OSDN > Find Software > Freeciv > Ticket List/Search > Ticket #45299

Freeciv

Ticket #45299
Ticket List Submit New Ticket RSS

Vulnerability with crafted modpack URL

Open Date: 2022-08-05 06:22 Last Update: 2022-08-05 07:17

monitor

Reporter:

Owner:

Type:

Status:

Closed

Component:

Modpack Installer

MileStone:

Priority:

5 - Medium

Severity:

5 - Medium

Resolution:

Fixed

File:

2

Details

Included Modpack Installer utility in freeciv versions < 2.6.7, and < 3.0.3 in freeciv-3.0 series, has a vulnerability in how it handles modpack URLs. Bad things can happen if an attacker can persuade user to enter their specifically crafted URL to the modpack installer.

This vulnerability has been fixed in freeciv-2.6.7 and freeciv-3.0.3.

Also a patch applicable for some of the earlier releases is attached.

Ticket History (3/4 Histories)

2022-08-05 06:22 Updated by: cazfi

New Ticket "Vulnerability (placeholder ticket)" created

2022-08-05 07:16 Updated by: cazfi

File 0001-fcmp-Fix-vulnerability-with-crafted-modpack-URLs.patch (File ID: 10000) is attached

2022-08-05 07:17 Updated by: cazfi

File 0001-fcmp-Fix-vulnerability-with-crafted-modpack-URLs.patch (File ID: 10001) is attached

2022-08-05 07:17 Updated by: cazfi

Status Update from Open to Closed
Resolution Update from None to Fixed
Component Update from (None) to Modpack Installer
Details Updated
Summary Updated

Attachment File List

0001-fcmp-Fix-vulnerability-with-crafted-modpack-URLs.patch(1KB)
- master, S3_1
0001-fcmp-Fix-vulnerability-with-crafted-modpack-URLs.patch(1KB)
- S3_0, S2_6

Edit