FreeCol / freecol

FreeCol: FreeCol is a turn-based strategy game based on the old game Colonization, and similar to Civilization. The objective of the game is to create an independent nation.
GNU General Public License v2.0

no stable release made to mitigate security vulnerability #54

Closed vn971 closed 2 years ago

vn971 commented 4 years ago

Hi! Is it possible to please create a new release from the current master branch to mitigate the security vulnerability, or maybe branch out from the last stable release and make a bugfix update which OS distributions could pick?

Otherwise, I'm afraid most distros will not really switch to nightlies all of a sudden, and will continue shipping the insecure version (or remove it altogether).

vn971 commented 4 years ago

By security vulnerability I mean this commit: 8963506897e3270a75b062f28486934bcb79b1e3

And this official disclosure (blog post): a07644558f1bf1131bbc87864bab3da478ca1f70

wintertime commented 4 years ago

Hi, we discussed releasing 0.12.0 "soon" on the mailing list already, but we want to make sure it is in a decent shape before. As long as you only play local singleplayer on your computer with your own savegames the vulnerability most likely won't affect you: http://www.freecol.org/news/freecol-xxe-vulnerability-fixed.html If you want to be 100% safe, please, use the Nightly Release.

vn971 commented 4 years ago

@wintertime hi, thanks for the response. Is it a matter of days/hours, or weeks? In the latter case, a bugfix release would make sense?

// I tried to join IRC, but there was nobody really there. Didn't check the mail list...

wintertime commented 4 years ago

Sorry, I can't promise a date. I kind of wish we had a real release out to get distributions to update, too. The problem with a bugfix release is that the patch does not apply easily on 0.11.6, because too many changes happened in between.

vn971 commented 4 years ago

@wintertime is it really that hard to backport? Guessing by the commit https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3, it could be backported by simply replacing all usages of XMLInputFactory.newInstance();

Not a git cherry-pick for sure, but not really hard either (I can try providing a PR).
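As an added illustration (not FreeCol's code, and not the contents of the linked commit, which this thread does not show), this is the standard StAX hardening that a backport replacing bare `XMLInputFactory.newInstance()` calls would apply; the class name `SafeXmlInput` and the savegame-like element names are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public final class SafeXmlInput {

    /** Hardened replacement for a bare XMLInputFactory.newInstance() call. */
    public static XMLInputFactory newHardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Do not process DTDs at all: no entity declarations, no external subset.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Belt and braces: never resolve external general entities.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    /** Counts START_ELEMENT events; throws if the parser rejects the input. */
    public static int countElements(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        int count = 0;
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.START_ELEMENT) {
                    count++;
                }
            }
        } finally {
            reader.close();
        }
        return count;
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed, savegame-like document with no DTD: parses normally.
        String plain = "<savedGame><player name=\"p1\"/></savedGame>";
        System.out.println("plain: " + countElements(newHardenedFactory(), plain) + " elements");

        // Constructed document whose DTD declares an external entity. The hardened
        // factory never processes the DTD, so the entity reference cannot be resolved
        // and the reader throws instead of fetching anything.
        String withDtd = "<!DOCTYPE savedGame [<!ENTITY ext SYSTEM \"placeholder.dtd\">]>"
                       + "<savedGame>&ext;</savedGame>";
        try {
            countElements(newHardenedFactory(), withDtd);
            System.out.println("withDtd: unexpectedly accepted");
        } catch (XMLStreamException e) {
            System.out.println("withDtd: rejected (" + e.getMessage() + ")");
        }
    }
}
```

A backport would route every savegame and network XML read through `newHardenedFactory()` rather than constructing factories ad hoc, which is what makes "replace all usages" the whole of the change.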

wintertime commented 4 years ago

Mike said on the mailing list something like it might get useful if someone did a backport, but up till now no one has tried.

vn971 commented 4 years ago

This is a tricky situation though. You might go the ugly way and just push a 0.12 release advertising it as the proper bugfix. This might make slow distros like Debian or Ubuntu still upgrade freecol on them. On the other hand, I saw occasions where Debian or Ubuntu would simply not jump for a new version at all anyway, and the only way to land a bugfix on them is to actually create a bugfix-only release for them.

vn971 commented 4 years ago

Sigh, lemme check that mailing list... Can I access the past history via a web UI? I found here: http://www.freecol.org/contact.html that the address is "freecol developers" on the sourceforge list (intentionally not giving a direct quote to avoid spam). Just this address won't give me access to old discussion history, however...

vn971 commented 4 years ago

If the ML's past history is not accessible, I can maybe just still write that patch for 0.11.6 and just share it. Share here on github, or sourceforge, if I figure out its PR mechanism (I think I managed to understand it a few years ago).

wintertime commented 4 years ago

https://sourceforge.net/p/freecol/mailman/freecol-developers/ Some messages containing HTML tags don't look perfect, but everything is there.

vn971 commented 4 years ago

@wintertime thanks! Maybe this link can be added to the "contact.html" page, though that's another bug report / feature request of course... I'll see if it's easy to backport the bugfix.

vn971 commented 4 years ago

I've made a Pull Request with the security fix yesterday.

I couldn't dig through SourceForge's mailing list conveniently to make a reply on the same thread, but if anybody from the dev team can look at the PR, it'd be nice.

markusschaber commented 3 years ago

Any news on this? It's 1.5 years...

wintertime commented 3 years ago

I wish 0.12.0 was out, too. The newest info I know is from the mailing list (linked above) on 2021-05-30, that there is still the performance bug and broken trade route panel holding up the release.

markusschaber commented 3 years ago

Ok. Good luck, and thanks to the devs for their work!

vn971 commented 3 years ago

@wintertime if you have access to the mailing list, can't you ask to get the PR that I've written merged? I don't see any reasons on why not to make a "patch" (semver) release to just address a major security vulnerability.

mpope042 commented 3 years ago

I don't see any reasons on why not to make a "patch" (semver) release to just address a major security vulnerability.

It's not "major": hard to exploit, requires user action, no escalation path (user privilege only), still no evidence of use. There are way more severe security bugs out there in much more widely used software. That said if @wintertime wants to kick the release process feel free, I am buried until ~October.

wintertime commented 3 years ago

Hi @mpope042 ,

I could try to make some time, but there'd be a few problems with this:

mpope042 commented 3 years ago

On 29/08/2021, wintertime @.***> wrote:

I could try to make some time, but there'd be a few problems with this:

  • I do not have the access level on sourceforge that would allow me to make a release and am unfamiliar with the release process there.

Quite so. The release process is annoying, I did not intend anyone having to learn it unnecessarily. Hang in there folks, October is coming, and I will be back to FreeCol work.

  • The CI on github is still broken...

That was the bit I was hoping you could get working, as I know nothing about it. I thought it better to just get the nightlies running again first.

Cheers, Mike Pope

mpope042 commented 2 years ago

If anyone is still concerned by this minor issue, nightlies are good again and I cannot generate any enthusiasm for a 0.11.7 given the number of bugs fixed since then.

vn971 commented 2 years ago

I'm not actually playing FreeCol lately, but just FYI, many software distributions do not actually ship nightlies due to the convention of them by default being considered unstable. For example, 81 operating systems currently distribute freecol, and none of them use the nightly version: https://repology.org/project/freecol/versions The closest to nightly is the AUR, which uses git, so you don't actually get releases, but rather, you can build from source yourself once in a while.

With this information, FreeCol could decide to ship what is currently called "nightlies" as actual releases, if those releases are actually stable enough to fit the standard definition of this term.

But again, that's not for me to decide, just providing info.