Bug 1202423 - (CVE-2022-35978) VUL-0: CVE-2022-35978: minetest: Mod scripts can escape sandbox in single player
(CVE-2022-35978)
VUL-0: CVE-2022-35978: minetest: Mod scripts can escape sandbox in single player
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.4
Other Other
: P3 - Medium : Minor (vote)
: ---
Assigned To: Dmitriy Perlow
Security Team bot
https://smash.suse.de/issue/339900/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-08-16 08:46 UTC by Hu
Modified: 2022-08-22 16:40 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hu 2022-08-16 08:46:40 UTC
CVE-2022-35978

Minetest is a free open-source voxel game engine with easy modding and game
creation. In **single player**, a mod can set a global setting that controls the
Lua script loaded to display the main menu. The script is then loaded as soon as
the game session is exited. The Lua environment the menu runs in is not
sandboxed and can directly interfere with the user's system. There are currently
no known workarounds.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35978
https://github.com/minetest/minetest/commit/da71e86633d0b27cd02d7aac9fdac625d141ca13
https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc
https://dev.minetest.net/Changelog#5.5.0_.E2.86.92_5.6.0
Comment 1 Hu 2022-08-16 08:48:01 UTC
Affected:
- openSUSE:Backports:SLE-15-SP3/minetest  5.2.0
- openSUSE:Backports:SLE-15-SP4/minetest  5.4.1
- openSUSE:Factory/minetest               5.5.1
Comment 2 Simon Vogl 2022-08-16 14:20:25 UTC
Unfortunately I'm currently on vacation and can't fix the issue right now - once I'm back in about 8 days I'll try to update Minetest to 5.6.0 in TW ASAP. I have zero experience when it comes to packaging for Leap so the patch backport might take a lot longer / I might not be able to do that at all.

For now I'd advise all users to switch to the Flatpak version of minetest until the issue is resolved.
Comment 3 OBSbugzilla Bot 2022-08-22 16:40:08 UTC
This is an autogenerated message for OBS integration:
This bug (1202423) was mentioned in
https://build.opensuse.org/request/show/998676 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / minetest