Debian Bug report logs - #857714
iortcw: CVE-2017-6903: privilege escalation by auto-downloaded files


Package: iortcw; Maintainer for iortcw is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>;

Reported by: Daniel Gibson <metalcaedes@gmail.com>

Date: Tue, 14 Mar 2017 04:03:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version 1.42b+20150930+dfsg1-1

Fixed in version iortcw/1.50a+dfsg1-3

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#857699; Package ioquake3. (Tue, 14 Mar 2017 04:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Gibson <metalcaedes@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Tue, 14 Mar 2017 04:03:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Daniel Gibson <metalcaedes@gmail.com>
To: submit@bugs.debian.org
Subject: ioquake3 has a security vulnerability
Date: Tue, 14 Mar 2017 04:59:15 +0100
Package: ioquake3
Version: 1.36
Severity: grave

Hi,

earlier today ioquake3 fixed a vulnerability that, as far as I 
understand, could let malicious multiplayer servers execute code on 
connecting clients.
It affects all prior versions of ioquake3 (and I think also original 
Quake 3).
Details: 
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/ 


So you should probably update to latest ioq3 git or backport the fix.

Cheers,
Daniel



No longer marked as found in versions 1.36. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Mar 2017 07:15:04 GMT) (full text, mbox, link).


Marked as found in versions ioquake3/1.36+svn2287-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Mar 2017 07:15:05 GMT) (full text, mbox, link).


Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Mar 2017 07:15:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#857699; Package ioquake3. (Tue, 14 Mar 2017 08:33:09 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Tue, 14 Mar 2017 08:33:10 GMT) (full text, mbox, link).


Message #16 received at 857699@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Daniel Gibson <metalcaedes@gmail.com>, 857699@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#857699: ioquake3 has a security vulnerability
Date: Tue, 14 Mar 2017 08:30:36 +0000
Control: tags 857699 + security
Control: clone 857699 -2 -3
Control: reassign -2 iortcw 1.42b+20150930+dfsg1-1
Control: reassign -3 openjk 0~20150430+dfsg1-1

On Tue, 14 Mar 2017 at 04:59:15 +0100, Daniel Gibson wrote:
> earlier today ioquake3 fixed a vulnerability that, as far as I understand,
> could let malicious multiplayer servers execute code on connecting clients.

Thanks for reporting, I'll fix this ASAP.

Looks like I need to teach ioquake3 upstream about coordinated
disclosure, or remind them that their game is in distributions.

> It affects all prior versions of ioquake3 (and I think also original Quake
> 3).
> Details: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/

cc'ing security team for information. No CVE ID yet, I assume ioquake3
upstream will be requesting one (or if not I will).

    S



Bug 857699 cloned as bugs 857714, 857715 Request was from Simon McVittie <smcv@debian.org> to 857699-submit@bugs.debian.org. (Tue, 14 Mar 2017 08:33:10 GMT) (full text, mbox, link).


Bug reassigned from package 'ioquake3' to 'iortcw'. Request was from Simon McVittie <smcv@debian.org> to 857699-submit@bugs.debian.org. (Tue, 14 Mar 2017 08:33:10 GMT) (full text, mbox, link).


No longer marked as found in versions ioquake3/1.36+svn2287-1. Request was from Simon McVittie <smcv@debian.org> to 857699-submit@bugs.debian.org. (Tue, 14 Mar 2017 08:33:11 GMT) (full text, mbox, link).


Marked as found in versions 1.42b+20150930+dfsg1-1. Request was from Simon McVittie <smcv@debian.org> to 857699-submit@bugs.debian.org. (Tue, 14 Mar 2017 08:33:12 GMT) (full text, mbox, link).


Added tag(s) pending and fixed-upstream. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Tue, 14 Mar 2017 10:45:06 GMT) (full text, mbox, link).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 14 Mar 2017 10:51:10 GMT) (full text, mbox, link).


Notification sent to Daniel Gibson <metalcaedes@gmail.com>:
Bug acknowledged by developer. (Tue, 14 Mar 2017 10:51:10 GMT) (full text, mbox, link).


Message #31 received at 857714-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 857714-close@bugs.debian.org
Subject: Bug#857714: fixed in iortcw 1.50a+dfsg1-3
Date: Tue, 14 Mar 2017 10:48:41 +0000
Source: iortcw
Source-Version: 1.50a+dfsg1-3

We believe that the bug you reported is fixed in the latest version of
iortcw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated iortcw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Mar 2017 09:37:19 +0000
Source: iortcw
Binary: rtcw rtcw-common rtcw-server
Architecture: source
Version: 1.50a+dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 857714
Description: 
 rtcw-common - common files for Return to Castle Wolfenstein
 rtcw       - game engine for Return to Castle Wolfenstein
 rtcw-server - standalone server for Return to Castle Wolfenstein
Changes:
 iortcw (1.50a+dfsg1-3) unstable; urgency=high
 .
   * d/gbp.conf: switch branch to debian/stretch for updates during freeze
   * d/patches: Add patches from upstream fixing security vulnerabilities
     - refuse to load potentially auto-downloadable .pk3 files as
       iortcw renderers, iortcw game code, libcurl, or OpenAL drivers
       (mitigation: auto-downloading is off by default, and in Debian
       we do not dlopen libcurl anyway)
     - refuse to load default configuration file names from a .pk3 file
     - protect cl_renderer, cl_curllib, s_aldriver configuration variables so
       game code cannot set them
     - refuse to overwrite files other than *.txt with the dump console
       command
     - refuse to overwrite files other than *.cfg with the writeconfig
       console command
     (Closes: #857714)
Checksums-Sha1: 
 8ce0ab7e6cdb5faa8bc67dd9a386e85f4986c151 2247 iortcw_1.50a+dfsg1-3.dsc
 e4edac62ee8b2fc81a3e399011b409d92cc7e194 31812 iortcw_1.50a+dfsg1-3.debian.tar.xz
Checksums-Sha256: 
 9e9fd42c9c7a48215950bc827f791d50c99d7b64cedcc36493e467f0b6f0d70b 2247 iortcw_1.50a+dfsg1-3.dsc
 8ac7c810902acede665b1e1457c1dd12549a414e28d41123e6704baf2e19a470 31812 iortcw_1.50a+dfsg1-3.debian.tar.xz
Files: 
 42665eac07c13b16c0bfbc838b845ed5 2247 contrib/games optional iortcw_1.50a+dfsg1-3.dsc
 b4a440635daa61d617cc2c9ea9d9208d 31812 contrib/games optional iortcw_1.50a+dfsg1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
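The changelog above lists two kinds of mitigation: console commands that write files (`dump`, `writeconfig`) are restricted to one file extension each, and the configuration variables that name loadable libraries (`cl_renderer`, `cl_curllib`, `s_aldriver`) are protected so untrusted game code cannot point them at an auto-downloaded .pk3. The following is an added example written for this page, not iortcw or ioquake3 source: it models both checks in plain C. The function names, the `CVAR_PROTECTED` flag and the small cvar table are assumptions made for the example; the extra rejection of absolute paths and `..` components goes beyond what the changelog entry states and is included so the write check is self-contained.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Case-insensitive test that 'name' ends with exactly the extension 'ext'
 * (including the dot) and has at least one character before it, so that
 * "evil.cfg.so" and a bare ".cfg" are both rejected. */
static bool has_extension(const char *name, const char *ext)
{
    size_t n = strlen(name), e = strlen(ext);
    if (n <= e)
        return false;
    const char *tail = name + n - e;
    for (size_t i = 0; i < e; i++) {
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)ext[i]))
            return false;
    }
    return true;
}

/* Policy for a console command that is only supposed to produce files of
 * type 'ext': ".cfg" for writeconfig, ".txt" for dump. Besides the extension
 * allowlist from the changelog, this example (assumption, not the engine's
 * own filesystem rules) refuses absolute paths, drive letters/NTFS streams
 * and ".." so the target cannot leave the game's write directory. */
bool write_target_allowed(const char *name, const char *ext)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/' || name[0] == '\\')
        return false;
    if (strchr(name, ':') != NULL || strstr(name, "..") != NULL)
        return false;
    return has_extension(name, ext);
}

/* Hypothetical flag: a cvar the engine owns and game code may not change.
 * Not the engine's real CVAR_* bit layout. */
enum { CVAR_PROTECTED = 1u << 0 };

typedef struct {
    const char *name;
    char value[64];
    unsigned flags;
} cvar_t;

/* Constructed table: the three variables named in the changelog are
 * protected, an ordinary player setting is not. */
static cvar_t cvars[] = {
    { "cl_renderer", "opengl1", CVAR_PROTECTED },
    { "cl_curllib",  "",        CVAR_PROTECTED },
    { "s_aldriver",  "",        CVAR_PROTECTED },
    { "name",        "Player",  0 },
};

static cvar_t *cvar_find(const char *name)
{
    for (size_t i = 0; i < sizeof cvars / sizeof cvars[0]; i++)
        if (strcmp(cvars[i].name, name) == 0)
            return &cvars[i];
    return NULL;
}

/* Set request arriving from untrusted game code (e.g. a VM syscall).
 * Returns false and leaves the value untouched when the cvar is protected
 * or unknown. */
bool cvar_set_from_game(const char *name, const char *value)
{
    cvar_t *cv = cvar_find(name);
    if (cv == NULL || (cv->flags & CVAR_PROTECTED))
        return false;
    snprintf(cv->value, sizeof cv->value, "%s", value);
    return true;
}

const char *cvar_value(const char *name)
{
    cvar_t *cv = cvar_find(name);
    return cv ? cv->value : NULL;
}

int main(void)
{
    printf("writeconfig autoexec.cfg: %s\n",
           write_target_allowed("autoexec.cfg", ".cfg") ? "ok" : "refused");
    printf("writeconfig evil.cfg.so: %s\n",
           write_target_allowed("evil.cfg.so", ".cfg") ? "ok" : "refused");
    printf("game sets cl_renderer: %s\n",
           cvar_set_from_game("cl_renderer", "evil") ? "ok" : "refused");
    return 0;
}
```

The extension compare works on the end of the string rather than on the first dot, which is the difference between a check that rejects `evil.cfg.so` and one that does not.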




Changed Bug title to 'iortcw: CVE-2017-6903: privilege escalation by auto-downloaded files' from 'ioquake3 has a security vulnerability'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Tue, 14 Mar 2017 22:33:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Apr 2017 07:25:35 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 14:40:36 2023; Machine Name: buxtehude
