Hello all,
openmw uses unshield to extract the original data files. Recently a security vulnerability has been found in unshield (CVE-2015-1386). There isn't any sanitization of '../' from filenames, so it is susceptible to path traversal attacks. You can imagine someone creating fake (or pirated) game content, or compromising Steam or some other distribution site, and replacing the real content with malicious code that exploits this vulnerability by placing malicious code anywhere on your file system.
Good news is the fix seems easy; I just won't have time to write and test a patch. The author points out the relevant part of the code, and I proposed a strategy to fix it here:
https://github.com/twogood/unshield/issues/42
and it is issue number 42, so you know this is important!
-maq
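The kind of check whose absence the post above describes, as an added example that is not part of the original thread and is neither unshield's code nor its actual fix. The function names, the treatment of `\` as a separator, and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if an archive member name can only resolve below the output
 * directory, 0 otherwise. Lexical check only: symlinks are not followed. */
static int is_safe_member_path(const char *name)
{
    const char *p = name;
    if (name == NULL || *name == '\0')
        return 0;
    /* Absolute ("/x", "\x") or drive-qualified ("C:\x") names. */
    if (*name == '/' || *name == '\\' || name[1] == ':')
        return 0;
    while (*p != '\0') {
        /* Assumption: names may use '\\' as a separator, so check both. */
        size_t len = strcspn(p, "/\\");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;           /* ".." component climbs out of the tree */
        p += len;
        if (*p != '\0')
            p++;                /* skip the separator */
    }
    return 1;
}

/* Write "<outdir>/<name>" to out only when the name is safe.
 * Returns 0 on success, -1 if rejected or the buffer is too small. */
static int build_output_path(const char *outdir, const char *name,
                             char *out, size_t outsz)
{
    int n;
    if (!is_safe_member_path(name))
        return -1;
    n = snprintf(out, outsz, "%s/%s", outdir, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from any real archive. */
    const char *samples[] = { "Data Files/sample.esm", "../../.bashrc",
                              "Data\\..\\..\\x", "/etc/passwd", "a..b/c" };
    char buf[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               build_output_path("out", samples[i], buf, sizeof buf) == 0
                   ? buf : "REJECTED");
    return 0;
}
```

Rejecting a suspicious name outright, rather than stripping `../` and continuing, avoids leftovers such as `....//` collapsing back into `../` after a single pass.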
Security vulnerability in Unshield
Last edited by Jyby on 28 Dec 2016, 22:23, edited 1 time in total.
Reason: Renamed inaccurate topic subject
Re: Hackers wanted to (indirectly) help out openmw security
Ace, does this seem like something we should take action on?
- psi29a
- Posts: 5357
- Joined: 29 Sep 2011, 10:13
- Location: Belgium
- Gitlab profile: https://gitlab.com/psi29a/
- Contact:
Re: Hackers wanted to (indirectly) help out openmw security
Well if unshield gets punted from Debian/Ubuntu, then we'll be without our openmw-wizard on those systems.
Re: Hackers wanted to (indirectly) help out openmw security
Oh shoot, I confused this for a Windows issue.
- psi29a
Re: Hackers wanted to (indirectly) help out openmw security
It's an every OS problem.
Re: Hackers wanted to (indirectly) help out openmw security
I think it's actually an every-OS-but-Windows problem; I don't think the current OpenMW builds can use unshield on Windows.
Not that you really need to.
Re: Hackers wanted to (indirectly) help out openmw security
Ace, I'm in favor of allowing the use of unshield on Windows. I don't want ancient DirectX packages clogging up my system, etc. I think the openmw installer is faster and nicer, and being open source is something we can more confidently support.
Re: Hackers wanted to (indirectly) help out openmw security
Nobody's really bothered to get the unshield code to run on Windows, because it's sort of made redundant due to the ability to actually run the real installer.
Can't say that I'd enjoy putting up a second full MSYS build environment just to be able to make builds with it either. Though if I can find some pre-built binary libs then maybe I'd be okay with it.
Either way, someone would need to actually sit down and make it work first.
- psi29a
Re: Security vulnerability in Unshield
Fixed upstream and now available in Debian.
Re: Security vulnerability in Unshield
macOS dependencies repository has been updated: https://github.com/OpenMW/openmw-deps-m ... 8db71e6970