Package: wesnoth-1.12 / 1:1.12.6-1+deb9u1

Author: gfgtdf	vim:ft=diff:
Description: disallow loading lua bytecode via load/dofile (CVE-2018-1999023)
Origin: upstream, https://github.com/wesnoth/wesnoth/commit/d911268

--- a/src/ai/lua/core.cpp
+++ b/src/ai/lua/core.cpp
@@ -913,7 +913,7 @@
 
 lua_ai_context* lua_ai_context::create(lua_State *L, char const *code, ai::engine_lua *engine)
 {
-	int res_ai = luaL_loadstring(L, code);//stack size is now 1 [ -1: ai_context]
+	int res_ai = luaL_loadbufferx(L, code, strlen(code), /*name*/ code, "t"); // [-1: AI code]
 	if (res_ai)
 	{
 
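Review bot: The new luaL_loadbufferx call on the `+` line gives no hint why the mode is `"t"` instead of the default, and the same applies to the second core.cpp hunk (@@ -943) and the lua.cpp hunk (@@ -1052), whereas the hunk at @@ -4239 does carry an explanation. A one-line comment above each call, e.g. `// "t": accept text chunks only; Lua does not verify precompiled bytecode, so it could escape the sandbox (CVE-2018-1999023)`, keeps the reason attached to the code. Passing `code` as the chunk name as well as the source matches what luaL_loadstring did internally, so error messages are unchanged, but the call now depends on `strlen` (`<cstring>`) being in scope in this file, which the hunk does not show. lua_ai_context::create continues outside the hunk.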
@@ -943,7 +943,7 @@
 
 lua_ai_action_handler* lua_ai_action_handler::create(lua_State *L, char const *code, lua_ai_context &context)
 {
-	int res = luaL_loadstring(L, code);//stack size is now 1 [ -1: f]
+	int res = luaL_loadbufferx(L, code, strlen(code), /*name*/ code, "t");//stack size is now 1 [ -1: f]
 	if (res)
 	{
 		char const *m = lua_tostring(L, -1);
--- a/src/lua/lbaselib.cpp
+++ b/src/lua/lbaselib.cpp
@@ -310,16 +310,17 @@
   size_t l;
   const char *s = lua_tolstring(L, 1, &l);
   const char *mode = luaL_optstring(L, 3, "bt");
+  (void) mode;
   int env = (!lua_isnone(L, 4) ? 4 : 0);  /* 'env' index or 0 if no 'env' */
   if (s != NULL) {  /* loading a string? */
     const char *chunkname = luaL_optstring(L, 2, s);
-    status = luaL_loadbufferx(L, s, l, chunkname, mode);
+    status = luaL_loadbufferx(L, s, l, chunkname, "t");
   }
   else {  /* loading from a reader function */
     const char *chunkname = luaL_optstring(L, 2, "=(load)");
     luaL_checktype(L, 1, LUA_TFUNCTION);
     lua_settop(L, RESERVEDSLOT);  /* create reserved slot */
-    status = lua_load(L, generic_reader, NULL, chunkname, mode);
+    status = lua_load(L, generic_reader, NULL, chunkname, "t");
   }
   return load_aux(L, status, env);
 }
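Review bot: `mode` is still read from argument 3 and then discarded by the added `(void) mode;`, so a script that explicitly passes `"b"` or `"bt"` gets a text-only load with no indication that its request was overridden. Keeping the `luaL_optstring` call is the compatible choice, since it still type-checks argument 3, but the intent should be stated where the value is dropped, e.g. `(void) mode;  /* mode is ignored: bytecode loading is disabled for sandboxing (CVE-2018-1999023) */`. If an explicit `"b"` should instead be rejected, `luaL_argerror(L, 3, ...)` would surface that to the caller, though it would be a behaviour change for add-ons that pass `"bt"`. The enclosing function (presumably luaB_load) starts outside the hunk.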
--- a/src/scripting/lua.cpp
+++ b/src/scripting/lua.cpp
@@ -1052,7 +1052,7 @@
 		//lua uses '@' to know that this is a file (as opposed to a something as opposed to something loaded via loadstring )
 		std::string chunkname = '@' + fname;
 		LOG_LUA << "starting to read from " << fname << "\n";
-		return  lua_load(L, &lua_filestream::lua_read_data, &lfs, chunkname.c_str(), NULL);
+		return  lua_load(L, &lua_filestream::lua_read_data, &lfs, chunkname.c_str(), "t");
 	}
 private:
 	char buff_[LUAL_BUFFERSIZE];
@@ -4239,7 +4239,9 @@
 	lua_State *L = mState;
 
 	// Compile script into a variadic function.
-	int res = luaL_loadstring(L, prog);
+	// pass 't' to prevent loading bytecode which is unsafe and can be used to escape the sandbox.
+	// todo: maybe allow a 'name' parameter to give better error messages.
+	int res = luaL_loadbufferx(L, prog, strlen(prog), /*name*/ prog, "t");
 	if (res)
 	{
 		char const *m = lua_tostring(L, -1);