg
Log Message:
-----------
Extend the first CVE-2018-1999023 unit test to also try loadstring()

Like @gfgtdf pointed out, loadstring() is still supported by Lua in the
name of backwards compatibility, even though it was deprecated in Lua 5.2
and is no longer mentioned in the Lua manual. Thus, as of committing this it's
actually possible to load Lua bytecode.

Let's unit test this to ensure that we don't reintroduce this
vulnerability.
Commit: f4305cde33dbafa8818af2f75d35c61617cf81df
https://github.com/wesnoth/wesnoth/commit/f4305cde33dbafa8818af2f75d35c61617cf81df
Author: Jyrki Vesterinen <sandgtx at gmail.com>
Date: 2018-07-28 (Sat, 28 Jul 2018)
Changed paths:
M src/scripting/lua_kernel_base.cpp
Log Message:
-----------
Lua: also implement our own loadstring()

Fixes the vulnerability introduced in commit 52ae31efb21b31f5bb0763d1da24709e90393c59.

Note that loadstring() is still deprecated.
Commit: a793bce969429c4c7993e6a5f96e6f36f06b1489
https://github.com/wesnoth/wesnoth/commit/a793bce969429c4c7993e6a5f96e6f36f06b1489
Author: Jyrki Vesterinen <sandgtx at gmail.com>
Date: 2018-07-28 (Sat, 28 Jul 2018)
Changed paths:
M run_wml_tests
M wml_test_schedule
Log Message:
-----------
WML unit tests: disable strict mode for the first CVE-2018-1999023 test

The test calls a deprecated function (on purpose) and thus will always log
an error.
Compare: https://github.com/wesnoth/wesnoth/compare/abb754cd8bee...a793bce96942
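
The text-only loading that these commits describe can be sketched in plain Lua. This is an added example, not Wesnoth's code: `safe_loadstring` is a hypothetical name, and the sketch assumes Lua 5.2 or later, where `load()` accepts a mode argument.

```lua
-- Added illustration; safe_loadstring is a hypothetical name, not Wesnoth's code.
-- Assumes Lua 5.2 or later, where load() accepts a mode argument.

local BINARY_SIGNATURE = "\27Lua" -- first bytes of every precompiled chunk

-- Text-only replacement for the deprecated loadstring().
local function safe_loadstring(chunk, chunkname)
  if type(chunk) ~= "string" then
    return nil, "chunk must be a string"
  end
  -- Explicit check so the refusal does not depend on load()'s error text.
  if chunk:sub(1, #BINARY_SIGNATURE) == BINARY_SIGNATURE then
    return nil, "loading Lua bytecode is not allowed"
  end
  -- Mode "t" makes load() itself refuse binary chunks as a second layer.
  return load(chunk, chunkname or "=(loadstring)", "t")
end

-- Regression check in the spirit of the unit test described above
-- (constructed sample input: a trivial chunk dumped to bytecode).
local source = "return 1 + 1"
local bytecode = string.dump(assert(load(source, "=sample", "t")))

local from_text = assert(safe_loadstring(source))
assert(from_text() == 2, "text chunk must still load and run")

local from_binary, err = safe_loadstring(bytecode)
assert(from_binary == nil, "bytecode chunk must be rejected")
print("bytecode rejected: " .. err)

-- load() with mode "t" also refuses the same bytes on its own.
assert(load(bytecode, "=sample", "t") == nil)
```

Any loader left reachable without the mode restriction, including a compatibility `loadstring()`, accepts the same bytecode that this wrapper refuses, which is why the regression test exercises both entry points.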