
data: URIs on addon server are a potential security risk #4054

Open
spixi opened this issue Apr 28, 2019 · 5 comments

@spixi
Contributor

commented Apr 28, 2019

The addon server allows data: URIs for images. This may be a potential security risk. For example, when a user has a vulnerable version of libpng, an attacker can execute arbitrary code on the remote machine just when the user opens the add-on menu (he does not even have to download an add-on). (libpng had some major vulnerabilities in the past, notably CVE-2014-9495 and CVE-2015-8540.) Sure, other applications like web browsers have the same problem.

My suggestion is that the upload server does a plausibility check with pngcheck and refuses the upload if the URI is a malformed PNG file.
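As an added illustration of the check proposed above (not Wesnoth's add-on server code, and a pure-Python structural check standing in for a pngcheck invocation): the upload side parses the data: URI, base64-decodes it, and rejects anything whose PNG signature, chunk lengths, chunk order or chunk CRCs are inconsistent, before the bytes ever reach libpng. The sample PNGs are constructed inline.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
DATA_URI_RE = re.compile(r"^data:image/png;base64,(.*)$", re.DOTALL)


def validate_png_data_uri(uri: str) -> tuple[bool, str]:
    """Return (accepted, reason). Accepts only a base64 image/png data: URI whose
    payload has the PNG signature, IHDR first, IEND last, every chunk inside the
    buffer and every chunk CRC correct; anything else is rejected before decode."""
    m = DATA_URI_RE.match(uri)
    if not m:
        return False, "not a base64 image/png data: URI"
    try:
        data = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"bad base64: {exc}"
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos, first = len(PNG_SIGNATURE), True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # length field + type + payload + CRC
        if end > len(data):
            return False, f"chunk {ctype!r} length runs past end of data"
        if first and (ctype != b"IHDR" or length != 13):
            return False, "first chunk must be a 13-byte IHDR"
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(data[pos + 4:end - 4]) != stored_crc:  # CRC covers type + payload
            return False, f"CRC mismatch in chunk {ctype!r}"
        if ctype == b"IEND":
            return (True, "ok") if end == len(data) else (False, "data after IEND")
        pos, first = end, False
    return False, "no IEND chunk (truncated)"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed sample: a valid 1x1 8-bit grayscale PNG (one filter byte + one pixel).
GOOD_PNG = (PNG_SIGNATURE + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
GOOD_URI = "data:image/png;base64," + base64.b64encode(GOOD_PNG).decode()
# Constructed malformed sample: the IHDR length field claims far more bytes than exist.
BAD_PNG = PNG_SIGNATURE + struct.pack(">I", 0xFFFF) + GOOD_PNG[12:]
BAD_URI = "data:image/png;base64," + base64.b64encode(BAD_PNG).decode()
```

A structural check like this catches truncated, oversized or CRC-inconsistent chunks; it does not replace keeping the client's libpng patched, since a well-formed PNG can still exercise a decoder bug.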

@Wedge009 Wedge009 added the Add-ons label Apr 29, 2019

@Wedge009

Member

commented Apr 29, 2019

Looks like the Steam version (as well as the wesnoth.org version, I assume) uses an old libpng 1.5.x. Wonder why - I use 1.6.x in my own builds just fine.

@spixi

Contributor Author

commented Apr 29, 2019

My wesnoth is compiled against SDL2 Image 2.0.1, which requires libpng >= 1.6.10. I wonder where 1.5.x is used.

@Wedge009

Member

commented Apr 29, 2019

I was looking at the Steam Windows binaries and there's a libpng15-15.dll. Same for the stand-alone Windows installer, both 1.14.7. Maybe have to ask the package maintainers what's going on.

@spixi

Contributor Author

commented Apr 30, 2019

libpng 1.5.26 is not vulnerable, but 1.5.15 is.

@Wedge009

Member

commented Apr 30, 2019

I don't know what the actual version is - the file name does not necessarily indicate 1.5.15. The naming convention for 1.6.x is the same: libpng16-16.dll.

@sevu sevu added the Packaging label May 7, 2019
