Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 04:03:04 GMT)
Acknowledgement sent
to Daniel Gibson <metalcaedes@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 04:03:04 GMT)
Package: ioquake3
Version: 1.36
Severity: grave
Hi,
earlier today ioquake3 fixed a vulnerability that, as far as I
understand, could let malicious multiplayer servers execute code on
connecting clients.
It affects all prior versions of ioquake3 (and I think also original
Quake 3).
Details:
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
So you should probably update to latest ioq3 git or backport the fix.
Cheers,
Daniel
No longer marked as found in versions 1.36.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 14 Mar 2017 07:15:04 GMT)
Marked as found in versions ioquake3/1.36+svn2287-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 14 Mar 2017 07:15:05 GMT)
Added tag(s) security and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 14 Mar 2017 07:15:06 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 08:33:09 GMT)
Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 08:33:10 GMT)
To: Daniel Gibson <metalcaedes@gmail.com>, 857699@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#857699: ioquake3 has a security vulnerability
Date: Tue, 14 Mar 2017 08:30:36 +0000
Control: tags 857699 + security
Control: clone 857699 -2 -3
Control: reassign -2 iortcw 1.42b+20150930+dfsg1-1
Control: reassign -3 openjk 0~20150430+dfsg1-1
On Tue, 14 Mar 2017 at 04:59:15 +0100, Daniel Gibson wrote:
> earlier today ioquake3 fixed a vulnerability that, as far as I understand,
> could let malicious multiplayer servers execute code on connecting clients.
Thanks for reporting, I'll fix this ASAP.
Looks like I need to teach ioquake3 upstream about coordinated
disclosure, or remind them that their game is in distributions.
> It affects all prior versions of ioquake3 (and I think also original Quake
> 3).
> Details: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
cc'ing security team for information. No CVE ID yet, I assume ioquake3
upstream will be requesting one (or if not I will).
S
Bug 857699 cloned as bugs 857714, 857715
Request was from Simon McVittie <smcv@debian.org>
to 857699-submit@bugs.debian.org.
(Tue, 14 Mar 2017 08:33:10 GMT)
Added tag(s) pending and fixed-upstream.
Request was from Simon McVittie <smcv@debian.org>
to control@bugs.debian.org.
(Tue, 14 Mar 2017 10:45:07 GMT)
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Tue, 14 Mar 2017 11:36:05 GMT)
Notification sent
to Daniel Gibson <metalcaedes@gmail.com>:
Bug acknowledged by developer.
(Tue, 14 Mar 2017 11:36:05 GMT)
Subject: Bug#857699: fixed in ioquake3 1.36+u20161101+dfsg1-2
Date: Tue, 14 Mar 2017 11:34:06 +0000
Source: ioquake3
Source-Version: 1.36+u20161101+dfsg1-2
We believe that the bug you reported is fixed in the latest version of
ioquake3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 857699@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated ioquake3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 14 Mar 2017 10:14:37 +0000
Source: ioquake3
Binary: ioquake3 ioquake3-server
Architecture: source
Version: 1.36+u20161101+dfsg1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 857699
Description:
ioquake3 - Game engine for 3D first person shooter games
ioquake3-server - Engine for 3D first person shooter games - server and common file
Changes:
ioquake3 (1.36+u20161101+dfsg1-2) unstable; urgency=high
.
* d/gbp.conf: switch branch to debian/stretch for updates during freeze
* d/patches: Add patches from upstream fixing security vulnerabilities
- refuse to load potentially auto-downloadable .pk3 files as
ioquake3 renderers, ioquake3 game code, libcurl, or OpenAL drivers
(mitigation: auto-downloading is off by default, and in Debian
we do not dlopen libcurl anyway)
- refuse to load default configuration file names from a .pk3 file
- protect cl_renderer, cl_curllib, s_aldriver configuration variables so
game code cannot set them
- refuse to overwrite files other than *.txt with the dump console
command
- refuse to overwrite files other than *.cfg with the writeconfig
console command
(Closes: #857699)
* Add patch adapted from openarena to request confirmation before
enabling auto-downloading if the native-code Quake III Arena UI is
in use. Unfortunately this is not the case with quake3_46, but
I'm adding this patch in the hope that the wrapper script can
be fixed before the stretch release.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 12:21:03 GMT)
Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 12:21:03 GMT)
On Tue, 14 Mar 2017 at 08:30:36 +0000, Simon McVittie wrote:
> On Tue, 14 Mar 2017 at 04:59:15 +0100, Daniel Gibson wrote:
> > earlier today ioquake3 fixed a vulnerability that, as far as I understand,
> > could let malicious multiplayer servers execute code on connecting clients.
> > It affects all prior versions of ioquake3 (and I think also original Quake
> > 3).
> > Details: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
Hi security team,
I would like to propose this debdiff for stable (assuming that testing it
later today goes as expected - I don't have access to a jessie system
that can run games right now).
The other change I made in unstable (putting the auto-downloading option
for Quake III Arena behind an "are you sure?" prompt) is not straightforward,
and only affects code without security support (quake3 but not openarena),
so I have omitted it from this version.
S
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 13:36:11 GMT)
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 13:36:12 GMT)
Subject: Re: Bug#857699: ioquake3 has a security vulnerability
Date: Tue, 14 Mar 2017 14:35:04 +0100
On Tue, Mar 14, 2017 at 12:18:27PM +0000, Simon McVittie wrote:
> On Tue, 14 Mar 2017 at 08:30:36 +0000, Simon McVittie wrote:
> > On Tue, 14 Mar 2017 at 04:59:15 +0100, Daniel Gibson wrote:
> > > earlier today ioquake3 fixed a vulnerability that, as far as I understand,
> > > could let malicious multiplayer servers execute code on connecting clients.
> > > It affects all prior versions of ioquake3 (and I think also original Quake
> > > 3).
> > > Details: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
>
> Hi security team,
> I would like to propose this debdiff for stable (assuming that testing it
> later today goes as expected - I don't have access to a jessie system
> that can run games right now).
If you can't easily obtain access to a jessie system, I can run the tests
myself (they'd be limited to openarena, though).
> The other change I made in unstable (putting the auto-downloading option
> for Quake III Arena behind an "are you sure?" prompt) is not straightforward,
> and only affects code without security support (quake3 but not openarena),
> so I have omitted it from this version.
Makes sense, please upload.
Remember that ioquake3 is new in stable-security, so needs to be built with
"-sa".
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 15:51:02 GMT)
Acknowledgement sent
to Daniel Gibson <metalcaedes@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 15:51:02 GMT)
To: Simon McVittie <smcv@debian.org>, 857699@bugs.debian.org
Subject: Re: Bug#857699: ioquake3 has a security vulnerability
Date: Tue, 14 Mar 2017 16:48:46 +0100
On 14.03.2017 09:30, Simon McVittie wrote:
>
> Thanks for reporting, I'll fix this ASAP.
Awesome, thanks for the prompt reaction!
>
> Looks like I need to teach ioquake3 upstream about coordinated
> disclosure, or remind them that their game is in distributions.
>
That might be a good idea, I had the impression they didn't really know
how to inform package maintainers properly - TBH, neither do I (I'm not
involved in ioq3, but in other open source game ports).
Is there a mailing list or something similar for security issues that
reaches package maintainers of all distros?
Cheers,
Daniel
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 16:48:05 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 16:48:05 GMT)
Cc: Daniel Gibson <metalcaedes@gmail.com>, 857699@bugs.debian.org,
security@debian.org
Subject: Re: Bug#857699: ioquake3 has a security vulnerability
Date: Tue, 14 Mar 2017 17:44:26 +0100
Hi Simon,
On Tue, Mar 14, 2017 at 08:30:36AM +0000, Simon McVittie wrote:
> cc'ing security team for information. No CVE ID yet, I assume ioquake3
> upstream will be requesting one (or if not I will).
heard anything about that yet? If so can you request a CVE via
https://cveform.mitre.org/ and loop back the assignment as well to us
(or directly to oss-security)?
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 17:36:11 GMT)
Acknowledgement sent
to Daniel Gibson <metalcaedes@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 17:36:11 GMT)
To: Salvatore Bonaccorso <carnil@debian.org>, Simon McVittie <smcv@debian.org>
Cc: 857699@bugs.debian.org, security@debian.org
Subject: Re: Bug#857699: ioquake3 has a security vulnerability
Date: Tue, 14 Mar 2017 18:34:52 +0100
Hi,
I heard upstream is not gonna create a CVE, so go ahead..
Cheers,
Daniel
On 14.03.2017 17:44, Salvatore Bonaccorso wrote:
> Hi Simon,
>
> On Tue, Mar 14, 2017 at 08:30:36AM +0000, Simon McVittie wrote:
>> cc'ing security team for information. No CVE ID yet, I assume ioquake3
>> upstream will be requesting one (or if not I will).
>
> heard anything about that yet? If so can you request a CVE via
> https://cveform.mitre.org/ and loop back the assignment as well to us
> (or directly to oss-security)?
>
> Regards,
> Salvatore
>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 17:42:03 GMT)
Acknowledgement sent
to Victor Roemer <vroemer@badsec.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 17:42:03 GMT)
Hi guys,
I originally reported the vulnerability to ioquake3. I'd like to help with
the CVE however I can.
I'm not familiar with CVE reports which is why one hasn't already been
written.
Thanks,
Victor
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 17:42:04 GMT)
Acknowledgement sent
to Victor Roemer <vroemer@badsec.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 17:42:04 GMT)
Hi guys,
I originally disclosed the bug to ioquake3. I would like to help however I
can with the CVE.
I am not familiar with the CVE creation process which is why one has been
created by myself.
Thanks
Victor
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 19:33:06 GMT)
Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 19:33:06 GMT)
To: Victor Roemer <vroemer@badsec.org>, 857699@bugs.debian.org
Subject: Re: Bug#857699: ioquake3 has a security vulnerability
Date: Tue, 14 Mar 2017 19:31:12 +0000
On Tue, 14 Mar 2017 at 13:38:37 -0400, Victor Roemer wrote:
> I originally reported the vulnerability to ioquake3. I'd like to help with the
> CVE however I can.
> I'm not familiar with CVE reports which is why one hasn't already been written.
MITRE's new process really doesn't help matters there...
I've requested a CVE ID, with this bug given as a contact address.
Hopefully that will work.
Sorry, I didn't see this email until after I had sent the CVE request,
and the ioquake3 maintainers didn't credit you in their advisory, so
the initial CVE request doesn't credit you either. That wasn't intentional
on my part.
S
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 19:33:07 GMT)
Acknowledgement sent
to CVE Request <CVE-Request@mitre.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 19:33:07 GMT)
To: "857699@bugs.debian.org" <857699@bugs.debian.org>
Subject: CVE Request 306054 for CVE ID Request
Date: Tue, 14 Mar 2017 19:26:09 +0000
Thank you for your submission. It will be reviewed by a CVE Assignment Team member.
Changes, additions, or updates to your request can be sent to the CVE Team by replying directly to this email.
Please do not change the subject line, which allows us to effectively track your request.
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html]
{CMI: MCID810430}
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 20:45:10 GMT)
Acknowledgement sent
to Victor Roemer <vroemer@badsec.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 20:45:10 GMT)
Any way we can amend that?
On Tue, Mar 14, 2017 at 3:31 PM, Simon McVittie <smcv@debian.org> wrote:
> On Tue, 14 Mar 2017 at 13:38:37 -0400, Victor Roemer wrote:
> > I originally reported the vulnerability to ioquake3. I'd like to help
> > with the CVE however I can.
> > I'm not familiar with CVE reports which is why one hasn't already been
> > written.
>
> MITRE's new process really doesn't help matters there...
>
> I've requested a CVE ID, with this bug given as a contact address.
> Hopefully that will work.
>
> Sorry, I didn't see this email until after I had sent the CVE request,
> and the ioquake3 maintainers didn't credit you in their advisory, so
> the initial CVE request doesn't credit you either. That wasn't intentional
> on my part.
>
> S
>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 21:27:06 GMT)
Acknowledgement sent
to Victor Roemer <vroemer@badsec.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 21:27:06 GMT)
FYI, the ioquake3.org blog post was updated to reference me as the reporter.
On Tue, Mar 14, 2017 at 4:42 PM, Victor Roemer <vroemer@badsec.org> wrote:
> Any way we can amend that?
>
> On Tue, Mar 14, 2017 at 3:31 PM, Simon McVittie <smcv@debian.org> wrote:
>
>> On Tue, 14 Mar 2017 at 13:38:37 -0400, Victor Roemer wrote:
>> > I originally reported the vulnerability to ioquake3. I'd like to help
>> > with the CVE however I can.
>> > I'm not familiar with CVE reports which is why one hasn't already been
>> > written.
>>
>> MITRE's new process really doesn't help matters there...
>>
>> I've requested a CVE ID, with this bug given as a contact address.
>> Hopefully that will work.
>>
>> Sorry, I didn't see this email until after I had sent the CVE request,
>> and the ioquake3 maintainers didn't credit you in their advisory, so
>> the initial CVE request doesn't credit you either. That wasn't intentional
>> on my part.
>>
>> S
>>
>
>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#857699; Package ioquake3.
(Tue, 14 Mar 2017 21:30:04 GMT)
Acknowledgement sent
to <cve-request@mitre.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Tue, 14 Mar 2017 21:30:04 GMT)
Subject: Re: [scr306054] idTech3 (Quake 3 engine) forks - all prior to 2017-03-14
Date: Tue, 14 Mar 2017 17:26:34 -0400
> [Suggested description]
> In ioquake3 before 2017-03-14, the auto-downloading feature
> has insufficient content restrictions.
> This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and
> other id Tech 3 (aka Quake 3 engine) forks.
> A malicious auto-downloaded file can trigger loading of crafted
> auto-downloaded files as native code DLLs.
> A malicious auto-downloaded file can contain configuration defaults
> that override the user's.
> Executable bytecode in a malicious auto-downloaded file can set
> configuration variables to values that will result in unwanted native
> code DLLs being loaded, resulting in sandbox escape.
>
> ------------------------------------------
>
> [Additional Information]
> The ioquake3 maintainers recommend not enabling auto-downloading, but
> this recommendation has not so far been sufficiently strong that they
> have removed the relevant feature.
>
> It is unclear whether the QVM bytecode interpreter is intended to be a
> security/sandboxing feature, or just a portability mechanism. The
> ioquake3 maintainers do not recommend treating it as a security
> feature, but they typically treat concrete examples of arbitrary code
> execution as security vulnerabilities anyway.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Insufficiently careful handling of auto-downloaded content, similar to CWE-494
>
> ------------------------------------------
>
> [Vendor of Product]
> Originally: id Software. De facto maintainers: ioquake3.org community.
> Downstream vendors: Debian, Fedora, Ubuntu etc.; OpenArena, OpenJK,
> iortcw, etc.
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Quake III Arena, ioquake3, OpenArena, OpenJK, iortcw, probably all
> other idTech3 (Quake 3 engine) forks - all prior to 2017-03-14
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Connect to a malicious game server, or connect to a non-malicious game
> server in the presence of a malicious man-in-the-middle
>
> ------------------------------------------
>
> [Reference]
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699
> https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
> https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd
> https://github.com/ioquake/ioq3/commit/f61fe5f6a0419ef4a88d46a128052f2e8352e85d
> https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372
> https://github.com/JACoders/OpenJK/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7
> https://github.com/iortcw/iortcw/commit/b6ff2bcb1e4e6976d61e316175c6d7c99860fe20
> https://github.com/iortcw/iortcw/commit/b248763e4878ef12d5835ece6600be8334f67da1
> https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Victor Roemer <vroemer@badsec.org>
Use CVE-2017-6903.
--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
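The Debian changelog entries above list the mitigations (writeconfig limited to *.cfg, dump limited to *.txt, no .pk3 handed to the native-library loader, cl_renderer/cl_curllib/s_aldriver protected from game code) and the CVE description explains why each one matters. The following is an added example, not ioquake3's or Debian's own code, that shows those checks as standalone C; the function names, the CVAR_PROTECTED flag and the small cvar table are this example's assumptions, and path-traversal filtering is left to the engine's filesystem layer and not shown.

```c
/* Added example, not ioquake3's code: standalone versions of the defensive
 * checks from the CVE-2017-6903 patch set. Function names, the flag and the
 * cvar table are this example's own; path-traversal checks are out of scope. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if `path` ends in `ext` (compared case-insensitively) and has a
 * non-empty base name in front of it, so ".cfg" and "dir/.cfg" are rejected. */
static bool has_extension(const char *path, const char *ext)
{
    size_t plen = strlen(path), elen = strlen(ext);
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strlen(base) <= elen)
        return false;
    for (size_t i = 0; i < elen; i++)
        if (tolower((unsigned char)path[plen - elen + i]) !=
            tolower((unsigned char)ext[i]))
            return false;
    return true;
}

/* writeconfig may only create *.cfg and dump may only create *.txt, so a
 * server that gets these commands run on a client cannot plant a file with
 * any other name. Any other command is refused outright. */
bool console_write_allowed(const char *cmd, const char *path)
{
    if (strcmp(cmd, "writeconfig") == 0)
        return has_extension(path, ".cfg");
    if (strcmp(cmd, "dump") == 0)
        return has_extension(path, ".txt");
    return false;
}

/* A .pk3 is auto-downloadable, server-supplied content: never hand one to
 * dlopen() as a renderer, game module, libcurl or OpenAL driver. */
bool native_lib_load_allowed(const char *path)
{
    return !has_extension(path, ".pk3");
}

/* Cvars that choose which shared library the engine loads are flagged
 * protected; game code (QVM bytecode) must not be able to set them. */
#define CVAR_PROTECTED 0x1u
struct cvar { const char *name; char value[64]; unsigned flags; };

static struct cvar cvars[] = {
    { "cl_renderer", "opengl2",        CVAR_PROTECTED },
    { "cl_curllib",  "libcurl.so.4",   CVAR_PROTECTED },
    { "s_aldriver",  "libopenal.so.1", CVAR_PROTECTED },
    { "name",        "UnnamedPlayer",  0 },
};

enum cvar_caller { FROM_ENGINE, FROM_GAME_CODE };

/* Returns true if the assignment was applied. Writes from game code to a
 * protected cvar are refused; the engine itself may still change them. */
bool cvar_set(const char *name, const char *value, enum cvar_caller who)
{
    for (size_t i = 0; i < sizeof cvars / sizeof cvars[0]; i++) {
        if (strcmp(cvars[i].name, name) != 0)
            continue;
        if (who == FROM_GAME_CODE && (cvars[i].flags & CVAR_PROTECTED)) {
            fprintf(stderr, "game code may not set protected cvar %s\n", name);
            return false;
        }
        snprintf(cvars[i].value, sizeof cvars[i].value, "%s", value);
        return true;
    }
    return false; /* unknown cvar; this example has no dynamic registration */
}

const char *cvar_get(const char *name)
{
    for (size_t i = 0; i < sizeof cvars / sizeof cvars[0]; i++)
        if (strcmp(cvars[i].name, name) == 0)
            return cvars[i].value;
    return NULL;
}

int main(void)
{
    printf("writeconfig notes.sh allowed=%d, dlopen pak9.pk3 allowed=%d\n",
           console_write_allowed("writeconfig", "notes.sh"),
           native_lib_load_allowed("baseq3/pak9.pk3"));
    cvar_set("cl_renderer", "pak9", FROM_GAME_CODE); /* refused */
    printf("cl_renderer is still %s\n", cvar_get("cl_renderer"));
    return 0;
}
```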
Changed Bug title to 'ioquake3: CVE-2017-6903: privilege escalation by auto-downloaded files' from 'ioquake3 has a security vulnerability'.
Request was from Simon McVittie <smcv@debian.org>
to control@bugs.debian.org.
(Tue, 14 Mar 2017 22:33:02 GMT)
Added indication that 857699 affects quake3 and openarena
Request was from Simon McVittie <smcv@debian.org>
to control@bugs.debian.org.
(Tue, 14 Mar 2017 22:33:03 GMT)
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Fri, 24 Mar 2017 12:36:23 GMT)
Notification sent
to Daniel Gibson <metalcaedes@gmail.com>:
Bug acknowledged by developer.
(Fri, 24 Mar 2017 12:36:23 GMT)
Subject: Bug#857699: fixed in ioquake3 1.36+u20140802+gca9eebb-2+deb8u1
Date: Fri, 24 Mar 2017 12:32:29 +0000
Source: ioquake3
Source-Version: 1.36+u20140802+gca9eebb-2+deb8u1
We believe that the bug you reported is fixed in the latest version of
ioquake3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 857699@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated ioquake3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 14 Mar 2017 22:29:41 +0000
Source: ioquake3
Binary: ioquake3 ioquake3-server ioquake3-dbg
Architecture: source amd64
Version: 1.36+u20140802+gca9eebb-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
ioquake3 - Game engine for 3D first person shooter games
ioquake3-dbg - debug symbols for the ioquake3 game engine
ioquake3-server - Standalone server for ioQuake3 based games
Closes: 857699
Changes:
ioquake3 (1.36+u20140802+gca9eebb-2+deb8u1) jessie-security; urgency=high
.
* d/gbp.conf: switch branch to debian/jessie
* d/patches: Add patches from upstream fixing security vulnerabilities
- refuse to load potentially auto-downloadable .pk3 files as
ioquake3 renderers, ioquake3 game code, libcurl, or OpenAL drivers
(mitigation: auto-downloading is off by default, and in Debian
we do not dlopen libcurl anyway)
- refuse to load default configuration file names from a .pk3 file
- protect cl_renderer, cl_curllib, s_aldriver configuration variables so
game code cannot set them
- refuse to overwrite files other than *.txt with the dump console
command
- refuse to overwrite files other than *.cfg with the writeconfig
console command
(Closes: #857699; CVE-2017-6903)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 05 Jun 2019 08:45:16 GMT)