Bug#1004223: minetest-server: ItemStack meta injection vulnerability in Minetest 5.3
Nils Dagsson Moskopp
nils+debian-reportbug at dieweltistgarnichtso.net
Sun Jan 23 02:46:24 GMT 2022
Package: minetest-server
Version: 5.3.0+repack-2.1
Severity: grave
Tags: patch security
Justification: user security hole
X-Debbugs-Cc: nils+debian-reportbug at dieweltistgarnichtso.net, Debian Security Team <team at security.debian.org>
Dear Maintainer,
Minetest 5.3 contains a serious security issue by default.
The ItemStack meta is not sanitized properly by the server.
Is is therefore possible for clients to inject ItemStack meta.
It might be possible to backdoor the server by injecting Lua.
Computers running Minetest 5.3 are vulnerable to this exploit.
The following patch, part of Minetest 5.4, fixes the problem:
https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae
Greetings,
Nils Moskopp
-- System Information:
Debian Release: 11.2
APT prefers oldoldstable
APT policy: (500, 'oldoldstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 4.19.0-6-686 (SMP w/2 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages minetest-server depends on:
ii adduser 3.118
ii init-system-helpers 1.60
ii libc6 2.31-13+deb11u2
ii libcurl3-gnutls 7.74.0-1.3+deb11u1
ii libgcc-s1 10.2.1-6
ii libgmp10 2:6.2.1+dfsg-1+deb11u1
ii libjsoncpp24 1.9.4-4
ii libleveldb1d 1.22-3
ii libluajit-5.1-2 2.1.0~beta3+dfsg-5.3
ii libncursesw6 6.2+20201114-2
ii libpq5 13.5-0+deb11u1
ii libspatialindex6 1.9.3-2
ii libsqlite3-0 3.34.1-3
ii libstdc++6 10.2.1-6
ii libtinfo6 6.2+20201114-2
ii lsb-base 11.1.0
ii minetest-data 5.3.0+repack-2.1
ii zlib1g 1:1.2.11.dfsg-2
minetest-server recommends no packages.
minetest-server suggests no packages.
-- no debconf information
More information about the Pkg-games-devel
mailing list