Debian Bug report logs - #663104
pu: package tremulous/1.1.0-7~squeeze1 (contrib)


Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Simon McVittie <smcv@debian.org>

Date: Thu, 8 Mar 2012 14:15:01 UTC

Severity: normal

Tags: confirmed, squeeze

Fixed in version 6.0.5

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#663104; Package release.debian.org. (Thu, 08 Mar 2012 14:15:04 GMT)

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 08 Mar 2012 14:15:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package tremulous/1.1.0-7~squeeze1 (contrib)
Date: Thu, 8 Mar 2012 14:12:53 +0000
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Tremulous 1.1.0-7 (contrib) is believed to fix CVE-2006-2082, CVE-2006-2236,
CVE-2006-2875, CVE-2006-3324, CVE-2006-3325, CVE-2011-3012, CVE-2011-2764.
The Security Team have indicated that they do not issue DSAs for contrib
packages.

I propose to use a package functionally identical to 1.1.0-7 (differing
only in its changelog and target distribution) as the stable update;
I've avoided making any changes not targeted as a security update.

1.1.0-7~squeeze1 seems like a good version number to represent that,
or I could make it 1.1.0-5+squeeze1 if you prefer.

Changelog since squeeze:

tremulous (1.1.0-7~squeeze1) stable; urgency=low

  * Stable update, incorporating security fixes from unstable
  * Fix an incorrect bug number in revision -6

 -- Simon McVittie <smcv@debian.org>  Thu, 08 Mar 2012 13:59:24 +0000

tremulous (1.1.0-7) unstable; urgency=medium

  * Add a lintian override for embedded-library libjpeg (#589407) to avoid
    auto-rejection. It is a valid bug, but is not a regression, and fixing
    several long-standing security vulnerabilities seems more important
    than getting rid of an embedded library that is not known to be
    exploitable.

 -- Simon McVittie <smcv@debian.org>  Wed, 22 Feb 2012 10:00:04 +0000

tremulous (1.1.0-6) unstable; urgency=medium

  * Backport patches from ioquake3 to fix long-standing security bugs:
    - CVE-2006-2082: arbitrary file download from server by a malicious client
      (Closes: #660831)
    - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
      COM_StripExtension, exploitable in clients of a malicious server
      (Closes: #660827)
    - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
      malicious server (Closes: #660830)
    - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
      server (Closes: #660832)
    - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
      code execution) in clients of a malicious server (Closes: #660834)
    - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
      code execution) in clients of a malicious server if auto-downloading
      is enabled (Closes: #660836)
  * As a precaution, disable auto-downloading
  * Backport ioquake3 r1141 to fix a potential buffer overflow in error
    handling (not known to be exploitable, but it can't hurt)
  * Add gcc attributes to all printf- and scanf-like functions, and
    fix non-literal format strings (again, none are known to be exploitable)

 -- Simon McVittie <smcv@debian.org>  Wed, 22 Feb 2012 09:07:37 +0000

Please find attached:

* filtered.diff: proposed debdiff with the actual patches filtered out,
  so you don't have to read diff-of-diffs
  (output of: git diff --staged debian/1.1.0-5.. |
  filterdiff -p1 --exclude=debian/patches/\*.patch)

* *.patch: the new patches

Regards,
    Simon
[filtered.diff (text/x-diff, attachment)]
[0010-CVE-2006-2082-do-not-allow-download-of-arbitrary-fil.patch (text/x-diff, attachment)]
[0011-CVE-2006-2236-add-bounds-checking-to-COM_StripExtens.patch (text/x-diff, attachment)]
[0012-CVE-2006-2875-fix-stack-buffer-overflow-in-CL_ParseD.patch (text/x-diff, attachment)]
[0013-CVE-2006-3324-fix-arbitrary-file-overwrite-on-client.patch (text/x-diff, attachment)]
[0014-CVE-2006-3325-fix-arbitrary-cvar-overwriting.patch (text/x-diff, attachment)]
[0015-CVE-2011-3012-CVE-2011-2764-backport-from-ioquake3-t.patch (text/x-diff, attachment)]
[0016-Always-behave-as-if-cl_allowDownload-was-false.patch (text/x-diff, attachment)]
[0017-Sys_Error-do-not-overflow-if-an-error-message-exceed.patch (text/x-diff, attachment)]
[0018-Avoid-non-literal-format-strings.patch (text/x-diff, attachment)]
[0019-Annotate-printf-and-scanf-like-functions-with-gcc-at.patch (text/x-diff, attachment)]
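The changelog above names two classes of hardening that can be shown in isolation. The following is an added example, not code from Tremulous or ioquake3, and its function names and signatures are assumptions: a bounds-checked extension stripper of the kind the CVE-2006-2236 fix needed, and a printf-style wrapper carrying gcc's format attribute, next to the non-literal call that the attribute flags and its literal-format replacement.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked extension stripping, illustrating the class of fix the
 * changelog describes for CVE-2006-2236 (missing bounds-checking on
 * COM_StripExtension). Added example, not ioquake3 or Tremulous code; the
 * name and signature are assumptions. Copies 'in' to 'out', writing at most
 * out_size bytes including the terminator, and drops a trailing ".ext"
 * unless the dot belongs to a directory component. */
void strip_extension_bounded(const char *in, char *out, size_t out_size)
{
    size_t len = strlen(in);
    size_t keep = len;

    if (out_size == 0)
        return;

    /* Walk back to the last '.', stopping at a separator so that
     * "dir.d/file" keeps its name. */
    for (size_t i = len; i > 0; i--) {
        char c = in[i - 1];
        if (c == '/' || c == '\\')
            break;
        if (c == '.') {
            keep = i - 1;
            break;
        }
    }

    /* Clamp to the destination: an over-long, remotely supplied name is
     * truncated instead of overrunning the buffer. */
    if (keep > out_size - 1)
        keep = out_size - 1;
    memcpy(out, in, keep);
    out[keep] = '\0';
}

/* Returns 1 when stripping 'in' into a 'size'-byte destination yields
 * exactly 'expected' and nothing beyond 'size' bytes was written. */
int check_strip(const char *in, size_t size, const char *expected)
{
    char buf[128];

    if (size > sizeof buf)
        return 0;
    memset(buf, 'G', sizeof buf);            /* guard pattern */
    strip_extension_bounded(in, buf, size);
    if (strcmp(buf, expected) != 0)
        return 0;
    for (size_t i = size; i < sizeof buf; i++)   /* guard must be intact */
        if (buf[i] != 'G')
            return 0;
    return 1;
}

/* Format-string hardening, as in the changelog's "add gcc attributes to
 * all printf- and scanf-like functions": the attribute lets the compiler
 * type-check every call site and, with -Wformat -Wformat-security, warn
 * wherever the format is not a literal. */
__attribute__((format(printf, 3, 4)))
int log_fmt(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* The pattern the "avoid non-literal format strings" fix removes: a
 * player-supplied string is used as the format, so any '%' in it is parsed
 * as a directive. Shown only to illustrate the warning; never called. */
int log_player_unsafe(char *buf, size_t size, const char *player_name)
{
    return log_fmt(buf, size, player_name);  /* -Wformat-security warns */
}

/* Fixed form: the format is a literal and the untrusted string is data. */
int log_player_safe(char *buf, size_t size, const char *player_name)
{
    return log_fmt(buf, size, "%s", player_name);
}

/* Returns 1 when the literal-format logger reproduces 'name' verbatim,
 * '%' characters included, and reports its length. */
int check_safe_log(const char *name)
{
    char buf[64];
    int n = log_player_safe(buf, sizeof buf, name);
    return n == (int)strlen(name) && strcmp(buf, name) == 0;
}

int main(void)
{
    printf("%s\n", check_strip("maps/arena.bsp", 32, "maps/arena")
                   && check_safe_log("100%-legit") ? "ok" : "FAIL");
    return 0;
}
```

Compile with `-Wall -Wformat -Wformat-security` to see the attribute at work: the call inside log_player_unsafe is reported, log_player_safe is silent, and a mismatched argument type at any log_fmt call site is caught at compile time rather than at a player's convenience.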

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#663104; Package release.debian.org. (Sun, 18 Mar 2012 16:03:03 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 18 Mar 2012 16:03:03 GMT)

Message #10 received at 663104@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Simon McVittie <smcv@debian.org>, 663104@bugs.debian.org
Subject: Re: Bug#663104: pu: package tremulous/1.1.0-7~squeeze1 (contrib)
Date: Sun, 18 Mar 2012 15:58:40 +0000
On Thu, 2012-03-08 at 14:12 +0000, Simon McVittie wrote:
> Tremulous 1.1.0-7 (contrib) is believed to fix CVE-2006-2082, CVE-2006-2236,
> CVE-2006-2875, CVE-2006-3324, CVE-2006-3325, CVE-2011-3012, CVE-2011-2764.
> The Security Team have indicated that they do not issue DSAs for contrib
> packages.
> 
> I propose to use a package functionally identical to 1.1.0-7 (differing
> only in its changelog and target distribution) as the stable update;
> I've avoided making any changes not targeted as a security update.

Thanks for working on fixing this in stable, and sorry for the slight
delay in getting back to you.

>   * As a precaution, disable auto-downloading

Specifically, this not only disables auto-downloading but prevents users
from turning it back on should they so wish.  I assume the logic here is
that there may still be security issues lurking which involve untrusted
content and just haven't been found yet?

Regards,

Adam

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#663104; Package release.debian.org. (Sun, 18 Mar 2012 23:42:08 GMT)

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 18 Mar 2012 23:42:08 GMT)

Message #15 received at 663104@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 663104@bugs.debian.org
Subject: Re: Bug#663104: pu: package tremulous/1.1.0-7~squeeze1 (contrib)
Date: Sun, 18 Mar 2012 22:17:48 +0000
On 18/03/12 15:58, Adam D. Barratt wrote:
> On Thu, 2012-03-08 at 14:12 +0000, Simon McVittie wrote:
>>   * As a precaution, disable auto-downloading
> 
> Specifically, this not only disables auto-downloading but prevents users
> from turning it back on should they so wish.  I assume the logic here is
> that there may still be security issues lurking which involve untrusted
> content and just haven't been found yet?

That, but more so: auto-downloading is known (or at least strongly
suspected) to be unsafe. Auto-downloaded PK3 files can contain
executable bytecode to be run by a JIT compiler or interpreter, and the
sandboxing used in Quake III Arena (and hence Tremulous and early
ioquake3 versions) is rather lacking - it seems to have been designed
for robustness against coding mistakes, but not against malicious bytecode.

The version of ioquake3 that we ship is believed to correct this, but I
wouldn't be happy about backporting 6 years' worth of interpreter/JIT
improvements in a security update: I'd have to replace the whole virtual
machine implementation (JITs for i386, amd64, powerpc and sparc, and a
generic interpreter for the other architectures), and that seems rather
more intrusive than I'd like.

I'm seriously considering knocking out auto-downloading in our ioquake3
packages (used by our quake3 and openarena packages) in time for wheezy,
too - it's less important there, because a more modern ioquake3 is
better-sandboxed, but it's still likely to mitigate future security issues.

Disabling auto-downloading will also mitigate any exploits we might find
in loaders for non-executable formats (images, models, sounds), but
that's not the primary purpose of this change.

Regards,
    S
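The message above explains why the Debian update disables auto-downloading outright rather than trusting any per-file check. For comparison, here is the narrower kind of check that the CVE-2006-3324 and CVE-2011-3012/CVE-2011-2764 fixes listed in the changelog represent: before a server-offered download is written to disk, the client accepts only a single-component relative name under a game directory that ends in .pk3, and rejects absolute paths, traversal, backslashes and anything that could land as a native library. This is an added example, not Tremulous or ioquake3 code; the function name and the exact policy are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Allowlist check for a download filename supplied by the remote side.
 * Added example (not ioquake3 code); the policy is an assumption:
 * exactly "<gamedir>/<name>.pk3", nothing else. Returns 1 to accept,
 * 0 to reject. Rejecting is the default; every branch below is a reason
 * to refuse, and only a name that survives all of them is accepted. */
int download_name_allowed(const char *path)
{
    const char *suffix = ".pk3";
    size_t len = strlen(path), slen = strlen(suffix);

    if (len == 0 || len >= 256)                 /* empty or oversized */
        return 0;
    if (path[0] == '/' || path[0] == '\\')      /* absolute path */
        return 0;
    if (path[1] == ':')                         /* drive letter, e.g. C: */
        return 0;
    if (strstr(path, "..") != NULL)             /* parent traversal */
        return 0;
    if (strchr(path, '\\') != NULL)             /* forward slashes only */
        return 0;

    /* Exactly one separator, with a non-empty directory before it. */
    const char *slash = strchr(path, '/');
    if (slash == NULL || slash == path)
        return 0;
    const char *name = slash + 1;
    if (strchr(name, '/') != NULL)
        return 0;

    /* The file part must be "<something>.pk3", case-sensitive, so a
     * ".dll", ".so" or ".cfg" can never be written through this path. */
    if (strlen(name) <= slen)
        return 0;
    if (strcmp(name + strlen(name) - slen, suffix) != 0)
        return 0;

    return 1;
}

int main(void)
{
    /* Constructed sample names, as a client might be told to save them. */
    const char *samples[] = {
        "base/map-arena.pk3", "base/server.cfg", "../etc/passwd",
        "/etc/passwd", "base/../../x.pk3", "base/sub/x.pk3", "base/library.dll",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               download_name_allowed(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

A check like this closes the file-overwrite class of bug but, as the message above points out, does nothing about what a well-formed .pk3 contains; that is why the Debian package removes the download path entirely instead of relying on a filename filter.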

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#663104; Package release.debian.org. (Sat, 24 Mar 2012 16:57:06 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 24 Mar 2012 16:57:07 GMT)

Message #20 received at 663104@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Simon McVittie <smcv@debian.org>, 663104@bugs.debian.org
Subject: Re: Bug#663104: pu: package tremulous/1.1.0-7~squeeze1 (contrib)
Date: Sat, 24 Mar 2012 16:53:41 +0000
On Sun, 2012-03-18 at 22:17 +0000, Simon McVittie wrote:
> On 18/03/12 15:58, Adam D. Barratt wrote:
> > Specifically, this not only disables auto-downloading but prevents users
> > from turning it back on should they so wish.  I assume the logic here is
> > that there may still be security issues lurking which involve untrusted
> > content and just haven't been found yet?
> 
> That, but more so: auto-downloading is known (or at least strongly
> suspected) to be unsafe. Auto-downloaded PK3 files can contain
> executable bytecode to be run by a JIT compiler or interpreter, and the
> sandboxing used in Quake III Arena (and hence Tremulous and early
> ioquake3 versions) is rather lacking - it seems to have been designed
> for robustness against coding mistakes, but not against malicious bytecode.

Thanks for the explanation, and apologies for the delay in getting back
to you again; please feel free to go ahead with the upload.

Regards,

Adam

Added tag(s) squeeze and confirmed. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 24 Mar 2012 16:57:11 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#663104; Package release.debian.org. (Sun, 25 Mar 2012 18:09:06 GMT)

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 25 Mar 2012 18:09:07 GMT)

Message #27 received at 663104@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 663104@bugs.debian.org
Subject: Re: Bug#663104: pu: package tremulous/1.1.0-7~squeeze1 (contrib)
Date: Sun, 25 Mar 2012 19:07:01 +0100
On 24/03/12 16:53, Adam D. Barratt wrote:
> Thanks for the explanation, and apologies for the delay in getting back
> to you again; please feel free to go ahead with the upload.

Uploaded.

Thanks,
    S

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#663104; Package release.debian.org. (Mon, 26 Mar 2012 18:27:08 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 26 Mar 2012 18:27:08 GMT)

Message #32 received at 663104@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Simon McVittie <smcv@debian.org>, 663104@bugs.debian.org
Subject: Re: Bug#663104: pu: package tremulous/1.1.0-7~squeeze1 (contrib)
Date: Mon, 26 Mar 2012 19:21:41 +0100
tag 663104 + pending
thanks

On Sun, 2012-03-25 at 19:07 +0100, Simon McVittie wrote:
> On 24/03/12 16:53, Adam D. Barratt wrote:
> > Thanks for the explanation, and apologies for the delay in getting back
> > to you again; please feel free to go ahead with the upload.
> 
> Uploaded.

Flagged for acceptance; thanks.

Regards,

Adam

Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Mon, 26 Mar 2012 18:27:11 GMT)

Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility. (Sat, 12 May 2012 12:36:54 GMT)

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Sat, 12 May 2012 12:36:55 GMT)

Message #39 received at 663104-done@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: <623148-done@bugs.debian.org>, <657722-done@bugs.debian.org>, <658424-done@bugs.debian.org>, <660693-done@bugs.debian.org>, <661473-done@bugs.debian.org>, <661652-done@bugs.debian.org>, <663104-done@bugs.debian.org>, <664567-done@bugs.debian.org>, <666001-done@bugs.debian.org>, <666222-done@bugs.debian.org>, <666687-done@bugs.debian.org>, <668456-done@bugs.debian.org>, <670730-done@bugs.debian.org>, <671449-done@bugs.debian.org>
Subject: Closing requests for packages included in 6.0.5
Date: Sat, 12 May 2012 13:32:55 +0100
Version: 6.0.5

Hi,

All of the packages referenced by the closed bugs were included in the
6.0.5 point release which occurred today.

Regards,

Adam

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Jun 2012 07:33:46 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:05:12 2014; Machine Name: buxtehude.debian.org