Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file.
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Link | Tags |
---|---|
https://dpmendenhall.blogspot.com/2020/03/dungeon-crawl-stone-soup.html | third party advisory patch |
https://github.com/crawl/crawl/commit/768f60da87a3fa0b5561da5ade9309577c176d04 | third party advisory patch |
https://github.com/crawl/crawl/commit/fc522ff6eb1bbb85e3de60c60a45762571e48c28 | third party advisory patch |
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00037.html | vendor advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNXK7QE7EA7XSDDNOWX2A6MJNWOIYCTC/ | vendor advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QLPN635S7J3MUXLIHYK6MDAHEIASFYP/ | vendor advisory |