Debian Bug report logs - #660834
tremulous: CVE-2006-3325 ("q3cfilevar-B") configuration overwriting

version graph

Package: tremulous; Maintainer for tremulous is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>;

Reported by: Simon McVittie <smcv@debian.org>

Date: Wed, 22 Feb 2012 08:59:13 UTC

Severity: grave

Tags: security

Found in version tremulous/1.1.0-4.1

Fixed in versions 1.1.0-7, tremulous/1.1.0-7~squeeze1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#660834; Package tremulous. (Wed, 22 Feb 2012 08:59:16 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Wed, 22 Feb 2012 08:59:21 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tremulous: CVE-2006-3325 ("q3cfilevar-B") configuration overwriting
Date: Wed, 22 Feb 2012 08:58:01 +0000
Package: tremulous
Version: 1.1.0-4.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-3325 is a vulnerability in the Quake 3 engine. Due to missing checks,
a malicious server can overwrite configuration variables ("cvars") on clients
connecting to it, even those that are normally write-protected. Some cvars,
such as fs_homepath and cl_allowdownload, are security-sensitive; in
particular, this vulnerability can be combined with CVE-2006-3324 to overwrite
arbitrary files with the user's privileges.

Tremulous is based on a fork of that engine, and version 1.1.0 as shipped
in Debian has the same vulnerability.

The de facto upstream for the Quake 3 engine is ioquake3, in which this
vulnerability was fixed in r811. Debian's ioquake3 package is not vulnerable.




Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 22 Feb 2012 11:06:07 GMT) Full text and rfc822 format available.

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Wed, 22 Feb 2012 11:06:22 GMT) Full text and rfc822 format available.

Message #10 received at 660834-done@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 660831-done@bugs.debian.org, 660827-done@bugs.debian.org, 660830-done@bugs.debian.org, 660832-done@bugs.debian.org, 660834-done@bugs.debian.org, 660836-done@bugs.debian.org
Subject: Re: Bug#660827: tremulous: CVE-2006-2236 ("the remapShader exploit") can lead to arbitrary code execution
Date: Wed, 22 Feb 2012 10:31:07 +0000
Version: 1.1.0-7

tremulous (1.1.0-6) unstable; urgency=medium

  * Backport patches from ioquake3 to fix long-standing security bugs:
    - CVE-2006-2082: arbitrary file download from server by a malicious
client
      (Closes: #660831)
    - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
      COM_StripExtension, exploitable in clients of a malicious server
      (Closes: #660827)
    - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
      malicious server (Closes: #660830)
    - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
      server (Closes: #660832)
    - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
      code execution) in clients of a malicious server (Closes: #660834)
    - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
      code execution) in clients of a malicious server if auto-downloading
      is enabled (Closes: #660836)
  * As a precaution, disable auto-downloading
  * Backport ioquake3 r1141 to fix a potential buffer overflow in error
    handling (not known to be exploitable, but it can't hurt)
  * Add gcc attributes to all printf- and scanf-like functions, and
    fix non-literal format strings (again, none are known to be exploitable)

 -- Simon McVittie <smcv@debian.org>  Wed, 22 Feb 2012 09:07:37 +0000




Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Mon, 26 Mar 2012 18:36:15 GMT) Full text and rfc822 format available.

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Mon, 26 Mar 2012 18:36:15 GMT) Full text and rfc822 format available.

Message #15 received at 660834-close@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 660834-close@bugs.debian.org
Subject: Bug#660834: fixed in tremulous 1.1.0-7~squeeze1
Date: Mon, 26 Mar 2012 18:33:04 +0000
Source: tremulous
Source-Version: 1.1.0-7~squeeze1

We believe that the bug you reported is fixed in the latest version of
tremulous, which is due to be installed in the Debian FTP archive:

tremulous-doc_1.1.0-7~squeeze1_all.deb
  to contrib/t/tremulous/tremulous-doc_1.1.0-7~squeeze1_all.deb
tremulous-server_1.1.0-7~squeeze1_i386.deb
  to contrib/t/tremulous/tremulous-server_1.1.0-7~squeeze1_i386.deb
tremulous_1.1.0-7~squeeze1.debian.tar.gz
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.debian.tar.gz
tremulous_1.1.0-7~squeeze1.dsc
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.dsc
tremulous_1.1.0-7~squeeze1_i386.deb
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 660834@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated tremulous package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 25 Mar 2012 13:53:09 +0100
Source: tremulous
Binary: tremulous tremulous-server tremulous-doc
Architecture: source i386 all
Version: 1.1.0-7~squeeze1
Distribution: stable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 tremulous  - Aliens vs Humans, team based FPS game with elements of an RTS
 tremulous-doc - Tremulous documentation
 tremulous-server - Tremulous server
Closes: 660827 660830 660831 660832 660834 660836
Changes: 
 tremulous (1.1.0-7~squeeze1) stable; urgency=low
 .
   * Stable update (#663104), incorporating security fixes from unstable
   * Fix an incorrect bug number in revision -6
 .
 tremulous (1.1.0-7) unstable; urgency=medium
 .
   * Add a lintian override for embedded-library libjpeg (#589407) to avoid
     auto-rejection. It is a valid bug, but is not a regression, and fixing
     several long-standing security vulnerabilities seems more important
     than getting rid of an embedded library that is not known to be
     exploitable.
 .
 tremulous (1.1.0-6) unstable; urgency=medium
 .
   * Backport patches from ioquake3 to fix long-standing security bugs:
     - CVE-2006-2082: arbitrary file download from server by a malicious client
       (Closes: #660831)
     - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
       COM_StripExtension, exploitable in clients of a malicious server
       (Closes: #660827)
     - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
       malicious server (Closes: #660830)
     - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
       server (Closes: #660832)
     - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
       code execution) in clients of a malicious server (Closes: #660834)
     - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
       code execution) in clients of a malicious server if auto-downloading
       is enabled (Closes: #660836)
   * As a precaution, disable auto-downloading
   * Backport ioquake3 r1141 to fix a potential buffer overflow in error
     handling (not known to be exploitable, but it can't hurt)
   * Add gcc attributes to all printf- and scanf-like functions, and
     fix non-literal format strings (again, none are known to be exploitable)
Checksums-Sha1: 
 093c757c268baf294ca21bf5c3134f1b27c63ccd 1886 tremulous_1.1.0-7~squeeze1.dsc
 824556728fc2c6d25e1236aa73cefd20cf798c80 39677 tremulous_1.1.0-7~squeeze1.debian.tar.gz
 b660cef21e1d446fa3319883c51d3d6b5ef51106 674826 tremulous_1.1.0-7~squeeze1_i386.deb
 06a0f1fd077587c19793cb35fabf887376087e26 351748 tremulous-server_1.1.0-7~squeeze1_i386.deb
 b7e0b2fe05cb5c3cbd327d69e8f9397ba51440c4 645994 tremulous-doc_1.1.0-7~squeeze1_all.deb
Checksums-Sha256: 
 1ee9da033efeb695a4466f6d21750176ac0114ef0f58731d93fe830104e477ed 1886 tremulous_1.1.0-7~squeeze1.dsc
 d6b0e3e4fe5362e82970d0bc7122485d9ceaf501eb1d842c212bc3811e61c61f 39677 tremulous_1.1.0-7~squeeze1.debian.tar.gz
 c44056831bce32a472cac71c256642e3b2ea6d98731ef0b374b7f3491e9b93fd 674826 tremulous_1.1.0-7~squeeze1_i386.deb
 29b9b41418ea60ff11c99758e42a157c7776165f435eae36f9d0d2b240466d8f 351748 tremulous-server_1.1.0-7~squeeze1_i386.deb
 acb7a04f9648594d97c3a05eb0d71d847425d13b5b9e239e41977fa62313b419 645994 tremulous-doc_1.1.0-7~squeeze1_all.deb
Files: 
 1aa63c3fa97393579591711e3c9768c9 1886 contrib/games optional tremulous_1.1.0-7~squeeze1.dsc
 119bddb6b3b70513798a8c991d22668e 39677 contrib/games optional tremulous_1.1.0-7~squeeze1.debian.tar.gz
 b6fa83d46a72a0375642ef689f24239b 674826 contrib/games optional tremulous_1.1.0-7~squeeze1_i386.deb
 6909f73b47b0336243e22b5767e95a48 351748 contrib/games optional tremulous-server_1.1.0-7~squeeze1_i386.deb
 112bab3c2a43ee9218e1a66d65539b12 645994 contrib/doc optional tremulous-doc_1.1.0-7~squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIVAwUBT29a8k3o/ypjx8yQAQj2ZA/+Mxdi5FUwSyH3uZZM8pwpk2rZdNjmb2tg
ZNhCjH35iscLxb5vWmBXiO/GXI1THcQQCfbh7Ciwznf7azD+vItwxMgz8X8GAcco
M39v4H+uewFkNs+yFFqBJgVGZ5F85ZyNSiCXyZa0kvA9tvXt8Mmte/D39MEiG+JD
JyyDJ6zFcfNNIc9x48pR0Mp/GWt70dxFzv5v4fwRebYcIjczGsUMIk74O+spEx0v
fAcboohekqgJuNToKYjiReFbSKbhzNi1oEC6cXRlxybZLSqdGKUzluttyRsosYqM
KgkbdiWGYMkbd7NObjGuD7HnYA1e8APTAT3lMO4FO1ETjtm3AFbkq7KEkx73cSUs
xCzon+nNy1+M2SM0di59ACTkV/Y9vWD7KJc1kv94Nj9MBzpAS4qwBaK/qGb+vhNw
sXoDO/XEz80Z9T3KyX9r0bineg0LdoW0+JFSqmy+tWD03lybcrNusgJrC5yrQ1S+
GX/27mOUMbWluN/qU0Xk21wgGTKTjC4L9dB91rd5egAtiAlJ0NECWxXkQ5b5bgM2
rgvWD4GXZ0QXCyOWMmJF4vSNvOu691CLDBw9NJWQesqRQuZ8FsbtCBxuDzJHzAe5
kEGGmeIHg/gHJETpO2UyMrQZE9qXWwAwePRl7aKVskETddJT6naPqWj3DhsTAtRS
MUbCK2CKgVE=
=9D44
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:39:23 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:45:55 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.