Please treat this as embargoed until further notice, and do not commit a fix or otherwise make it public until we have coordinated a release date (tentatively Friday, 18:00 UTC). This is Gentoo bug 420783, Red Hat bug

Background
==========

ioquake3 [IOQ] is a fork of the Quake III Arena (id Tech 3) game engine, and has become the de facto upstream for that engine since id Software ceased to develop it. It is also used (unmodified, modified or forked) in various open-source and proprietary games including OpenArena [OA], Reaction [REA], Smokin' Guns [SGN], Tremulous [TREM], Turtle Arena [TA], Urban Terror [URT] and World of Padman [WOP].

Vulnerability
=============

Access vector: local
Authentication required: local system
Impact: overwrite a file owned by the victim with a predictable integer

Since svn revision 1773, ioquake3 has written its process ID to the file /tmp/ioq3.pid (or ioq3.pid in a world-writeable location) under the following circumstances:

* running on non-Mac Unix and TMPDIR not set, or set to a world-writeable location; or
* running on Mac OS and FSFindFolder() for a temporary directory fails or returns a world-writeable location

On a multi-user system, an attacker could create a symbolic link /tmp/ioq3.pid pointing to any file owned by a user who plays an ioquake3-based game. When the victim runs ioquake3, the target file will be overwritten and replaced with the process ID of ioquake3.

The effect of this attack depends on the file being overwritten: it could be simple vandalism (destroy one of the victim's files), or it could have further security implications if knowledge of the contents of a target file is used for authentication (in a system similar to pam_dotfile [DOT], for instance).

For the dedicated server, the process ID is written to ioq3_server.pid, but the attack is essentially the same. For forks of ioquake3, the filename will typically include the name of the fork, e.g. openarena.pid.
Affected versions
=================

* ioquake3 >= svn r1773
* OpenArena 0.8.8
* Reaction beta 1.0
* Smokin' Guns 1.1
* Tremulous "trunk" >= svn r2125
* Tremulous "gpp" >= svn r2140
* Turtle Arena >= svn r204 (all releases named Turtle Arena)
* World of Padman >= 1.5.2 beta

Unaffected versions
===================

* ioquake3 1.36
* ioquake3 <= svn r1772
* OpenArena <= 0.8.5
* Smokin' Guns <= 1.1b4
* Tremulous "trunk" <= svn r2124
* Tremulous "gpp" <= svn r2139
* Tremulous GPP1
* Tremulous <= 1.1.0
* Turtle Arena <= svn r203
* TMNT Arena 20091211 (former name of Turtle Arena)
* ioUrbanTerror 2007-12-20 client
* ioUrbanTerror 2007-12-20 server
* World of Padman <= 1.5.0

Solution
========

The attached patches have been reviewed by two ioquake3 maintainers. Please apply them to affected versions on or after the embargo date.

Patch 0001 fixes the vulnerability by writing the pid file into the ioquake3 user's home directory (~/.q3a/ioq3.pid, ~/.openarena/openarena.pid, etc.) instead of the temporary directory.

Patch 0002 is recommended, but not strictly necessary to fix the vulnerability. It removes the functions to get the temporary directory, as a precaution against other unsafe uses.

References
==========

[IOQ] http://ioquake3.org/
[OA] http://openarena.ws/
[REA] http://www.rq3.com/
[SGN] http://www.smokin-guns.net/
[TREM] http://tremulous.net/
[TA] http://ztm.x10hosting.com/ta/
[URT] http://www.urbanterror.info/home/
[WOP] http://worldofpadman.com/website/
[DOT] http://0pointer.de/lennart/projects/pam_dotfile/
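Added example, not part of this bug report or of the ioquake3 patches: a C sketch of the defensive pattern patch 0001 describes (put the pid file under a per-user directory such as ~/.q3a rather than a shared temporary directory), combined with a write routine that refuses to follow a symlink, to write through a hard link, or to touch anything that is not a regular file we own. The function names (build_pid_path, write_pid_file_safely, read_pid_file, demonstrate_symlink_refusal) and the decoy file name are assumptions for illustration; the demonstration creates its own mkdtemp() directory, plants a symlink there as a stand-in for the one described in the report, and checks that the decoy the link points at is left intact.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "<home>/<dotdir>/<name>", e.g. ~/.q3a/ioq3.pid as in patch 0001.
 * Returns 0, or -1 if the path would not fit in out. (Illustrative helper.) */
int build_pid_path(char *out, size_t outlen, const char *home,
                   const char *dotdir, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s/%s", home, dotdir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Write pid to path, refusing what an attacker can plant in a shared
 * directory: a symlink (O_NOFOLLOW makes open() fail with ELOOP), a
 * non-regular file, a file not owned by us, or a hard link to one of our
 * own files (st_nlink > 1). Returns 0 on success, -1 with errno set. */
int write_pid_file_safely(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    /* Truncate only after the checks, so a rejected target is never clobbered. */
    if (ftruncate(fd, 0) < 0) { close(fd); return -1; }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return (w == (ssize_t)n) ? 0 : -1;
}

/* Read the pid stored at path; -1 if it cannot be read or parsed. */
long read_pid_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    long pid = -1;
    if (fscanf(f, "%ld", &pid) != 1)
        pid = -1;
    fclose(f);
    return pid;
}

/* Demonstration in a fresh private directory: a symlink planted at the pid
 * path must be refused and the decoy it points at left intact, while a plain
 * path must be written and read back. Returns 1 if both hold, else 0. */
int demonstrate_symlink_refusal(void)
{
    char tmpl[] = "/tmp/pidfile-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);               /* created 0700, owned by us */
    if (!dir)
        return 0;
    char decoy[4096], planted[4096], plain[4096];
    snprintf(decoy, sizeof decoy, "%s/decoy.txt", dir);
    snprintf(planted, sizeof planted, "%s/ioq3.pid", dir);
    snprintf(plain, sizeof plain, "%s/ioq3_server.pid", dir);

    FILE *f = fopen(decoy, "w");             /* constructed victim file, 7 bytes */
    if (!f)
        return 0;
    fputs("secret\n", f);
    fclose(f);

    int ok = 1;
    struct stat st;
    if (symlink(decoy, planted) < 0)                      ok = 0;
    if (write_pid_file_safely(planted, getpid()) == 0)    ok = 0; /* must be refused */
    if (stat(decoy, &st) < 0 || st.st_size != 7)          ok = 0; /* decoy untouched */
    if (write_pid_file_safely(plain, getpid()) != 0)      ok = 0; /* plain path works */
    if (read_pid_file(plain) != (long)getpid())           ok = 0;

    unlink(planted); unlink(decoy); unlink(plain); rmdir(dir);
    return ok;
}

int main(void)
{
    const char *home = getenv("HOME");
    char path[4096];
    if (home && build_pid_path(path, sizeof path, home, ".q3a", "ioq3.pid") == 0)
        printf("pid file would be written to %s\n", path);
    printf("symlink refused, plain write succeeded: %s\n",
           demonstrate_symlink_refusal() ? "yes" : "no");
    return 0;
}
```

Moving the file out of /tmp is the actual fix; the O_NOFOLLOW, ownership and link-count checks are defence in depth for the case where the per-user directory itself is ever misconfigured, and they cost nothing on the normal path.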
Moving this to the Security Response product for proper tracking.
Simon, the report you supplied notes two patches, but they were not attached. Could you attach them to the bug or point out any upstream commits that fix the issues? Thanks.
Created attachment 591229 [details]
[PATCH 1/2] CVE-2012-3345: write ioq3.pid to home path, not temp directory

On a multi-user system, an attacker could create a symbolic link /tmp/ioq3.pid pointing to any file owned by a user who plays an ioquake3-based game. When the victim runs ioquake3, the target file will be overwritten and replaced with the process ID of ioquake3.

To avoid this, write the pid to the home path (e.g. ~/.q3a on Unix).

Signed-off-by: Simon McVittie <smcv>
Created attachment 591230 [details]
[PATCH 2/2] CVE-2012-3345: remove Sys_TempPath() altogether, to avoid misuse

Writing to a predictable filename in /tmp is not safe.

Signed-off-by: Simon McVittie <smcv>
(In reply to comment #2)
> Simon, the report you supplied notes two patches, but they were not
> attached.

Sorry, now fixed.

> any upstream commits that fix the issues

Those patches will (hopefully) be committed upstream when this vulnerability is announced to the public.
Thanks for the patches, Simon. We'll keep this closed until Friday (please note any changes to the unembargo date here, otherwise we'll open it at 18:00 UTC on 20120615), at which point I'll file trackers for Fedora.
(In reply to comment #0)
> release date (tentatively Friday, 18:00 UTC)

Release date confirmed by the ioquake3 maintainers.
(In reply to comment #7)
> Release date confirmed by the ioquake3 maintainers.

... who then announced it a day early by mistake, so please un-embargo this now.

Advisory: http://ioquake3.org/2012/06/14/cve-2012-3345-symlink-attack-in-ioquake3-r1773/
Patches: http://ioquake3.org/files/CVE-2012-3345/ or svn r2253
Created openarena tracking bugs for this issue Affects: fedora-all [bug 832298]
Created quake3 tracking bugs for this issue Affects: fedora-all [bug 832296]
Created tremulous tracking bugs for this issue Affects: fedora-all [bug 832297]
The upstream fix is here: https://github.com/ioquake/ioq3/commit/b5acc31a4da72cc3a4a6d88facb15b6214d745c6

I fail to see why this still hasn't been fixed in ioquake3 on Fedora (see bug #832296), but given it's been over 3 years and it's just a temp file issue, I'm closing this.