Bug 1202423 (CVE-2022-35978)

Summary: VUL-0: CVE-2022-35978: minetest: Mod scripts can escape sandbox in single player
Product: [openSUSE] openSUSE Distribution Reporter: Hu <cathy.hu>
Component: SecurityAssignee: Dmitriy Perlow <dap.darkness>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: christophe, jsegitz, opensuse, rpm, simon.vogl
Version: Leap 15.4   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/339900/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Hu 2022-08-16 08:46:40 UTC
CVE-2022-35978

Minetest is a free open-source voxel game engine with easy modding and game
creation. In **single player**, a mod can set a global setting that controls the
Lua script loaded to display the main menu. The script is then loaded as soon as
the game session is exited. The Lua environment the menu runs in is not
sandboxed and can directly interfere with the user's system. There are currently
no known workarounds.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35978
https://github.com/minetest/minetest/commit/da71e86633d0b27cd02d7aac9fdac625d141ca13
https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc
https://dev.minetest.net/Changelog#5.5.0_.E2.86.92_5.6.0
Comment 1 Hu 2022-08-16 08:48:01 UTC
Affected:
- openSUSE:Backports:SLE-15-SP3/minetest  5.2.0
- openSUSE:Backports:SLE-15-SP4/minetest  5.4.1
- openSUSE:Factory/minetest               5.5.1
Comment 2 Simon Vogl 2022-08-16 14:20:25 UTC
Unfortunately I'm currently on vacation and can't fix the issue right now - once I'm back in about 8 days I'll try to update Minetest to 5.6.0 in TW ASAP. I have zero experience when it comes to packaging for Leap so the patch backport might take a lot longer / I might not be able to do that at all.

For now I'd advise all users to switch to the Flatpak version of minetest until the issue is resolved.
Comment 3 OBSbugzilla Bot 2022-08-22 16:40:08 UTC
This is an autogenerated message for OBS integration:
This bug (1202423) was mentioned in
https://build.opensuse.org/request/show/998676 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / minetest
Comment 4 Swamp Workflow Management 2023-01-03 14:20:48 UTC
openSUSE-SU-2023:0001-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1181400,1193141,1202423
CVE References: CVE-2022-35978
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    minetest-5.6.0-bp154.2.3.5
openSUSE Backports SLE-15-SP3 (src):    minetest-5.6.0-bp153.2.3.1