FreeBSD : wesnoth -- disclosure of .pbl files with lowercase, uppercase, and mixed-case extension (2a8b7d21-1ecc-11e5-a4a5-002590263bf5)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Ignacio R. Morelle reports :

As mentioned in the Wesnoth 1.12.4 and Wesnoth 1.13.1 release
announcements, a security vulnerability targeting add-on authors was
found (bug #23504) which allowed a malicious user to obtain add-on
server passphrases from the client's .pbl files and transmit them over
the network, or store them in saved game files intended to be shared
by the victim. This vulnerability affects all existing releases up to
and including versions 1.12.2 and 1.13.0. Additionally, version 1.12.3
included only a partial fix that failed to guard users against
attempts to read from .pbl files with an uppercase or mixed-case
extension. CVE-2015-5069 and CVE-2015-5070 have been assigned to the
vulnerability affecting .pbl files with a lowercase extension, and
.pbl files with an uppercase or mixed-case extension, respectively.

See also :

http://forums.wesnoth.org/viewtopic.php?t=42776
http://forums.wesnoth.org/viewtopic.php?t=42775
http://www.nessus.org/u?a1867410

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 84483 ()

Bugtraq ID:

CVE ID: CVE-2015-5069
CVE-2015-5070

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now