Debian Bug report logs - #1004223
minetest-server: ItemStack meta injection vulnerability in Minetest (CVE-2022-24300)

Package: minetest-server; Maintainer for minetest-server is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>; Source for minetest-server is src:luanti.

Reported by: Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>

Date: Sun, 23 Jan 2022 02:51:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version minetest/5.3.0+repack-2.1

Fixed in versions minetest/5.4.1+repack-1, minetest/5.3.0+repack-2.1+deb11u1, minetest/0.4.17.1+repack-1+deb10u1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, nils+debian-reportbug@dieweltistgarnichtso.net, team@security.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#1004223; Package minetest-server. (Sun, 23 Jan 2022 02:51:04 GMT)


Acknowledgement sent to Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>:
New Bug report received and forwarded. Copy sent to nils+debian-reportbug@dieweltistgarnichtso.net, team@security.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Sun, 23 Jan 2022 02:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: minetest-server: ItemStack meta injection vulnerability in Minetest 5.3
Date: Sun, 23 Jan 2022 03:46:24 +0100
Package: minetest-server
Version: 5.3.0+repack-2.1
Severity: grave
Tags: patch security
Justification: user security hole
X-Debbugs-Cc: nils+debian-reportbug@dieweltistgarnichtso.net, Debian Security Team <team@security.debian.org>

Dear Maintainer,


Minetest 5.3 contains a serious security issue by default.
The ItemStack meta is not sanitized properly by the server.

It is therefore possible for clients to inject ItemStack meta.
It might be possible to backdoor the server by injecting Lua.

Computers running Minetest 5.3 are vulnerable to this exploit.
The following patch, part of Minetest 5.4, fixes the problem:

https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae


Greetings,
Nils Moskopp

-- System Information:
Debian Release: 11.2
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-6-686 (SMP w/2 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minetest-server depends on:
ii  adduser              3.118
ii  init-system-helpers  1.60
ii  libc6                2.31-13+deb11u2
ii  libcurl3-gnutls      7.74.0-1.3+deb11u1
ii  libgcc-s1            10.2.1-6
ii  libgmp10             2:6.2.1+dfsg-1+deb11u1
ii  libjsoncpp24         1.9.4-4
ii  libleveldb1d         1.22-3
ii  libluajit-5.1-2      2.1.0~beta3+dfsg-5.3
ii  libncursesw6         6.2+20201114-2
ii  libpq5               13.5-0+deb11u1
ii  libspatialindex6     1.9.3-2
ii  libsqlite3-0         3.34.1-3
ii  libstdc++6           10.2.1-6
ii  libtinfo6            6.2+20201114-2
ii  lsb-base             11.1.0
ii  minetest-data        5.3.0+repack-2.1
ii  zlib1g               1:1.2.11.dfsg-2

minetest-server recommends no packages.

minetest-server suggests no packages.

-- no debconf information



Marked as fixed in versions minetest/5.4.1+repack-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 24 Jan 2022 06:12:05 GMT)


Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 24 Jan 2022 06:12:05 GMT)


Notification sent to Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>:
Bug acknowledged by developer. (Mon, 24 Jan 2022 06:12:06 GMT)


Message sent on to Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>:
Bug#1004223. (Mon, 24 Jan 2022 06:12:07 GMT)


Message #14 received at 1004223-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 1004223-submitter@bugs.debian.org
Subject: closing 1004223
Date: Mon, 24 Jan 2022 07:09:36 +0100
close 1004223 5.4.1+repack-1
thanks




Information stored :
Bug#1004223; Package minetest-server. (Mon, 24 Jan 2022 10:51:04 GMT)


Acknowledgement sent to Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>:
Extra info received and filed, but not forwarded. (Mon, 24 Jan 2022 10:51:04 GMT)


Message #19 received at 1004223-quiet@bugs.debian.org:

From: Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>
To: Salvatore Bonaccorso <carnil@debian.org>, 1004223-quiet@bugs.debian.org, control@bugs.debian.org
Cc: 1004223-submitter@bugs.debian.org
Subject: Re: Bug#1004223: closing 1004223
Date: Mon, 24 Jan 2022 11:36:11 +0100
Salvatore Bonaccorso <carnil@debian.org> writes:

> close 1004223 5.4.1+repack-1
> thanks

Yes, the problem is fixed in later Minetest versions – as I said …

However, the current version in Debian stable (bullseye) is 5.3.0.

This means that the patch needs to be backported to protect users!

Message sent on to Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>:
Bug#1004223. (Mon, 24 Jan 2022 10:51:06 GMT)


Information stored :
Bug#1004223; Package minetest-server. (Fri, 28 Jan 2022 05:15:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and filed, but not forwarded. (Fri, 28 Jan 2022 05:15:06 GMT)


Message #27 received at 1004223-quiet@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>, 1004223-quiet@bugs.debian.org
Subject: Re: Bug#1004223: closing 1004223
Date: Fri, 28 Jan 2022 06:12:01 +0100
Hi,

On Mon, Jan 24, 2022 at 11:36:11AM +0100, Nils Dagsson Moskopp wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
> 
> > close 1004223 5.4.1+repack-1
> > thanks
> 
> Yes, the problem is fixed in later Minetest versions – as I said …
> 
> However, the current version in Debian stable (bullseye) is 5.3.0.
> 
> This means that the patch needs to be backported to protect users!

Yes. But we can have closes of a bug in multiple versions, and this
way we properly track the metadata on the bug, indicating it is fixed
in 5.4.1+repack-1. Another upload fixing it in bullseye and older
still can close the bug with that appropriate version.

minetest is on the radar of the security-team and it's planned to have
an update:

https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3db1fe1ab2c140906022a463cf18046ebbdd8aca#922f24d99bcbb71f467600d4a765aa2ac5ee31f5_31_31

Regards,
Salvatore



Changed Bug title to 'minetest-server: ItemStack meta injection vulnerability in Minetest (CVE-2022-24300)' from 'minetest-server: ItemStack meta injection vulnerability in Minetest 5.3'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Feb 2022 06:27:04 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Feb 2022 06:27:06 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Fri, 18 Feb 2022 19:21:03 GMT)


Notification sent to Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>:
Bug acknowledged by developer. (Fri, 18 Feb 2022 19:21:04 GMT)


Message #36 received at 1004223-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1004223-close@bugs.debian.org
Subject: Bug#1004223: fixed in minetest 5.3.0+repack-2.1+deb11u1
Date: Fri, 18 Feb 2022 19:17:15 +0000
Source: minetest
Source-Version: 5.3.0+repack-2.1+deb11u1
Done: Markus Koschany <apo@debian.org>

We believe that the bug you reported is fixed in the latest version of
minetest, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004223@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated minetest package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 13 Feb 2022 20:46:14 CET
Source: minetest
Architecture: source
Version: 5.3.0+repack-2.1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 1004223
Changes:
 minetest (5.3.0+repack-2.1+deb11u1) bullseye-security; urgency=high
 .
   * Fix CVE-2022-24300 and CVE-2022-24301:
     Several vulnerabilities have been discovered in Minetest. These issues may
     allow attackers to manipulate game mods by adding or modifying meta fields
     of the same item stack and grant them an unfair advantage over other
     players. These flaws could also be abused for a denial of service attack.
     (Closes: #1004223)




Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Fri, 18 Feb 2022 19:21:05 GMT)


Notification sent to Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>:
Bug acknowledged by developer. (Fri, 18 Feb 2022 19:21:06 GMT)


Message #41 received at 1004223-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1004223-close@bugs.debian.org
Subject: Bug#1004223: fixed in minetest 0.4.17.1+repack-1+deb10u1
Date: Fri, 18 Feb 2022 19:17:46 +0000
Source: minetest
Source-Version: 0.4.17.1+repack-1+deb10u1
Done: Markus Koschany <apo@debian.org>

We believe that the bug you reported is fixed in the latest version of
minetest, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004223@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated minetest package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 13 Feb 2022 21:46:40 CET
Source: minetest
Architecture: source
Version: 0.4.17.1+repack-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 1004223
Changes:
 minetest (0.4.17.1+repack-1+deb10u1) buster-security; urgency=high
 .
   * Fix CVE-2022-24300 and CVE-2022-24301:
     Several vulnerabilities have been discovered in Minetest. These issues may
     allow attackers to manipulate game mods and grant them an unfair advantage
     over other players. These flaws could also be abused for a denial of
     service attack or if user input is passed directly to minetest.deserialize
     without serializing it first, then a malicious user could run Lua code in
     the server environment. (Closes: #1004223)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Mar 2022 07:25:36 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:29:50 2025; Machine Name: buxtehude