Package: ioquake3
Version: 1.36+svn1946-1
Severity: grave
Tags: patch security pending
Justification: user security hole

ioquake3 1.36+svn1946-4 fixes a serious vulnerability. openarena in Debian
stable is not vulnerable to this.

From the advisory:

> This bug has been discovered by /dev/humancontroller. Parts of the
> description here are also by him.
>
> * details
>
> If an ioQuake3 client for UNIX-like systems connects to a malicious id Tech
> 3 (Point Release 1.32 compatible) server, the server can force execution of
> arbitrary shell commands on the client's system.
>
> * CVE
>
> CVE-2011-1412 has been assigned for this issue.
>
> * severity
>
> high
>
> * affected OS
>
> All UNIXoid systems, except MacOSX:
> - Linux
> - FreeBSD
> - NetBSD
> - [...]
>
> Not affected:
> - Windows
> - MacOSX
>
> * games affected
>
> - IoQuake3 after revision 1773 and before 2097
> - World of Padman 1.5.1
> - OpenArena packaged by some Linux distributors
>
> Other game engines based on the ioQuake3 codebase, that have merged ioQuake3
> revision 1773, but not 2097, are also vulnerable.
>
> * workaround
>
> No workaround.
>
> * proof of concept
>
> Launch an ioQuake3 game server. Set the fs_game cvar to "`echo
> TROLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLO
> > trollme.txt`". Connect to the server with a recent ioQuake3 client for
> UNIX-like systems. The client should (after failing to create a directory
> with an overly long name) execute a shell command to write a file.
>
> * patches
>
> Several distributors have already been contacted and have prepared patches
> for their distributions.
> A sourcecode patch can be got here:
>
> http://thilo.tjps.eu/download/patches/ioq3-svn-r2097.diff
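
Added illustration, not part of the advisory and not the ioquake3 r2097 patch: why a backtick-wrapped value such as the fs_game string above turns into command execution once it is pasted into a shell command line, and how passing the same value as a single argv element keeps it inert. The function names, the use of `echo`, and the way the command string is built are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Shell form: untrusted text is pasted into a command line, so /bin/sh evaluates
 * any `...` in it. Assumed pattern; the page does not show ioquake3's own call. */
int show_via_shell(const char *value, char *out, size_t outlen) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo \"%s\"", value);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t n = fread(out, 1, outlen - 1, p);
    out[n] = '\0';
    return pclose(p);
}

/* Hardened form: the value is a single argv element given to execvp(), so no
 * shell parses it and metacharacters remain literal bytes. */
int show_via_argv(const char *value, char *out, size_t outlen) {
    int fd[2], status = 0;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        char *const argv[] = { "echo", (char *)value, NULL };
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    close(fd[1]);
    size_t n = 0; ssize_t r;
    while (n + 1 < outlen && (r = read(fd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *fs_game = "`echo INJECTED`";   /* constructed sample value */
    char a[128], b[128];
    show_via_shell(fs_game, a, sizeof a);
    show_via_argv(fs_game, b, sizeof b);
    printf("shell: %sargv:  %s", a, b);
}
```

In the shell form the inner command runs and only its output is echoed; in the argv form the backticks come back unchanged.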