Arch Linux Security Advisory ASA-201807-15
==========================================

Severity: High
Date    : 2018-07-25
CVE-ID  : CVE-2018-1999023
Package : wesnoth
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-741

Summary
=======

The package wesnoth before version 1.14.4-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 1.14.4-1.

# pacman -Syu "wesnoth>=1.14.4-1"

The problem has been fixed upstream in version 1.14.4.

Workaround
==========

None.

Description
===========

A vulnerability within the Lua scripting language engine of "The Battle
for Wesnoth" allows escaping the existing sandbox measures and executing
untrusted bytecode, resulting in arbitrary code execution.

Impact
======

A remote attacker is able to execute arbitrary code when a user
downloads game content in a multiplayer game or via a player content
distribution server.

References
==========

https://marc.info/?l=oss-security&m=153227302330837&w=2
http://www.openwall.com/lists/oss-security/2018/07/20/1
https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fe...
https://security.archlinux.org/CVE-2018-1999023
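
The Description names untrusted Lua bytecode as the way out of the sandbox. The following is an added example, not part of the advisory and not the upstream patch: a general hardening for an embedded Lua sandbox that refuses precompiled chunks before they reach the loader. It assumes Lua 5.2 or later (where load takes a mode argument); safe_load, read_chunk and the sample chunks are hypothetical names constructed for illustration.

```lua
-- Added example: a sandboxed replacement for load() that refuses binary chunks.
-- safe_load and read_chunk are hypothetical names, not Wesnoth's API.

local BYTECODE_SIGNATURE = "\27Lua"  -- first bytes of every precompiled Lua chunk

-- Collect a chunk given as a string or as a reader function into one string,
-- so the signature check sees the same bytes the compiler will see.
local function read_chunk(chunk)
  if type(chunk) == "string" then return chunk end
  if type(chunk) ~= "function" then
    return nil, "chunk must be a string or a reader function"
  end
  local pieces = {}
  while true do
    local piece = chunk()
    if piece == nil or piece == "" then break end
    if type(piece) ~= "string" then return nil, "reader must return strings" end
    pieces[#pieces + 1] = piece
  end
  return table.concat(pieces)
end

local function safe_load(chunk, chunkname, env)
  local source, err = read_chunk(chunk)
  if not source then return nil, err end
  if source:sub(1, #BYTECODE_SIGNATURE) == BYTECODE_SIGNATURE then
    return nil, "binary chunks are not allowed"
  end
  -- Mode "t" makes the Lua core itself reject anything that is not source text.
  -- The default environment is an empty table, so the chunk sees no globals.
  return load(source, chunkname or "=(sandbox)", "t", env or {})
end

-- Constructed samples: one text chunk and the same chunk precompiled.
local text = "return 1 + 1"
local binary = string.dump(load(text))

local f = assert(safe_load(text))
assert(f() == 2)                        -- source text still loads and runs

local g, msg = safe_load(binary)
assert(g == nil)                        -- precompiled chunk is refused
print(msg)

-- Same bytecode delivered piecewise through a reader function.
local parts, i = { binary:sub(1, 2), binary:sub(3) }, 0
assert(safe_load(function() i = i + 1; return parts[i] end) == nil)
```

The sandbox must also withhold the stock load and string.dump from untrusted code, otherwise the wrapper can be bypassed.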