oss-sec mailing list archives

Re: CVE request: Wesnoth authentication information disclosure


From: cve-assign () mitre org
Date: Thu, 25 Jun 2015 07:46:15 -0400 (EDT)

the function did not explicitly disallow files with the .pbl
extension. The contents of these files could thus be stored in saved game
files or even transmitted directly to other users in a networked game. Among
the information that's compromised is a user-defined passphrase used to
authenticate uploads to the game's content server.

 * Original fix for lowercase extensions only:
   https://github.com/wesnoth/wesnoth/commit/f8914468182e8d0a1551b430c0879ba236fe4d6d

Use CVE-2015-5069 for the vulnerability in versions before 1.12.3 that
allowed access upon supplying a pathname ending in .pbl (lowercase).


 * More general, correct fix:
   https://github.com/wesnoth/wesnoth/commit/b2738ffb2fdd2550ececb74f76f75583c43c8b59

Use CVE-2015-5070 for the vulnerability in versions 1.12.3 and earlier
that allowed access upon supplying a pathname ending with a mixed-case
or uppercase .pbl.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
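The difference between the two assignments above, as an added C++ illustration (not Wesnoth's code and not part of the original message): a check that refuses only a lowercase .pbl suffix beside one that refuses any casing. Function names and sample pathnames are hypothetical and constructed for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Exact, case-sensitive suffix match.
static bool ends_with_exact(const std::string& path, const std::string& suffix) {
    return path.size() >= suffix.size() &&
           std::equal(suffix.rbegin(), suffix.rend(), path.rbegin());
}

// ASCII case-insensitive suffix match.
static bool ends_with_icase(const std::string& path, const std::string& suffix) {
    if (path.size() < suffix.size()) return false;
    return std::equal(suffix.rbegin(), suffix.rend(), path.rbegin(),
                      [](unsigned char a, unsigned char b) {
                          return std::tolower(a) == std::tolower(b);
                      });
}

// Hypothetical check shaped like the lowercase-only fix (CVE-2015-5070 remains):
// "_server.PBL" still passes, and a filesystem that ignores case will open
// the same file as "_server.pbl".
bool is_blocked_lowercase_only(const std::string& path) {
    return ends_with_exact(path, ".pbl");
}

// Hypothetical check shaped like the general fix: any casing of ".pbl" is refused.
bool is_blocked_any_case(const std::string& path) {
    return ends_with_icase(path, ".pbl");
}

// Constructed sample pathnames, not taken from the advisory.
const std::vector<std::string> kSamples = {
    "data/add-ons/x/_server.pbl", "data/add-ons/x/_server.PBL",
    "data/add-ons/x/_server.Pbl", "data/add-ons/x/_main.cfg", "pbl"};

// Counts how many sample pathnames a given check refuses.
std::size_t count_blocked(bool (*check)(const std::string&)) {
    std::size_t n = 0;
    for (const auto& p : kSamples) {
        if (check(p)) ++n;
    }
    return n;
}
```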

