Based on search started from http://bugs.gentoo.org/show_bug.cgi?id=222119 , it seems that tremulous packages as shipped in Fedora contains multiple unfixed security issues, that were previously addressed in Quake3: CVE-2006-2236: Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60, (2) Return to Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b allows remote attackers to execute arbitrary commands via a long remapShader command. Quake3 fix: http://svn.icculus.org/quake3?view=rev&revision=765 Tremulous fix: http://svn.icculus.org/tremulous?view=rev&revision=778 References: http://www.securityfocus.com/archive/1/archive/1/433349/100/0/threaded http://www.milw0rm.com/exploits/1750 http://secunia.com/advisories/19984 CVE-2006-2082: Directory traversal vulnerability in Quake 3 engine, as used in products including Quake3 Arena, Return to Castle Wolfenstein, Wolfenstein: Enemy Territory, and Star Trek Voyager: Elite Force, when the sv_allowdownload cvar is enabled, allows remote attackers to read arbitrary files from the server via ".." sequences in a .pk3 file request. Quake3 fix: http://svn.icculus.org/quake3?view=rev&revision=777 Tremulous fix: http://svn.icculus.org/tremulous?view=rev&revision=783 References: http://www.securityfocus.com/archive/1/archive/1/433349/100/0/threaded http://secunia.com/advisories/19984 CVE-2006-3324: The Automatic Downloading option in the id3 Quake 3 Engine and the Icculus Quake 3 Engine (ioquake3) before revision 804 allows remote attackers to overwrite arbitrary files in the quake3 directory (fs_homepath cvar) via a long string of filenames, as contained in the neededpaks buffer. Quake3 fix: http://svn.icculus.org/quake3?view=rev&revision=804 Tremulous fix: http://svn.icculus.org/tremulous?view=rev&revision=797 References: http://www.securityfocus.com/archive/1/archive/1/438515/100/0/threaded http://aluigi.altervista.org/adv/q3cfilevar-adv.txt http://secunia.com/advisories/20851 CVE-2006-3325: client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine (ioquake3) revision 810 and earlier allows remote malicious servers to overwrite arbitrary write-protected cvars variables on the client, such as cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path, via a string of cvar names and values sent from the server. NOTE: this can be combined with another vulnerability to overwrite arbitrary files. Quake3 fix: http://svn.icculus.org/quake3?view=rev&revision=811 Tremulous fix: http://svn.icculus.org/tremulous?view=rev&revision=813 References: http://www.securityfocus.com/archive/1/archive/1/438515/100/0/threaded http://aluigi.altervista.org/adv/q3cfilevar-adv.txt http://secunia.com/advisories/20851 CVE-2006-2875: Stack-based buffer overflow in the CL_ParseDownload function of Quake 3 Engine 1.32c and earlier, as used in multiple products, allows remote attackers to execute arbitrary code via a svc_download command with compressed data that triggers the overflow during expansion. Quake3 fix: http://svn.icculus.org/quake3?view=rev&revision=796 Tremulous fix: http://svn.icculus.org/tremulous?view=rev&revision=797 References: http://www.securityfocus.com/archive/1/archive/1/435963/100/0/threaded http://aluigi.altervista.org/adv/q3cbof-adv.txt http://secunia.com/advisories/20401/ (Tremulous commits mostly seem to be syncs to quake3 trunk, so tend to have couple of unrelated changes in them.)
2 more CVEs allocated at around the same time as those in comment #0, but may not affect tremulous: CVE-2006-3401: Stack-based buffer overflow in Quake 3 Engine as used by Quake 3: Arena 1.32b and 1.32c allows remote attackers to cause a denial of service and possibly execute code via long CS_ITEMS values. Quake3 fix: http://svn.icculus.org/quake3?view=rev&revision=813 Tremulous does not seem to be affected. References: http://milw0rm.com/exploits/1977 CVE-2006-3400: Stack-based buffer overflow in the CG_ServerCommand function in Quake 3 Engine as used by Soldier of Fortune 2 (SOF2MP) GOLD 1.03 allows remote attackers to cause a denial of service and possibly execute code by sending a long command from the server. References: http://milw0rm.com/exploits/1976 Based on available sources, it's not clear if Quake3 / Tremulous is still affected. I did no find any related commit in the upstream SVN.
In Fedora, Quake 3 engine is a separate package. Reassigning.
Ping? This needs your immediate attention
quake3-1.36-7.svn1783.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/quake3-1.36-7.svn1783.fc13
Updated to latest svn revision which include all fixes.
quake3-1.36-7.svn1783.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/quake3-1.36-7.svn1783.fc12
quake3-1.36-7.svn1783.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
quake3-1.36-7.svn1783.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.