Debian Bug report logs -
#870811
CVE-2017-11721: read buffer overflow in MSG_ReadBits
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#870725; Package src:ioquake3.
(Fri, 04 Aug 2017 14:33:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Fri, 04 Aug 2017 14:33:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: ioquake3
Severity: grave
Tags: security
Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11721
Cheers,
Moritz
Marked as found in versions ioquake3/1.36+u20170720+dfsg1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 04 Aug 2017 21:09:02 GMT) (full text, mbox, link).
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Fri, 04 Aug 2017 21:09:07 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Fri, 04 Aug 2017 21:09:07 GMT) (full text, mbox, link).
Message #12 received at 870725-close@bugs.debian.org (full text, mbox, reply):
Source: ioquake3
Source-Version: 1.36+u20170803+dfsg1-1
We believe that the bug you reported is fixed in the latest version of
ioquake3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 870725@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated ioquake3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 04 Aug 2017 18:34:40 +0100
Source: ioquake3
Binary: ioquake3 ioquake3-server
Architecture: source
Version: 1.36+u20170803+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 870725
Description:
ioquake3 - Game engine for 3D first person shooter games
ioquake3-server - Engine for 3D first person shooter games - server and common file
Changes:
ioquake3 (1.36+u20170803+dfsg1-1) unstable; urgency=medium
.
* New upstream snapshot
- Fix read buffer overflow in MSG_ReadBits
(CVE-2017-11721) (Closes: #870725)
- Check buffer boundary exactly in MSG_WriteBits, instead of
potentially failing with a few bytes still available
Checksums-Sha1:
c0563a648b19b81ab125f48e0b61cab31050e508 2282 ioquake3_1.36+u20170803+dfsg1-1.dsc
287ad60bfb5b04238f14593a15a67f2884600fc4 1905260 ioquake3_1.36+u20170803+dfsg1.orig.tar.xz
1b56a93b3584660bf9c71e2078179a5ffa53a032 22224 ioquake3_1.36+u20170803+dfsg1-1.debian.tar.xz
Checksums-Sha256:
64aa514975fd1cdd7ff23fe3e8472453dfe570a3b4c0c9d9da84d9afe6b93292 2282 ioquake3_1.36+u20170803+dfsg1-1.dsc
9d8283fe131b0fc5363cb6bb0896b63a410d51daf4df036b3aaf5ca33c5c4da1 1905260 ioquake3_1.36+u20170803+dfsg1.orig.tar.xz
0dcab0480a605a55cf1651b0510f88eadac6824f0ace8678f7bb4dad2132b570 22224 ioquake3_1.36+u20170803+dfsg1-1.debian.tar.xz
Files:
7daf0055f20249c5c78c2f89e722abbb 2282 games optional ioquake3_1.36+u20170803+dfsg1-1.dsc
7de062ce2c05d41a1f4c3101e226fe61 1905260 games optional ioquake3_1.36+u20170803+dfsg1.orig.tar.xz
f87c2827023bd87fcc8f03bea1b30755 22224 games optional ioquake3_1.36+u20170803+dfsg1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE2pjyXAhxxJpZ6v8sTej/KmPHzJAFAlmE2y8ACgkQTej/KmPH
zJCxdQ/+N0wddLdzuef9949bd9OOD/JzpZvbdkzhrV6WKFyW3LzCILvLKJYlMuPe
GqW1tf41yl0BI9+OnXNZ2xO5Jxxc2c1mpcCsj5dQegYiLcXkUQ9PFnNesBnucvCF
iB8ITk6J+UG/hPvrJvN/JZWJOd2+YYnFVKPefXZ0GWJqGQNhmG+IX9em+U8z8oBQ
eTdnXi84fhSgYYcr5dOmpjp3vMmoHkHWEdBPKh7T3KHY8nhW54yFL52R81pgwhyA
8cF7SxBrREnNcTa7G0rlQQeUUuDSDM1Ej6cP2GVKYJwLU7WVdxipudJo1DSMwe0s
LN69qjKwEGENmFcjOMff88LerEgMxw/fbX7XFLtmZB3f8jsiqiDl68xjNYCa4rCS
b+4WuxJgWxAtuaYXe1LvUMabuBUlvqxHGDA+87Swv9qJhXL4c6B87jXjqV6pgfk+
P3aPKCor4MBmopfmrZDHo/eEkigGDjbUSRoCZmdH3ugHoWWQPyP8bpX9b0gRjjhP
8C55Mkj2D3yGzFD0dIkzkR9x67W6CmYjd3V7FCCPi4eVcZTKElNQfAbbto46TRRI
4FgyDwdZ6AXbLNjRl0Vn4gxbMqQ8u2HGDTpPxTR/pxt1mxifLWTwQgUF1wCWgUru
K5SWRzRW+kmZVOfooa8EMEVSV9SalV30n/X8cXM9OZCLSHuDF0o=
=2SzJ
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#870725; Package src:ioquake3.
(Sat, 05 Aug 2017 10:51:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Sat, 05 Aug 2017 10:51:02 GMT) (full text, mbox, link).
Message #17 received at 870725@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 CVE-2017-11721: read buffer overflow in MSG_ReadBits
Control: tags -1 + upstream fixed-upstream patch
Control: forwarded -1 https://github.com/ioquake/ioq3/commit/d2b1d124d4055c2fcbe5126863487c52fd58cca1
On Fri, 04 Aug 2017 at 16:30:46 +0200, Moritz Muehlenhoff wrote:
> Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11721
I have fixed this in unstable with a newer upstream snapshot. I suspect
that the bug is also present in all older suites, but I have not had
time to research that. Any suite where the upstream commit cherry-picks
successfully is probably vulnerable.
I am travelling (to Debconf) and finishing writing a talk, so I will
be unable to address this in older suites for now. If someone from the
security or games team wants to prepare and upload a backport of the
commit referenced by MITRE, please go ahead. From the commit message
and a quick read through the code, my understanding is that only the
MSG_ReadBits side is security-sensitive, with the MSG_WriteBits side
being merely for correctness (the buffer overflow check is too
pessimistic and will sometimes report an overflow when there are in
fact a few bytes left); but I could be wrong, and taking the entire
commit is probably the safer option.
The debian/stretch and debian/jessie branches in
https://anonscm.debian.org/git/pkg-games/ioquake3.git should be up to
date, and that git repository also contains the upstream commit
d2b1d124d4055c2fcbe5126863487c52fd58cca1.
Otherwise, I'll come back to this after I've given my my talk at Debconf,
assuming I can recruit someone running stable to smoke-test the new
version.
Thanks,
S
Changed Bug title to 'CVE-2017-11721: read buffer overflow in MSG_ReadBits' from 'CVE-2017-11721'.
Request was from Simon McVittie <smcv@debian.org>
to 870725-submit@bugs.debian.org.
(Sat, 05 Aug 2017 10:51:03 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream, patch, and upstream.
Request was from Simon McVittie <smcv@debian.org>
to 870725-submit@bugs.debian.org.
(Sat, 05 Aug 2017 10:51:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#870725; Package src:ioquake3.
(Sat, 05 Aug 2017 11:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
(Sat, 05 Aug 2017 11:27:02 GMT) (full text, mbox, link).
Message #28 received at 870725@bugs.debian.org (full text, mbox, reply):
Control: clone -1 -2
Control: reassign -2 src:iortcw
Control: forwarded -2 https://github.com/iortcw/iortcw/commit/260c39a29af517a08b3ee1a0e78ad654bdd70934
Control: found -2 1.51+dfsg1-2
Control: fixed -2 1.51+dfsg1-3
On Sat, 05 Aug 2017 at 11:47:23 +0100, Simon McVittie wrote:
> On Fri, 04 Aug 2017 at 16:30:46 +0200, Moritz Muehlenhoff wrote:
> > Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11721
iortcw in contrib also has this. I've uploaded a fix.
Again, I don't have time to handle this for stable right now, so
security or games team members are very welcome to do so. I'll prepare
a stable update during Debconf if nobody gets there first, assuming I
can find a stable user willing to test a game from contrib.
S
Bug 870725 cloned as bug 870811
Request was from Simon McVittie <smcv@debian.org>
to 870725-submit@bugs.debian.org.
(Sat, 05 Aug 2017 11:27:03 GMT) (full text, mbox, link).
Bug reassigned from package 'src:ioquake3' to 'src:iortcw'.
Request was from Simon McVittie <smcv@debian.org>
to 870725-submit@bugs.debian.org.
(Sat, 05 Aug 2017 11:27:03 GMT) (full text, mbox, link).
No longer marked as found in versions ioquake3/1.36+u20170720+dfsg1-1.
Request was from Simon McVittie <smcv@debian.org>
to 870725-submit@bugs.debian.org.
(Sat, 05 Aug 2017 11:27:04 GMT) (full text, mbox, link).
No longer marked as fixed in versions ioquake3/1.36+u20170803+dfsg1-1.
Request was from Simon McVittie <smcv@debian.org>
to 870725-submit@bugs.debian.org.
(Sat, 05 Aug 2017 11:27:04 GMT) (full text, mbox, link).
Marked as found in versions iortcw/1.51+dfsg1-2 and reopened.
Request was from Simon McVittie <smcv@debian.org>
to 870725-submit@bugs.debian.org.
(Sat, 05 Aug 2017 11:27:05 GMT) (full text, mbox, link).
Marked as fixed in versions iortcw/1.51+dfsg1-3.
Request was from Simon McVittie <smcv@debian.org>
to 870725-submit@bugs.debian.org.
(Sat, 05 Aug 2017 11:27:06 GMT) (full text, mbox, link).
Marked as fixed in versions iortcw/1.50a+dfsg1-3+deb9u1.
Request was from Simon McVittie <smcv@debian.org>
to control@bugs.debian.org.
(Wed, 20 Sep 2017 00:24:02 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Simon McVittie <smcv@debian.org>
to control@bugs.debian.org.
(Wed, 20 Sep 2017 00:24:03 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Wed, 20 Sep 2017 00:24:04 GMT) (full text, mbox, link).
Marked as found in versions iortcw/1.50a+dfsg1-3.
Request was from Simon McVittie <smcv@debian.org>
to control@bugs.debian.org.
(Wed, 20 Sep 2017 00:24:04 GMT) (full text, mbox, link).
Message sent on
to Moritz Muehlenhoff <jmm@debian.org>:
Bug#870811.
(Wed, 20 Sep 2017 00:24:06 GMT) (full text, mbox, link).
Message #53 received at 870811-submitter@bugs.debian.org (full text, mbox, reply):
close 870811 1.50a+dfsg1-3+deb9u1
found 870811 1.50a+dfsg1-3
thanks
CVE-2017-11721 has been fixed in iortcw in all applicable suites.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 18 Oct 2017 07:25:27 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 2 12:35:14 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.