Debian Bug report logs - #665842
tremulous: [CVE-2010-5077] traffic amplification via getstatus requests


Package: tremulous; Maintainer for tremulous is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>;

Reported by: Simon McVittie <smcv@debian.org>

Date: Mon, 26 Mar 2012 14:45:01 UTC

Severity: serious

Tags: security

Found in version tremulous/1.1.0-5

Fixed in version tremulous/1.1.0-8

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665842; Package tremulous. (Mon, 26 Mar 2012 14:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Mon, 26 Mar 2012 14:45:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tremulous: traffic amplification via spoofed getstatus requests
Date: Mon, 26 Mar 2012 15:42:26 +0100
Package: tremulous
Version: 1.1.0-5
Severity: serious
Tags: security
Justification: RC in maintainer's opinion, facilitates DoS against others

It has been discovered that spoofed "getstatus" UDP requests are used by
attackers to direct status responses from multiple Quake 3-based servers
to a victim, as a traffic amplification mechanism for a denial of service
attack on that victim. Tremulous 1.1.0 appears to be vulnerable to this.

This was fixed in ioquake3 r1762, and was reported against openarena/squeeze
as Bug #665656. The patch is likely to backport nicely to Tremulous too.

If a CVE ID is allocated for this vulnerability, please reference
ioquake3 r1762 prominently in any advisory.

More details in <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656>,
including a list of affected versions. The short version is that Tremulous
svn is OK, but both current releases (1.1.0 and GPP1) are vulnerable.

    S
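The mitigation this report asks for is a rate limit on "getstatus" replies. The following is an added illustration written for this page, not code from ioquake3, Tremulous or the Debian package: a leaky-bucket limiter with two levels. A per-source bucket caps how many replies one address receives, and a server-wide bucket caps total outbound replies, because a spoofed flood can present a fresh source address on every packet and a per-source limit alone would not bound the amplified traffic. All constants, names (`should_answer_getstatus`, `simulate_*`) and the sample addresses are hypothetical; time is passed in as a millisecond counter so the behaviour is deterministic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constants: tune for the real server's reply size and link. */
#define ADDR_BUCKETS  1024
#define ADDR_BURST    10     /* replies one address may receive in a burst   */
#define ADDR_PERIOD   1000   /* ms per token refilled for a single address   */
#define GLOBAL_BURST  100    /* replies the whole server may send in a burst */
#define GLOBAL_PERIOD 10     /* ms per token refilled server-wide            */

typedef struct {
    uint32_t addr;      /* IPv4 source (host byte order); 0 = slot unused */
    int      used;      /* tokens consumed and not yet refilled           */
    uint64_t last_ms;   /* time of the last refill                        */
} bucket_t;

static bucket_t addr_buckets[ADDR_BUCKETS];
static bucket_t global_bucket;

/* Refill: every full `period` ms elapsed since the last refill returns one token. */
static void bucket_refill(bucket_t *b, uint64_t now_ms, int period) {
    uint64_t elapsed = now_ms - b->last_ms;
    if (elapsed < (uint64_t)period) return;
    uint64_t tokens = elapsed / (uint64_t)period;
    b->used = (tokens >= (uint64_t)b->used) ? 0 : b->used - (int)tokens;
    b->last_ms += tokens * (uint64_t)period;
}

/* Take one token; false means the caller should drop the request. */
static bool bucket_take(bucket_t *b, uint64_t now_ms, int burst, int period) {
    bucket_refill(b, now_ms, period);
    if (b->used >= burst) return false;
    b->used++;
    return true;
}

/* 10-bit slot index for the per-address table (multiplicative hash). */
static unsigned addr_slot(uint32_t addr) {
    return (addr * 2654435761u) >> 22;
}

/* Clear all limiter state (used between simulations). */
void ratelimit_reset(void) {
    memset(addr_buckets, 0, sizeof addr_buckets);
    memset(&global_bucket, 0, sizeof global_bucket);
}

/* Decide whether a getstatus request from `src` arriving at `now_ms` is answered. */
bool should_answer_getstatus(uint32_t src, uint64_t now_ms) {
    bucket_t *b = &addr_buckets[addr_slot(src)];
    if (b->addr != src) {       /* slot empty or owned by a colliding address: reclaim it */
        b->addr = src;
        b->used = 0;
        b->last_ms = now_ms;
    }
    if (!bucket_take(b, now_ms, ADDR_BURST, ADDR_PERIOD)) return false;
    /* Per-address check first, so a limited address does not consume global tokens. */
    return bucket_take(&global_bucket, now_ms, GLOBAL_BURST, GLOBAL_PERIOD);
}

/* `n` requests from one constructed source (10.0.0.1) spread evenly over `span_ms`;
 * returns how many replies the server would send. */
int simulate_single_source(int n, uint64_t span_ms) {
    ratelimit_reset();
    int answered = 0;
    for (int i = 0; i < n; i++) {
        uint64_t t = (n > 1) ? span_ms * (uint64_t)i / (uint64_t)(n - 1) : 0;
        if (should_answer_getstatus(0x0A000001u, t)) answered++;
    }
    return answered;
}

/* `n` requests, each from a different constructed source (10.0.0.0 + i), over `span_ms`;
 * models a spoofed flood, which only the global bucket can bound. */
int simulate_spoofed_flood(int n, uint64_t span_ms) {
    ratelimit_reset();
    int answered = 0;
    for (int i = 0; i < n; i++) {
        uint64_t t = (n > 1) ? span_ms * (uint64_t)i / (uint64_t)(n - 1) : 0;
        if (should_answer_getstatus(0x0A000000u + (uint32_t)i, t)) answered++;
    }
    return answered;
}

int main(void) {
    printf("one source, 50 requests at once:      %d replies\n", simulate_single_source(50, 0));
    printf("one source, 50 requests over 5 s:     %d replies\n", simulate_single_source(50, 5000));
    printf("500 spoofed sources at once:          %d replies\n", simulate_spoofed_flood(500, 0));
    printf("500 spoofed sources over 5 s:         %d replies\n", simulate_spoofed_flood(500, 5000));
    return 0;
}
```

With these constants a single address gets at most 10 replies in a burst and one more per second afterwards, while a spoofed burst of 500 requests is cut to 100 replies; the same 500 requests spread over five seconds are all answered, since the global bucket refills at 100 per second. The point for a server operator is that the global cap, not the per-address one, is what bounds the amplification a spoofing attacker can extract.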




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665842; Package tremulous. (Mon, 26 Mar 2012 19:51:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Mon, 26 Mar 2012 19:51:11 GMT) Full text and rfc822 format available.

Message #10 received at 665842@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Simon McVittie <smcv@debian.org>, 665656@bugs.debian.org, security@debian.org, 665842@bugs.debian.org
Subject: Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack
Date: Mon, 26 Mar 2012 20:48:05 +0100
retitle 665656 openarena-server: [CVE-2010-5077] traffic amplification
via getstatus requests
retitle 665842 tremulous: [CVE-2010-5077] traffic amplification via
getstatus requests
thanks

On 26/03/12 11:23, Simon McVittie wrote:
> It has been discovered that spoofed "getstatus" UDP requests are being
> used by attackers[0][1][2][3] to direct status responses from multiple
> Quake 3-based servers to a victim, as a traffic amplification mechanism
> for a denial of service attack on that victim.
> 
> Open-source games derived from the Quake 3 engine are typically based on
> ioquake3 [4], a popular fork of that engine. This vulnerability was
> fixed in ioquake3 svn revision 1762 (January 2010) [5] by applying a
> rate-limit to the getstatus request. Like several other known and fixed
> vulnerabilities, it is not fixed in the latest official ioquake3 release
> (1.36, April 2009).
> 
> If a CVE ID is allocated for this vulnerability, please reference
> ioquake3 r1762 prominently in any advisory.

CVE-2010-5077 has now been allocated for this.





Changed Bug title to 'tremulous: [CVE-2010-5077] traffic amplification via' from 'tremulous: traffic amplification via spoofed getstatus requests' Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 26 Mar 2012 19:51:25 GMT) Full text and rfc822 format available.

Changed Bug title to 'tremulous: [CVE-2010-5077] traffic amplification via getstatus requests' from 'tremulous: [CVE-2010-5077] traffic amplification via' Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 26 Mar 2012 19:57:08 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Tue, 27 Mar 2012 10:08:25 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665842; Package tremulous. (Tue, 27 Mar 2012 10:39:34 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Tue, 27 Mar 2012 10:39:36 GMT) Full text and rfc822 format available.

Message #21 received at 665842@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 665842@bugs.debian.org
Subject: Re: Bug#665842: tremulous: traffic amplification via spoofed getstatus requests
Date: Tue, 27 Mar 2012 11:35:32 +0100
Backported patches apply and build, but have not been tested (at all).
I'll upload to unstable when I've had a chance to test them.

I've asked upstream whether there's anything else non-obvious that will
need backporting...

    S




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#665842; Package tremulous. (Tue, 27 Mar 2012 19:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Tue, 27 Mar 2012 19:21:05 GMT) Full text and rfc822 format available.

Message #26 received at 665842@bugs.debian.org (full text, mbox):

From: Markus Koschany <apo@gambaru.de>
To: 665842@bugs.debian.org, Simon McVittie <smcv@debian.org>
Subject: Ready for testing tremulous
Date: Tue, 27 Mar 2012 20:42:03 +0200
Hi,

I think I could help you with testing the new packages. My server seems
to be the perfect place. Could you upload them to experimental or
something else?

Regards
Markus


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 27 Mar 2012 21:54:11 GMT) Full text and rfc822 format available.

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 27 Mar 2012 21:54:11 GMT) Full text and rfc822 format available.

Message #31 received at 665842-close@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 665842-close@bugs.debian.org
Subject: Bug#665842: fixed in tremulous 1.1.0-8
Date: Tue, 27 Mar 2012 21:52:07 +0000
Source: tremulous
Source-Version: 1.1.0-8

We believe that the bug you reported is fixed in the latest version of
tremulous, which is due to be installed in the Debian FTP archive:

tremulous-doc_1.1.0-8_all.deb
  to contrib/t/tremulous/tremulous-doc_1.1.0-8_all.deb
tremulous-server_1.1.0-8_amd64.deb
  to contrib/t/tremulous/tremulous-server_1.1.0-8_amd64.deb
tremulous_1.1.0-8.debian.tar.gz
  to contrib/t/tremulous/tremulous_1.1.0-8.debian.tar.gz
tremulous_1.1.0-8.dsc
  to contrib/t/tremulous/tremulous_1.1.0-8.dsc
tremulous_1.1.0-8_amd64.deb
  to contrib/t/tremulous/tremulous_1.1.0-8_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 665842@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated tremulous package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 27 Mar 2012 20:33:10 +0100
Source: tremulous
Binary: tremulous tremulous-server tremulous-doc
Architecture: source amd64 all
Version: 1.1.0-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 tremulous  - Aliens vs Humans, team based FPS game with elements of an RTS
 tremulous-doc - Tremulous documentation
 tremulous-server - Tremulous server
Closes: 665842
Changes: 
 tremulous (1.1.0-8) unstable; urgency=medium
 .
   * Backport ioquake3 r1762, r1763, r1898 to rate-limit getstatus and
     rcon connectionless packets, to avoid their use for traffic amplification.
     CVE-2010-5077 (Closes: #665842)
   * Fix an incorrect bug number in revision -6
Checksums-Sha1: 
 6b29db511d7ab47f955b850a24b015cc0d6355eb 1992 tremulous_1.1.0-8.dsc
 2d7c4044ebc000c3248dc7c4efa16ff4b975d349 41059 tremulous_1.1.0-8.debian.tar.gz
 0cedd159bcef6d755b79ad2df172fa7c1c26d509 840670 tremulous_1.1.0-8_amd64.deb
 aa2525db15c9cf3adf02f18f4f47705cd736e153 434686 tremulous-server_1.1.0-8_amd64.deb
 19d9edf64951bf1c4d2e2d16e5c544e09017f2e9 646030 tremulous-doc_1.1.0-8_all.deb
Checksums-Sha256: 
 fe68da6f3c3357ec79daa133bc506a97fb726e9a357e9124ff570f7482d4b247 1992 tremulous_1.1.0-8.dsc
 a39629041fd9081b904eb494dee711017f8059c8810c085243c05bdd7ecb382e 41059 tremulous_1.1.0-8.debian.tar.gz
 d4c27693c284b054107915e4b6534fc88f032a4c3230c2c6e72db3e0cb2a5c4c 840670 tremulous_1.1.0-8_amd64.deb
 2418dd59ff88644d764fdbc816c274a1785f5829372a4793d5b3d8f7118948c4 434686 tremulous-server_1.1.0-8_amd64.deb
 07122addc0931a727c39449bfd44b2e29d921274d7bd621df3b85a483b4a74fe 646030 tremulous-doc_1.1.0-8_all.deb
Files: 
 2d4a56ef9730b1d518277bcf9e698b4b 1992 contrib/games optional tremulous_1.1.0-8.dsc
 b092dd44352095748f2b5abfb536eabc 41059 contrib/games optional tremulous_1.1.0-8.debian.tar.gz
 af3958543076c61c773c7389258a013c 840670 contrib/games optional tremulous_1.1.0-8_amd64.deb
 5ece9019303c84a1ca0b94dac8366609 434686 contrib/games optional tremulous-server_1.1.0-8_amd64.deb
 3ba76835523cf85286ff9658d46be55a 646030 contrib/doc optional tremulous-doc_1.1.0-8_all.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:41:08 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 07:08:42 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.