Short description: Out-of-bounds read in Squirrel interpreter allows sandbox escape and remote code execution
Official CVE-2021-41556 entry at cve.mitre.org.
Related bug reports:
Related commits:
Patches: (sometimes more fuzz is needed to apply them)
A vulnerability in the Squirrel engine meant that a suitably crafted script could be used to escape the default “sandbox” and execute arbitrary code.
This has been published separately as CVE-2021-41556. OpenTTD is also affected, because it runs AIs and Game Scripts on a modified copy of the Squirrel engine.
Further restrictions in how OpenTTD uses Squirrel make the vulnerability much harder to exploit: notably, rawset was never implemented, and the default memory limits are smaller than what exploitation requires.
This issue was first fixed in nightlies prior to 14.0, then backported and first released in 13.2. The fix is a direct backport of the fix from the upstream Squirrel repository.