Bug 831115 (CVE-2012-3345)
Field | Value |
---|---|
Summary: | CVE-2012-3345 symlink attack in ioquake3 >= r1773 and derived games |
Product: | [Other] Security Response |
Component: | vulnerability |
Reporter: | Simon McVittie <simon.mcvittie> |
Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX |
Severity: | low |
Priority: | low |
Version: | unspecified |
Hardware: | Unspecified |
OS: | Unspecified |
CC: | jkaluza, jrusnack, security-response-team, vdanen |
Keywords: | Security |
Doc Type: | Bug Fix |
Type: | Bug |
Last Closed: | 2015-02-26 22:48:01 UTC |
Bug Depends On: | 832296, 832297, 832298 |
Description
Simon McVittie
2012-06-12 08:50:25 UTC
Moving this to the Security Response product for proper tracking.

Simon, the report you supplied notes two patches, but they were not attached. Could you attach them to the bug or point out any upstream commits that fix the issues? Thanks.

Created attachment 591229
[PATCH 1/2] CVE-2012-3345: write ioq3.pid to home path, not temp directory
On a multi-user system, an attacker could create a symbolic link
/tmp/ioq3.pid pointing to any file owned by a user who plays an
ioquake3-based game. When the victim runs ioquake3, the target file
will be overwritten and replaced with the process ID of ioquake3.
To avoid this, write the pid to the home path (e.g. ~/.q3a on Unix).
Signed-off-by: Simon McVittie <smcv>
Created attachment 591230
[PATCH 2/2] CVE-2012-3345: remove Sys_TempPath() altogether, to avoid misuse
Writing to a predictable filename in /tmp is not safe.
Signed-off-by: Simon McVittie <smcv>
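
The failure mode described in the two patch messages above, next to an open that refuses symlinks, as an added example. This is not the ioquake3 patch (which moves the file to the home path instead); the function names, the scratch directory and the "precious" file content are assumptions, and `O_NOFOLLOW` behaviour is as on Linux.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: fopen("w") follows a symlink and truncates its target. */
static int write_pid_unsafe(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%d", (int)getpid());
    return fclose(f);
}

/* Hardened: refuse symlinks, require a regular file we own, only then truncate. */
static int write_pid_safe(const char *path) {
    char buf[32];
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;                 /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || ftruncate(fd, 0) != 0) { close(fd); return -1; }
    int n = snprintf(buf, sizeof buf, "%d", (int)getpid());
    int ok = write(fd, buf, (size_t)n) == n;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Constructed scenario: pid path is a symlink to "victim"; returns 1 if victim is intact. */
static int victim_survives(int (*writer)(const char *)) {
    char dir[] = "/tmp/piddemo.XXXXXX", victim[64], pidpath[64], got[16] = {0};
    if (!mkdtemp(dir)) return -1;          /* private 0700 scratch directory */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pidpath, sizeof pidpath, "%s/ioq3.pid", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("precious", f); fclose(f);
    if (symlink(victim, pidpath) != 0) return -1;
    writer(pidpath);                       /* the call under test */
    f = fopen(victim, "r");
    if (f) { if (!fgets(got, sizeof got, f)) got[0] = 0; fclose(f); }
    unlink(pidpath); unlink(victim); rmdir(dir);
    return strcmp(got, "precious") == 0;
}

int main(void) {
    printf("victim intact: unsafe=%d safe=%d\n",
           victim_survives(write_pid_unsafe), victim_survives(write_pid_safe));
}
```
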
(In reply to comment #2)
> Simon, the report you supplied notes two patches, but they were not
> attached.

Sorry, now fixed.

> any upstream commits that fix the issues

Those patches will (hopefully) be committed upstream when this vulnerability is announced to the public.

Thanks for the patches, Simon. We'll keep this closed until Friday (please note any changes to the unembargo date here, otherwise we'll open it at 18:00 UTC on 20120615), at which point I'll file trackers for Fedora.

(In reply to comment #0)
> release date (tentatively Friday, 18:00 UTC)

Release date confirmed by the ioquake3 maintainers.

(In reply to comment #7)
> Release date confirmed by the ioquake3 maintainers.

... who then announced it a day early by mistake, so please un-embargo this now.

Advisory: http://ioquake3.org/2012/06/14/cve-2012-3345-symlink-attack-in-ioquake3-r1773/
Patches: http://ioquake3.org/files/CVE-2012-3345/ or svn r2253

Created openarena tracking bugs for this issue
Affects: fedora-all [bug 832298]

Created quake3 tracking bugs for this issue
Affects: fedora-all [bug 832296]

Created tremulous tracking bugs for this issue
Affects: fedora-all [bug 832297]

The upstream fix is here: https://github.com/ioquake/ioq3/commit/b5acc31a4da72cc3a4a6d88facb15b6214d745c6

I fail to see why this still hasn't been fixed in ioquake3 on Fedora (see bug #832296) but given it's been over 3 years and it's just a temp file issue, I'm closing this.