[wesnoth-commits] [wesnoth/wesnoth] aa73b8: Extend the first CVE-2018-1999023 unit test to als...

GitHub noreply at github.com
Sat Jul 28 05:19:27 UTC 2018


  Branch: refs/heads/master
  Home:   https://github.com/wesnoth/wesnoth
  Commit: aa73b836009ca98cade2d0dfca6b99cbf8d19e76
      https://github.com/wesnoth/wesnoth/commit/aa73b836009ca98cade2d0dfca6b99cbf8d19e76
  Author: Jyrki Vesterinen <sandgtx at gmail.com>
  Date:   2018-07-28 (Sat, 28 Jul 2018)

  Changed paths:
    M data/test/scenarios/test_cve_2018_1999023.cfg

  Log Message:
  -----------
  Extend the first CVE-2018-1999023 unit test to also try loadstring()

Like @gfgtdf pointed out, loadstring() is still supported by Lua in the
name of backwards compatibility, even though it was deprecated in Lua 5.2
and is no longer mentioned in the Lua manual. Thus, as of committing this, it's
actually possible to load Lua bytecode.

Let's unit test this to ensure that we don't reintroduce this
vulnerability.


  Commit: 6450bada57f95af55c490f9d7601ef5e073cdaf1
      https://github.com/wesnoth/wesnoth/commit/6450bada57f95af55c490f9d7601ef5e073cdaf1
  Author: Jyrki Vesterinen <sandgtx at gmail.com>
  Date:   2018-07-28 (Sat, 28 Jul 2018)

  Changed paths:
    M src/scripting/lua_kernel_base.cpp

  Log Message:
  -----------
  Lua: delete loadstring()

Fixes the vulnerability introduced in commit 52ae31efb21b31f5bb0763d1da24709e90393c59.


  Commit: 74d8cfa98e0f61ee22a536fc06c2019c9c89aede
      https://github.com/wesnoth/wesnoth/commit/74d8cfa98e0f61ee22a536fc06c2019c9c89aede
  Author: Jyrki Vesterinen <sandgtx at gmail.com>
  Date:   2018-07-28 (Sat, 28 Jul 2018)

  Changed paths:
    M run_wml_tests

  Log Message:
  -----------
  WML unit tests: port ability to override strict mode from 1.14

The ability isn't needed in master because none of the unit tests call
deprecated functions here, but it may be useful in the future or make
cherry-picking of future changes easier.


Compare: https://github.com/wesnoth/wesnoth/compare/d13c451afb54...74d8cfa98e0f