Security vulnerability in Unshield

Everything about development and the OpenMW source code.
Post Reply
maqifrnswa
Posts: 179
Joined: 14 Jan 2013, 03:57

Security vulnerability in Unshield

Post by maqifrnswa » 05 Oct 2016, 14:41

Hello all,

openmw uses unshield to extract the original data files, recently a security vulnerability has been found in unshield (CVE-2015-1386). There isn't any sanitation of '../' from filenames, so it is susceptible to path traversal attacks. You can imagine someone creating fake (or pirated) game content, or compromising steam or some other distribution site, and replacing the real content with malicious code that exploits this vulnerability by placing malicious code anywhere on your file system.

Good news is the fix seems easy, I just won't have time to write and test a patch. The author points out the part of relevant code, and I proposed a strategy to fix it here:
https://github.com/twogood/unshield/issues/42

and it is issue number 42, so you know this is important!

-maq
Last edited by Jyby on 28 Dec 2016, 22:23, edited 1 time in total.
Reason: Renamed inaccurate topic subject

User avatar
raevol
Posts: 2743
Joined: 07 Aug 2011, 01:12
Location: Caldera

Re: Hackers wanted to (indirectly) help out openmw security

Post by raevol » 06 Oct 2016, 08:08

Ace, does this seem like something we should take action on?

User avatar
psi29a
Posts: 4077
Joined: 29 Sep 2011, 10:13
Github profile: https://github.com/psi29a/
Contact:

Re: Hackers wanted to (indirectly) help out openmw security

Post by psi29a » 06 Oct 2016, 08:11

Well if unshield gets punted from Debian/Ubuntu, then we'll be without our openmw-wizard on those systems.

User avatar
raevol
Posts: 2743
Joined: 07 Aug 2011, 01:12
Location: Caldera

Re: Hackers wanted to (indirectly) help out openmw security

Post by raevol » 06 Oct 2016, 08:12

Oh shoot, I confused this for a Windows issue.

User avatar
psi29a
Posts: 4077
Joined: 29 Sep 2011, 10:13
Github profile: https://github.com/psi29a/
Contact:

Re: Hackers wanted to (indirectly) help out openmw security

Post by psi29a » 06 Oct 2016, 08:27

It's an every OS problem. ;)

User avatar
Ace (SWE)
Posts: 794
Joined: 15 Aug 2011, 14:56

Re: Hackers wanted to (indirectly) help out openmw security

Post by Ace (SWE) » 08 Oct 2016, 10:15

I think it's actually an every OS but Windows problem, don't think the current OpenMW builds can use unshield on Windows.
Not that you really need to.

nwah
Posts: 40
Joined: 21 Nov 2013, 07:40

Re: Hackers wanted to (indirectly) help out openmw security

Post by nwah » 16 Dec 2016, 01:46

Ace, I'm in favor of allowing the use of unshield on Windows. I don't want ancient DirectX packages clogging up my system, etc. I think the openmw installer is faster and nicer, and being open source is something we can more confidently support.

User avatar
Ace (SWE)
Posts: 794
Joined: 15 Aug 2011, 14:56

Re: Hackers wanted to (indirectly) help out openmw security

Post by Ace (SWE) » 28 Dec 2016, 20:31

Nobody's really bothered to get the unshield code to run on Windows, because it's sort of made redundant due to the ability to actually run the real installer.
Can't say that I'd enjoy putting up a second full MSYS build environment just to be able to make builds with it either. Though if I can find some pre-built binary libs then maybe I'd be okay with it.

Either way, someone would need to actually sit down and make it work first.

User avatar
psi29a
Posts: 4077
Joined: 29 Sep 2011, 10:13
Github profile: https://github.com/psi29a/
Contact:

Re: Security vulnerability in Unshield

Post by psi29a » 28 Dec 2016, 22:59

Fixed upstream and now available in Debian.

corristo
Posts: 485
Joined: 12 Aug 2011, 08:29

Re: Security vulnerability in Unshield

Post by corristo » 14 Jan 2017, 14:04

macOS dependencies repository has been updated: https://github.com/OpenMW/openmw-deps-m ... 8db71e6970

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest