Bug 577810 (CVE-2010-3439)

Summary: CVE-2010-3439 alienarena: Two security issues in Quake II 3.20 (Server) (applicable to alienarena)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: hdegoede, tcallawa
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.quakedev.com/forums/index.php?topic=53.0
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-16 21:38:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2010-03-29 10:33:40 UTC 
Richard Stanway posted on QuakeDev Forums page:
  [1] http://www.quakedev.com/forums/index.php?topic=53.0

two new vulnerabilities affecting also code, as present
in Alien Arena (from [1]):

A, "Multiple auto downloading DoS conditions:
   By supplying various invalid parameters to the download command,
   it is possible to cause a DoS condition by causing the server to
   crash. A path ending in . or / will crash on Linux. Supplying
   a negative offset will cause a crash on all platforms."

Proposed patch:
----------------
  [2] http://corent.proboards.com/index.cgi?action=gotopost&board=bugreport&thread=4761&post=44624

Public PoC: 
-----------
  [3] http://corent.proboards.com/index.cgi?action=gotopost&board=bugreport&thread=4761&post=44611 => 
      cmd download maps/tca-zion.bsp -123456789 

CVSSv2 Score: 4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
-------------

B, "Server-side cvar expansion:
   By passing an unexpanded string containing $macros to the
   server, the server will expand it using it's cvars. This can
   be used to leak sensitive information such as the rcon_password cvar."

Proposed patch:
---------------
  NA

Public PoC:
-----------
  [4] http://www.quakedev.com/forums/index.php?topic=53.0 =>
      At the client console: "say $rcon_password"

CVSSv2 Score: 4.0/ AV:N/AC:L/Au:S/C:P/I:N/A:N
-------------

References:
-----------
  [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575621

CVE Request:
------------
  [6] http://www.openwall.com/lists/oss-security/2010/03/29/3
Comment 1 Jan Lieskovsky 2010-03-29 10:35:58 UTC 
These issues affect the versions of the alienarena package,
as shipped with Fedora release of 11 and 12.

Please fix (once the patch for second issue is available).
Comment 2 Jan Lieskovsky 2010-04-03 16:33:20 UTC 
Reply from Richard Stanway regarding the proposed fix:
  [7] http://www.openwall.com/lists/oss-security/2010/03/29/5
Comment 3 Tom "spot" Callaway 2010-04-06 15:20:35 UTC 
Cmd_TokenizeString (s, false) is used in alienarena's sv_user.c, so the second issue does not appear to be applicable.
Comment 4 Fedora Update System 2010-04-06 18:27:49 UTC 
alienarena-7.32-3.fc12.2 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/alienarena-7.32-3.fc12.2
Comment 5 Fedora Update System 2010-04-06 18:27:54 UTC 
alienarena-7.32-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/alienarena-7.32-3.fc11
Comment 6 Fedora Update System 2010-04-06 18:28:00 UTC 
alienarena-7.33-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/alienarena-7.33-2.fc13
Comment 7 Fedora Update System 2010-04-09 01:34:29 UTC 
alienarena-7.32-3.fc12.2 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2010-04-09 01:46:23 UTC 
alienarena-7.32-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-04-09 03:57:00 UTC 
alienarena-7.33-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Vincent Danen 2010-12-16 21:38:12 UTC 
This is CVE-2010-3439