Fixed security issue
We recently fixed a potential security issue in Widelands. The issue affects Build15 and all development snapshots older than bzr revision 5875.
If you use one of those versions, we advise you to either update to a development version newer than bzr 5874 or to at least stay away from game servers hosted by users you do not know.
So far nobody has misused this issue, and the risk that someone will seems small. However, as with all security problems in any program: "Better take the safe way!"
We are working towards a speedy release of Build16-rc1 - that RC release will contain the fix as well.
What exactly is the problem?
It would theoretically be possible for someone to modify their own game server to abuse the saved game/map transfer functionality of Widelands in order to replace files on the systems of the users that connect to that game server. The Widelands client trusts the path that is sent by the server, so any file on the client system that is writable by the user who started Widelands could be overwritten if a malicious server sends a file path like /home/username/.bashrc.
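To make the missing check concrete, here is an added example (not Widelands code and not the actual fix in bzr 5875) of how a client can confine a server-supplied file name to its own transfer directory before writing. The function name, the allowed subdirectories "maps" and "save", the 255-byte limit and the sample file names are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper: accept a server-sent relative path only if it stays
// below base_dir. On success returns true and stores the joined path in out.
bool confine_transfer_path(const std::string& base_dir,
                           const std::string& server_path,
                           std::string& out) {
    if (server_path.empty() || server_path.size() > 255) return false;
    // Absolute paths such as /home/username/.bashrc are never acceptable.
    if (server_path[0] == '/') return false;
    // Reject Windows separators, drive letters (C:) and control bytes incl. NUL.
    for (std::string::size_type i = 0; i < server_path.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(server_path[i]);
        if (c == '\\' || c == ':' || c < 0x20) return false;
    }
    // Split on '/' and reject empty components and anything starting with '.',
    // which covers ".", ".." and hidden files.
    std::vector<std::string> parts;
    std::string::size_type start = 0;
    for (;;) {
        std::string::size_type end = server_path.find('/', start);
        std::string part = (end == std::string::npos)
                               ? server_path.substr(start)
                               : server_path.substr(start, end - start);
        if (part.empty() || part[0] == '.') return false;
        parts.push_back(part);
        if (end == std::string::npos) break;
        start = end + 1;
    }
    // Assumed policy: transfers may only land in maps/ or save/.
    if (parts.size() < 2 || (parts[0] != "maps" && parts[0] != "save")) return false;
    std::string joined = base_dir;
    for (std::vector<std::string>::size_type i = 0; i < parts.size(); ++i)
        joined += "/" + parts[i];
    out = joined;
    return true;
}

int main() {
    // Constructed sample inputs, as a server might send them.
    const char* samples[] = {"maps/Islands.wmf", "/home/username/.bashrc",
                             "maps/../../.bashrc", "save/game1.wgf"};
    for (int i = 0; i < 4; ++i) {
        std::string out;
        bool ok = confine_transfer_path("/tmp/wl-transfer", samples[i], out);
        std::cout << samples[i] << " -> " << (ok ? out : "REJECTED") << "\n";
    }
    return 0;
}
```

The check is purely lexical, so it does not detect a symbolic link that already exists inside the transfer directory and points elsewhere.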
What can I do to be safe?
As mentioned, updating is a good idea. Build 16 will contain the fix. If you're stuck with Build 15, only join games of people you trust. If you are only playing single player, you are safe as well.
We apologize for any inconvenience.
Posted by Nasenbaer on 2011-03-15, 20:56