Bug 455458

Summary: tremulous: Multiple unfixed Quake3 engine security issues
Product: [Fedora] Fedora
Reporter: Tomas Hoger <thoger>
Component: quake3
Assignee: Xavier Lamien <lxtnow>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: lxtnow, metherid, peter
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: source=gentoo
Fixed In Version: quake3-1.36-7.svn1783.fc12
Doc Type: Bug Fix
Last Closed: 2010-05-15 20:22:48 UTC

Description Tomas Hoger 2008-07-15 16:43:12 UTC
Based on a search started from http://bugs.gentoo.org/show_bug.cgi?id=222119, it
seems that the tremulous packages as shipped in Fedora contain multiple unfixed
security issues that were previously addressed in Quake3:


CVE-2006-2236:
Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60, (2) Return to
Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b allows remote attackers
to execute arbitrary commands via a long remapShader command.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=765

Tremulous fix:
http://svn.icculus.org/tremulous?view=rev&revision=778

References:
http://www.securityfocus.com/archive/1/archive/1/433349/100/0/threaded
http://www.milw0rm.com/exploits/1750
http://secunia.com/advisories/19984


CVE-2006-2082:
Directory traversal vulnerability in Quake 3 engine, as used in products
including Quake3 Arena, Return to Castle Wolfenstein, Wolfenstein: Enemy
Territory, and Star Trek Voyager: Elite Force, when the sv_allowdownload cvar is
enabled, allows remote attackers to read arbitrary files from the server via
".." sequences in a .pk3 file request.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=777

Tremulous fix:
http://svn.icculus.org/tremulous?view=rev&revision=783

References:
http://www.securityfocus.com/archive/1/archive/1/433349/100/0/threaded
http://secunia.com/advisories/19984


CVE-2006-3324:
The Automatic Downloading option in the id3 Quake 3 Engine and the Icculus Quake
3 Engine (ioquake3) before revision 804 allows remote attackers to overwrite
arbitrary files in the quake3 directory (fs_homepath cvar) via a long string of
filenames, as contained in the neededpaks buffer.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=804

Tremulous fix:
http://svn.icculus.org/tremulous?view=rev&revision=797

References:
http://www.securityfocus.com/archive/1/archive/1/438515/100/0/threaded
http://aluigi.altervista.org/adv/q3cfilevar-adv.txt
http://secunia.com/advisories/20851


CVE-2006-3325:
client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine
(ioquake3) revision 810 and earlier allows remote malicious servers to overwrite
arbitrary write-protected cvars variables on the client, such as
cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path,
via a string of cvar names and values sent from the server. NOTE: this can be
combined with another vulnerability to overwrite arbitrary files.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=811

Tremulous fix:
http://svn.icculus.org/tremulous?view=rev&revision=813

References:
http://www.securityfocus.com/archive/1/archive/1/438515/100/0/threaded
http://aluigi.altervista.org/adv/q3cfilevar-adv.txt
http://secunia.com/advisories/20851


CVE-2006-2875:
Stack-based buffer overflow in the CL_ParseDownload function of Quake 3 Engine
1.32c and earlier, as used in multiple products, allows remote attackers to
execute arbitrary code via a svc_download command with compressed data that
triggers the overflow during expansion.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=796

Tremulous fix:
http://svn.icculus.org/tremulous?view=rev&revision=797

References:
http://www.securityfocus.com/archive/1/archive/1/435963/100/0/threaded
http://aluigi.altervista.org/adv/q3cbof-adv.txt
http://secunia.com/advisories/20401/

(Tremulous commits mostly seem to be syncs to quake3 trunk, so they tend to have
a couple of unrelated changes in them.)
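
An added example, not part of the original bug report and not the ioquake3 or Tremulous fix: one way a server could validate a .pk3 download request of the kind described under CVE-2006-2082 before opening any file. The function names, the `sv_allowdownload` parameter standing in for the cvar, and the 64-byte length limit are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_REQUEST_LEN 64  /* assumed limit for this example */

/* True only for a relative path of plain components that ends in ".pk3". */
bool pk3_request_is_safe(const char *name)
{
    size_t len;
    const char *p, *seg;

    if (name == NULL)
        return false;
    len = strlen(name);
    if (len < 5 || len >= MAX_REQUEST_LEN)      /* shortest valid name: "x.pk3" */
        return false;
    if (strcmp(name + len - 4, ".pk3") != 0)    /* only pak archives are served */
        return false;

    seg = name;
    for (p = name; ; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '/' || c == '\0') {
            if (p == seg)                       /* leading "/", "//" or trailing "/" */
                return false;
            if (seg[0] == '.')                  /* ".", ".." and dot-files */
                return false;
            if (c == '\0')
                break;
            seg = p + 1;
        } else if (c == '\\' || c == ':' || c < 0x20 || c == 0x7f) {
            return false;                       /* other separators, drive letters, controls */
        }
    }
    return true;
}

/* Gate used before any file is opened; sv_allowdownload mirrors the server cvar. */
bool download_permitted(int sv_allowdownload, const char *name)
{
    return sv_allowdownload != 0 && pk3_request_is_safe(name);
}
```

The check rejects a request by its shape alone; a server would still resolve the accepted name against its own list of loaded paks rather than the filesystem at large.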

Comment 1 Tomas Hoger 2008-07-15 16:44:14 UTC
2 more CVEs allocated at around the same time as those in comment #0, but may
not affect tremulous:


CVE-2006-3401:
Stack-based buffer overflow in Quake 3 Engine as used by Quake 3: Arena 1.32b
and 1.32c allows remote attackers to cause a denial of service and possibly
execute code via long CS_ITEMS values.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=813

Tremulous does not seem to be affected.

References:
http://milw0rm.com/exploits/1977


CVE-2006-3400:
Stack-based buffer overflow in the CG_ServerCommand function in Quake 3 Engine
as used by Soldier of Fortune 2 (SOF2MP) GOLD 1.03 allows remote attackers to
cause a denial of service and possibly execute code by sending a long command
from the server.

References:
http://milw0rm.com/exploits/1976

Based on available sources, it's not clear if Quake3 / Tremulous is still
affected.  I did not find any related commit in the upstream SVN.


Comment 2 Rahul Sundaram 2010-03-24 00:14:24 UTC
In Fedora, Quake 3 engine is a separate package.  Reassigning.

Comment 3 Rahul Sundaram 2010-05-08 20:29:15 UTC
Ping?  This needs your immediate attention.

Comment 4 Fedora Update System 2010-05-13 13:38:08 UTC
quake3-1.36-7.svn1783.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/quake3-1.36-7.svn1783.fc13

Comment 5 Xavier Lamien 2010-05-13 13:41:14 UTC
Updated to the latest svn revision, which includes all fixes.

Comment 6 Fedora Update System 2010-05-13 14:31:58 UTC
quake3-1.36-7.svn1783.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/quake3-1.36-7.svn1783.fc12

Comment 7 Fedora Update System 2010-05-15 20:22:43 UTC
quake3-1.36-7.svn1783.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-05-15 20:43:33 UTC
quake3-1.36-7.svn1783.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.