Bug 455458 - tremulous: Multiple unfixed Quake3 engine security issues
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: quake3
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Xavier Lamien
QA Contact: Fedora Extras Quality Assurance
Whiteboard: source=gentoo
Reported: 2008-07-15 16:43 UTC by Tomas Hoger
Modified: 2010-05-15 20:43 UTC

Fixed In Version: quake3-1.36-7.svn1783.fc12
Last Closed: 2010-05-15 20:22:48 UTC

Description Tomas Hoger 2008-07-15 16:43:12 UTC
Based on a search started from http://bugs.gentoo.org/show_bug.cgi?id=222119, it
seems that tremulous packages as shipped in Fedora contain multiple unfixed
security issues that were previously addressed in Quake3:


CVE-2006-2236:
Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60, (2) Return to
Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b allows remote attackers
to execute arbitrary commands via a long remapShader command.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=765

Tremulous fix:
http://svn.icculus.org/tremulous?view=rev&revision=778

References:
http://www.securityfocus.com/archive/1/archive/1/433349/100/0/threaded
http://www.milw0rm.com/exploits/1750
http://secunia.com/advisories/19984


CVE-2006-2082:
Directory traversal vulnerability in Quake 3 engine, as used in products
including Quake3 Arena, Return to Castle Wolfenstein, Wolfenstein: Enemy
Territory, and Star Trek Voyager: Elite Force, when the sv_allowdownload cvar is
enabled, allows remote attackers to read arbitrary files from the server via
".." sequences in a .pk3 file request.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=777

Tremulous fix:
http://svn.icculus.org/tremulous?view=rev&revision=783

References:
http://www.securityfocus.com/archive/1/archive/1/433349/100/0/threaded
http://secunia.com/advisories/19984


CVE-2006-3324:
The Automatic Downloading option in the id3 Quake 3 Engine and the Icculus Quake
3 Engine (ioquake3) before revision 804 allows remote attackers to overwrite
arbitrary files in the quake3 directory (fs_homepath cvar) via a long string of
filenames, as contained in the neededpaks buffer.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=804

Tremulous fix:
http://svn.icculus.org/tremulous?view=rev&revision=797

References:
http://www.securityfocus.com/archive/1/archive/1/438515/100/0/threaded
http://aluigi.altervista.org/adv/q3cfilevar-adv.txt
http://secunia.com/advisories/20851


CVE-2006-3325:
client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine
(ioquake3) revision 810 and earlier allows remote malicious servers to overwrite
arbitrary write-protected cvars variables on the client, such as
cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path,
via a string of cvar names and values sent from the server. NOTE: this can be
combined with another vulnerability to overwrite arbitrary files.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=811

Tremulous fix:
http://svn.icculus.org/tremulous?view=rev&revision=813

References:
http://www.securityfocus.com/archive/1/archive/1/438515/100/0/threaded
http://aluigi.altervista.org/adv/q3cfilevar-adv.txt
http://secunia.com/advisories/20851


CVE-2006-2875:
Stack-based buffer overflow in the CL_ParseDownload function of Quake 3 Engine
1.32c and earlier, as used in multiple products, allows remote attackers to
execute arbitrary code via a svc_download command with compressed data that
triggers the overflow during expansion.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=796

Tremulous fix:
http://svn.icculus.org/tremulous?view=rev&revision=797

References:
http://www.securityfocus.com/archive/1/archive/1/435963/100/0/threaded
http://aluigi.altervista.org/adv/q3cbof-adv.txt
http://secunia.com/advisories/20401/

(Tremulous commits mostly seem to be syncs to quake3 trunk, so they tend to have
a couple of unrelated changes in them.)
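
For the CVE-2006-2082 class of bug (".." sequences in a .pk3 download request), the server-side check a packager would expect to find looks like the following. This is an added example, not code from ioquake3, Tremulous or the revisions linked above; the function name `download_name_is_safe`, the 64-byte limit and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DOWNLOAD_NAME 64   /* assumed limit, not the engine's constant */

/* Hypothetical helper: returns 1 if a client-requested download name may be
 * served from the game directory, 0 if it must be refused. */
int download_name_is_safe(const char *name)
{
    size_t len;
    const char *p;

    if (name == NULL)
        return 0;
    len = strlen(name);
    /* Bounded length, and only .pk3 archives are ever downloadable. */
    if (len < 5 || len >= MAX_DOWNLOAD_NAME)
        return 0;
    if (strcmp(name + len - 4, ".pk3") != 0)
        return 0;
    /* No absolute paths, drive letters or Windows separators. */
    if (name[0] == '/' || strchr(name, '\\') != NULL || strchr(name, ':') != NULL)
        return 0;
    /* Conservative: refuse ".." anywhere, even inside a file name. */
    if (strstr(name, "..") != NULL)
        return 0;
    /* No control characters that could confuse logging or path handling. */
    for (p = name; *p != '\0'; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample requests, not taken from any advisory. */
    const char *samples[] = {
        "base/map-example.pk3",
        "base/../../secret.pk3",
        "/etc/shadow.pk3",
        "base/server.cfg",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s %s\n", samples[i],
               download_name_is_safe(samples[i]) ? "serve" : "refuse");
    return 0;
}
```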

Comment 1 Tomas Hoger 2008-07-15 16:44:14 UTC
2 more CVEs allocated at around the same time as those in comment #0, but may
not affect tremulous:


CVE-2006-3401:
Stack-based buffer overflow in Quake 3 Engine as used by Quake 3: Arena 1.32b
and 1.32c allows remote attackers to cause a denial of service and possibly
execute code via long CS_ITEMS values.

Quake3 fix:
http://svn.icculus.org/quake3?view=rev&revision=813

Tremulous does not seem to be affected.

References:
http://milw0rm.com/exploits/1977


CVE-2006-3400:
Stack-based buffer overflow in the CG_ServerCommand function in Quake 3 Engine
as used by Soldier of Fortune 2 (SOF2MP) GOLD 1.03 allows remote attackers to
cause a denial of service and possibly execute code by sending a long command
from the server.

References:
http://milw0rm.com/exploits/1976

Based on available sources, it's not clear if Quake3 / Tremulous is still
affected.  I did not find any related commit in the upstream SVN.


Comment 2 Rahul Sundaram 2010-03-24 00:14:24 UTC
In Fedora, Quake 3 engine is a separate package.  Reassigning.

Comment 3 Rahul Sundaram 2010-05-08 20:29:15 UTC
Ping?  This needs your immediate attention.

Comment 4 Fedora Update System 2010-05-13 13:38:08 UTC
quake3-1.36-7.svn1783.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/quake3-1.36-7.svn1783.fc13

Comment 5 Xavier Lamien 2010-05-13 13:41:14 UTC
Updated to the latest svn revision, which includes all fixes.

Comment 6 Fedora Update System 2010-05-13 14:31:58 UTC
quake3-1.36-7.svn1783.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/quake3-1.36-7.svn1783.fc12

Comment 7 Fedora Update System 2010-05-15 20:22:43 UTC
quake3-1.36-7.svn1783.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-05-15 20:43:33 UTC
quake3-1.36-7.svn1783.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

